A botnet of thousands of compromised servers of varying power named Bondnet has been found mining various cryptocurrencies—and it’s ready to be weaponized immediately for other purposes, such as mounting Mirai-style DDoS attacks.
According to GuardiCore Labs, among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The bot has enslaved more than 15,000 machines to date, according to GuardiCore, distributed across 141 countries in six continents. About 2,000 servers representing 12,000 cores report to the Bondnet C&C every day.
Active since December 2016, Bondnet primarily mines Monero, earning around $1,000 per day. It also mines ByteCoin, RieCoin and ZCash, all of which are convertible to US dollars. Its operators are likely China-based, the firm said.
“In this campaign, the attacker’s objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power,” explained GuardiCore researchers, in an analysis. “This is why our attackers focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power.”
While most victims are used for mining, others are used to conduct attacks, serve up malware files or host the command and control (C&C) servers. The attacker uses these compromised machines to expand the botnet's attack infrastructure, hiding them among legitimate servers.
“Building an attack infrastructure on top of victim machines helps conceal the attacker’s true identity and origin of the attack,” researchers noted. “It also provides high-availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet.”
Thus, while organizations can treat this as an issue of increased electric bills (which the firm said can add $1,000 to $2,000 per server per year), this may only be the tip of the iceberg.
“With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions,” researchers warned. “Today’s mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim’s network.”
The attacker behind Bondnet breaches victims through a variety of public exploits for old vulnerabilities and weak username/password combinations and, once successful, installs a Windows Management Interface (WMI) trojan that communicates with a C&C server. Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Up-to-date server patching and the use of strong administrative passwords can help thwart infections.