Python-Based Botnet Targets Linux Systems with Exposed SSH Ports

LASER_oneXM

Feb 4, 2016
Experts believe that an experienced cybercrime group has created a botnet from compromised Linux-based systems and is using these servers and devices to mine Monero, a digital currency.

Crooks are apparently using brute-force attacks against Linux systems that feature exposed SSH ports. If they guess the password, they use Python scripts to install a Monero miner.

According to experts from F5 Networks, attackers have also started using an exploit for the JBoss server (CVE-2017-12149) to break into vulnerable computers, but the SSH attacks and brute-force attacks represent this new botnet's bread and butter.

Python scripts are harder to detect
The attack is unique when compared to other Monero-mining botnets that have arisen in recent months, relying on Python scripts rather than on malware binaries.

"Unlike a binary malware alternative, a scripting language-based malware is more evasive by nature as it can be easily obfuscated," F5 experts say. "It is also executed by a legitimate binary, which could be one of the PERL/Python/Bash/Go/PowerShell interpreters shipped with almost every Linux/Windows distribution."

Despite this, once researchers identified samples of the malware, its construction wasn't that complex.

How the PyCryptoMiner malware works
Experts say that after infecting victims, crooks download an initial and very simple base64-encoded "spearhead" Python script that gathers info on the victims' system and reports to a remote C&C server.

The server replies with a second Python script in the form of a Python dictionary file that installs a version of the open-source Minerd Monero mining client.

Experts say they identified two Monero wallets used by this botnet, which they named PyCryptoMiner. One contained 94 Monero and the second contained 64 Monero, for an approximate total of $60,000.
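The SSH brute-force stage described in the post is the part of this campaign a defender can see directly in sshd logs: a burst of "Failed password" lines from one source followed by an "Accepted" login from the same address. The detector below is an added example, not code from the post or from F5's report. It parses standard syslog-style sshd lines, keeps a sliding window of failures per source IP, flags an address once it reaches a threshold inside the window, and separately flags any successful login from an already-flagged address. The log lines, hostnames, IPs, usernames and the assumed log year are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log sample (syslog format, which omits the year).
# All hosts, addresses and usernames are made up for this example.
SAMPLE_AUTH_LOG = """\
Jan  5 10:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jan  5 10:00:03 web01 sshd[2103]: Failed password for root from 203.0.113.45 port 51030 ssh2
Jan  5 10:00:05 web01 sshd[2105]: Failed password for invalid user admin from 203.0.113.45 port 51041 ssh2
Jan  5 10:00:07 web01 sshd[2107]: Failed password for root from 203.0.113.45 port 51055 ssh2
Jan  5 10:00:09 web01 sshd[2109]: Failed password for root from 203.0.113.45 port 51061 ssh2
Jan  5 10:00:12 web01 sshd[2111]: Accepted password for root from 203.0.113.45 port 51070 ssh2
Jan  5 10:02:30 web01 sshd[2150]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Jan  5 10:02:40 web01 sshd[2152]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
"""

# Matches both failed and accepted sshd authentication events.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    normalised = re.sub(r"\s+", " ", ts)
    return datetime.strptime(f"{year} {normalised}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_seconds=60, year=2018):
    """Return a list of findings in log order.

    'bruteforce'         - a source IP reached `threshold` failed logins
                           within `window_seconds`
    'bruteforce_success' - an Accepted login from a source IP that was
                           already flagged (the outcome the post describes)
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = set()
    findings = []

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # not an auth event we care about
        ts = parse_ts(m["ts"], year)
        ip = m["ip"]

        if m["result"] == "Failed":
            window = failures[ip]
            window.append(ts)
            # Slide the window: discard failures older than window_seconds.
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"type": "bruteforce", "ip": ip,
                                 "attempts": len(window), "at": ts})
        elif ip in flagged:
            # A login succeeding after a guessing burst is the high-value alert.
            findings.append({"type": "bruteforce_success", "ip": ip,
                             "user": m["user"], "method": m["method"], "at": ts})
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

Run against the sample, the detector flags 203.0.113.45 on its fifth failure and then raises a second finding when the password login from that address succeeds; the single failure from 198.51.100.7 followed by a key-based login produces nothing. Tuning the threshold and window to the host's normal traffic is what keeps the first alert type from being noisy; the "bruteforce_success" finding is rare enough to page on regardless.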
