GuardiCore Labs Discovers “Bondnet” – A Botnet For Mining Cryptocurrencies
GuardiCore employees are world-class cybersecurity professionals based out of Tel Aviv and San Francisco. The firm uses in-house innovations to detect and stop advanced threats to data centers in real-time. A recent posting is their latest effort to inform and educate likeminded parties about the dangers affecting networks and ecosystem synergy.
The hack, conducted remotely by an entity known as leebond986 and/or Bond007.01, was a financial shakedown using over 15,000 computers across major institutions, high-profile companies, and universities to mine VCs, primarily Monero, as well as to install malware, host command and control servers, and initiate further attacks.
GuardiCore Software, installed on servers around the globe, alerted company analysts about the Bondnet early on. By streaming the initial threat information through the GuardiCore Global Sensor Network, investigators were able to compile live metrics regarding the unknown malware and attack vectors for investigation after the fact. The postmortem seems to point to a single actor who initiated a botnet recruitment scheme from Hong Kong utilizing a known configuration weakness in phpMyAdmin. The attacker also deployed dynamic-link-libraries alongside an encoded Visual Basic script, which went undetected by multiple antivirus and malware repositories installed across the infected network.
The complexity of the overarching strategy used by Bond007.01 is contrasted by the simplicity of the constructs employed and an apparent habit for reusing code. Moreover the reused code was copied and pasted from Chinese websites over and over again despite the fact that non-Chinese sites are equally available to them, leading GuardiCore to suspect the attack came from China. Adding to this hypothesis is the fact that the BondNet command and control server is compiled on a Chinese computer, and the code handles desktop victims from China in a different manner compared to all other victims.
Using a combination of technical wizardry and weak password cracking to attack mostly Windows servers, vectors were uncovered involving known phpMyAdmin config bugs, exploits in JBoss, Oracle Web Application testing Suite, ElasticSearch, MSSQL, Apache Tomcat, Oracle Weblogic as well as other popular services. According to the GuardiCore post, the thread running through these exploits is a compilation of “Visual Basic files that download and install a remote access Trojan (RAT) and a cryptocurrency miner.”
GuardiCore classifies this attack as a low-risk high-reward scheme. Whoever Bond007.01 is, they have been earning around a thousand dollars a day from mining Monero and other virtual currencies since December 2016. While experts continue to insightfully retrace the attacker’s steps, economic gain is the leading theory behind Bond007.01’s hack. For more information about Bondnet, including how to check whether your computer is infected, GuardiCore has provided a detection & cleanup script on their website.