Python-based botnets PyCryptoMiner turn Linux machines into mining robots

by do son · January 9, 2018

Security researchers at F5 Networks have discovered a new Linux encrypted botnet and named it “PyCryptoMiner,” whose main target is a Linux system with a public SSH port.

According to the researchers, PyCryptoMiner mainly includes the following five features:

Based on the Python scripting language, this means hard to detect
Receives a new C & C server allocation using Pastebin [.] Com (under the username “WHATHAPPEN”) when the original Command and Control (C & C) server is not available
Domain registrants are associated with more than 36,000 domain names, some of which have been known for fraud, gambling and adult services since 2012
Was used to mine Monero, a cryptocurrency favored by cybercriminals and highly anonymous. As of late December 2017, PyCryptoMiner has mined Monroe, worth about $ 46,000
Leverage CVE-2017-12149 Vulnerability, Introducing New Scanning Features for Vulnerable JBoss Servers in Mid-December

Unlike binary malware alternatives, Python-based scripting languages make PyCryptoMiner more confusing and more averse. In addition, it is executed by a legitimate binary.

PyCryptoMiner propagates by trying to guess the SSH login credentials of the target Linux device and if successful, it will deploy a simple base64-encoded Python script for connecting to the C & C server to download and execute additional Python code.

This Python script also collects information about infected devices, including the host / DNS name, operating system name and architecture, CPU count, and CPU usage, and it also checks if the device is already infected and if the infected device is used Monroe dig or scan.

The researchers confirmed through the information provided on the Pastebin [.] Com page that PyCryptoMiner may have been launched as of August 2017. In the survey, the resource has been viewed 177987 times, and about 1000 times a day will be added.

When querying the domain name “zsw8.cc” of these C & C servers, the registrant name was found to be “xinqian Rhys”

Domain registrants are associated with more than 36,000 domain names, some of which have been known for fraud, gambling and adult services since 2012.