A Botnet Operator Mines for Cryptocurrencies Using 15k Vulnerable Servers, Making $1,000 a Day


A 15,000 servers strong botnet currently suspected of operating out of China is being used for mining cryptocurrencies. The botnet is made up of compromised Windows Server machines. Researchers believe attackers could easily take full control of this botnet, using infected servers for ransomware or data exfiltration.

Bondnet botnet mines cryptocurrencies worldwide

A malware developer is running a Windows Servers-powered botnet to mine for various cryptocurrencies, primarily Monero. Security researchers at GuardiCore report that the malware maker goes by the moniker of Bond007.01, lending the botnet its name of Bondnet.

A Call With Long Odds: Has the Price of Bitcoin Bottomed for Now?

The botnet appears to have been active since December 2016 and is primarily focused on the mining of Monero, a cryptocurrency popular among criminals. It is estimated that the botnet operator is making as much as $1,000 a day or over $25,000 a month. High profile global companies, universities, city councils, and other public institutions are among the botnet’s victims.

The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day.

The security firm further said that around 2,000 of the infected 15,000 machines report to the C&C each day, with the botnet adding around 500 new machines to the network daily, delisting the same number of servers at the same time too.

Coming to how these servers were infected, security researchers said the botnet operator used a number of old and new exploits to target Windows Server machines.

The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services.

The team discovered that the criminal installs up-to-date versions of the mining programs on the infected servers with scheduled tasks triggered hourly to make sure the mining process could survive reboots.

The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000. The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner.

Security researchers warned that while most victims are used for mining, some are also used to conduct attacks or serve up malware files. "While organizations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning," the team wrote.

"With relatively simple modifications, today’s mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim’s network."