Data centre security and breach innovator GuardiCore recently detected Bondnet – a remotely managed and controlled botnet that is currently used to mine different cryptocurrencies. According to a new report by GuardiCore, Bondnet is prepared for immediate weaponisation for other purposes, such as mounting DDoS attacks.
Tel Aviv-based provider of innovative solutions for real-time threat detection and automated attack mitigation GuardiCore recently detected a malicious botnet consisting of thousands of compromised servers of varying power through its GuardiCore Labs system. Called Bondnet, the botnet is remotely managed and controlled, and for the time being, is being used to mine several types of cryptocurrencies.
According to a report – The Bondnet Army – recently published by GuardiCore on its blog, Bondnet is ready to be immediately weaponised for purposes that include the mounting of DDoS attacks, similar to those seen by the Mirai malware. The botnet’s victims involve high profile multinational companies, universities, local government and city councils, and other public institutions.
The attacker responsible for Bondnet targets and breaches its victims by means of a variety of public exploits in order to install a Windows Management Interface (WMI) trojan that is able to communicate with a Command and Control (C&C) server. By these means, the financially motivated botnet, which currently operates under the name Bond007.01, is able to take complete control of the attacked servers for exfiltration of data, then hold it for ransom, while using the server to stage further attacks or other malicious activities.
Bondnet mainly focuses on mining the Monero cryptocurrency and has been active since December 2016. According to GuardiCore’s new report, Bond007.01 nets earnings of around a thousand dollars a day. In its new report, GuardiCore goes on to present detailed information about Bondnet, specifically highlighting its infection and persistence mechanisms, in addition to offering an explanation of the attack and control infrastructure underlying this botnet.
Bondnet by the numbers
• | Penetrated 15,000+ machines to date
• | Everyday 2000 machines – equals 12,000 cores – report to Bondnet C&C
• | Victim CPU core count varies from 1 to 64
• | Approx. 500 new machines added daily to the attacker’s network; around the same number of machines is delisted
• | Victims are distributed across 141 countries / 6 continents
Botnet recruitment & infection strategy
GuardiCore initially noted that the first attack, which originated in Hong Kong, explored a weak configuration in phpMyAdmin, allowing the attacker to deploy unknown DLLs and an encoded Visual Basic Script. Multiple Antivirus software mechanisms deployed by the botnet’s victims all failed to detect these files, as did known malware repositories.
GuardiCore then became aware of similar attack patterns that were repeatedly launched from different sectors worldwide, by way of separate attack vectors, all of which shared the same attack infrastructure. GuardiCore Global Sensor Network (GGSN) – a network of deception servers installed in multiple data centers around the world – detected the Bondnet in January 2017.
Using GuardiCore deception technology, GGSN streams threat information to GuardiCore Labs for identification and analysis of new attacks. Although the majority of victims are compromised for mining purposes, other victims are sometimes used to conduct attacks, upload malware files, or host C&C servers. The attacker then uses these compromised machines to expand the botnet attacking infrastructure, hiding these machines amongst legitimate servers.
The attacker’s key objective in this campaign is to mine cryptocurrencies, an activity which requires substantial amounts of CPU/GPU power, and hence the reason this attacker focuses on servers, as opposed to more vulnerable consumer IoT devices. Although the practice of Bitcoin mining has seen a shift toward larger commercial vendors, especially in China, the private mining of alternative cryptocurrencies is still relatively profitable, especially if the miner is not paying for power.
By building the attack infrastructure on top of victim machines, the attacker is able to better conceal his or her true identity, and the origin of the attack. In addition, this method provides high availability infrastructure, which can be especially helpful when relying on compromised servers, should one of the servers fail or lose internet connectivity.
For now, organisations still have the option of treating these attacks as an issue of increased electric costs potentially amounting to USD 1,000 – USD 2,000 extra per server, but GuardiCore’s reports stresses that this is likely just the beginning. With a few, relatively simple modifications, the Bondnet could be capable of utilising its complete control over an organisation’s compromised servers, which often contain sensitive information, to conduct further malicious and illegal activities. What today may just be mining, has the potential tomorrow to easily morph into a ransomware campaign, data exfiltration, or lateral movement inside the victim’s network.
To help you ensure that your machines are not – and do not become – infected, GuardiCore is offering its detection & clean-up tool, as well as a list of IoCs. To read the full report on The Bondnet Army with more detailed information about this botnet, click here.