Linux Systems with Exposed SSH Ports, Targeted by Python-Based Botnets
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Linux Systems with Exposed SSH Ports, Targeted by Python-Based Botnets

Mining cryptocurrency with a botnet comprised of Linux-based systems.

Cybersecurity experts believe that a band of experience cybercriminals have created a botnet made of Linux-based systems and is using them to mine Monero, a cryptocurrency.

RELATED: What is Mining Cryptocurrency?

Apparently, this group of cyber-crooks is using brute-force attacks against Linux systems with exposed SSH ports. If they can find the correct password, they use a Python script to install a Monero miner. Per F5 Networks, attackers are also using a known exploit for the JBoss server (CVE-2017-12149) to help break vulnerable systems, but their primary tactic now seems to be brute-forcing systems with exposed SSH ports.

This attack differs from others of its ilk in that relies on Python scripts and not malware binaries.

Per F5:

“Unlike a binary malware alternative, a scripting language-based malware is more evasive by nature as it can be easily obfuscated… It is also executed by a legitimate binary, which could be one of the PERL/Python/Bash/Go/PowerShell interpreters shipped with almost every Linux/Windows distribution.”

How does this work?

After infecting a victim, the hacker then downloads an initial, very simple base62-encoded “spearhead” Python script that gathers information on the infected system and reports back to a remote C&C server. That server then sends a second Python script in the form of a Python dictionary file that installs a version of Minerd Monero mining client.

Experts say they identified two Monero wallets used by this botnet, which they named PyCryptoMiner. One contained 94 Monero and the second contained 64 Monero, for an approximate total of $60,000.

A Legacy of Bad Action

This doesn’t appear to be the group’s first foray into malfeasance online. The C&C domain names used by PyCryptoMiner are registered to someone with ties to over 36,000 domains names and 234 other email addresses, all of which have been previously used for scams, gambling and pornography.

The ploy does seem to have worked though, at the time F5 published its finding the botnet was down and out of service, but the people behind it had raked in over $60,000. That makes this a relatively small mining botnet, but also serves to illustrate just how lucrative this type of activity can be when it’s done correctly.



Leave a Reply

Your email address will not be published. We will only use your email address to respond to your comment and/or notify you of responses. Required fields are marked *

Captcha *


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.