TrendMicro’s Security Intelligence Blog has identified a URL being used to spread a Monero-mining botnet that closely resembles one previously built by the Outlaw hacking group. According to TrendMicro, the botnet is still in a testing phase, although infection attempts have already been observed in China.
“Haiduc,” the group’s primary hacking tool (its name is the Romanian word for “outlaw”), is a Perl-based shellbot that exploits vulnerabilities in Internet-of-Things devices.
While the group’s previous operation appeared to rely on Haiduc to scan the internet for vulnerable systems it could attack, this time the malware is reportedly being spread primarily through a malicious URL. The URL hosts a Monero-mining script as well as a backdoor-based exploit.
Once the URL has been accessed, or Haiduc has found a vulnerable host, the botnet brute-forces credentials to give the attackers remote access to the victim’s system. After the attackers have control, the malware downloads the cryptocurrency miner payload. If cryptocurrency mining software is already installed on the system, the malware deletes it.
This kind of involuntary crypto mining, known as “cryptojacking,” earns attackers worldwide more than $250,000 worth of cryptocurrency per month, according to research by RWTH Aachen University in Germany.
DDoS For Hire
The bot is also reportedly “capable of launching distributed denial-of-service (DDoS) attacks, allowing the cybercriminals to monetize their botnet through cryptocurrency mining and by offering DDoS-for-hire services.”
DDoS attacks happen when many systems (bots, typically compromised computers) flood a single target, usually a website or web server, with more traffic or requests than it can handle. If the attack succeeds, the target is so overwhelmed that it becomes unavailable to legitimate users.
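Both behaviours described above, the credential brute force that gives the botnet its foothold on a host and the request flood of a DDoS, leave countable traces in ordinary server logs. The following Python script is an added example, not code from this page or from TrendMicro’s report: it runs two simple threshold detectors over constructed sample log lines (OpenSSH auth-log lines and combined-format web-server lines). The IP addresses, user names and thresholds are made up for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data, not taken from the page or from TrendMicro's report.
# OpenSSH auth-log style lines: 203.0.113.7 brute-forces root and eventually
# gets in; 198.51.100.5 is a legitimate user who mistyped once.
AUTH_LOG = """\
Mar  3 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:00:02 srv sshd[1203]: Failed password for root from 203.0.113.7 port 40124 ssh2
Mar  3 10:00:02 srv sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 40126 ssh2
Mar  3 10:00:03 srv sshd[1207]: Failed password for root from 203.0.113.7 port 40128 ssh2
Mar  3 10:00:04 srv sshd[1209]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar  3 10:00:05 srv sshd[1211]: Accepted password for root from 203.0.113.7 port 40132 ssh2
Mar  3 10:01:10 srv sshd[1300]: Failed password for alice from 198.51.100.5 port 51000 ssh2
Mar  3 10:01:15 srv sshd[1302]: Accepted publickey for alice from 198.51.100.5 port 51002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")


def ssh_bruteforce_sources(log: str, threshold: int = 5):
    """Return {ip: (failed_count, succeeded)} for every source with at least
    `threshold` failed logins. `succeeded` is True when the same source also
    produced an 'Accepted' line, i.e. the brute force worked and the host
    should be treated as compromised, not merely probed."""
    failures = Counter()
    accepted = set()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.add(m.group(2))
    return {ip: (n, ip in accepted) for ip, n in failures.items() if n >= threshold}


# Combined-log-format web server lines (constructed). 203.0.113.9 hammers the
# front page several times per second; 198.51.100.8 browses normally.
ACCESS_LOG = """\
203.0.113.9 - - [03/Mar/2019:10:05:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [03/Mar/2019:10:05:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [03/Mar/2019:10:05:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [03/Mar/2019:10:05:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.8 - - [03/Mar/2019:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.9 - - [03/Mar/2019:10:05:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [03/Mar/2019:10:05:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [03/Mar/2019:10:05:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [03/Mar/2019:10:05:01 +0000] "GET / HTTP/1.1" 503 0
198.51.100.8 - - [03/Mar/2019:10:05:03 +0000] "GET /style.css HTTP/1.1" 200 900
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def http_flood_sources(log: str, per_second: int = 3):
    """Return {ip: peak_requests_in_one_second} for sources that exceed
    `per_second` requests within any single second. The timestamp is bucketed
    to the second as a string, which is enough for a rate check and avoids
    parsing the time zone."""
    buckets = defaultdict(Counter)  # second -> Counter(ip -> requests)
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, second = m.group(1), m.group(2)
        buckets[second][ip] += 1
    peak = Counter()
    for counter in buckets.values():
        for ip, n in counter.items():
            peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > per_second}


if __name__ == "__main__":
    print("SSH brute-force sources:", ssh_bruteforce_sources(AUTH_LOG))
    print("HTTP flood sources:", http_flood_sources(ACCESS_LOG))
```

The `succeeded` flag is the part worth keeping: a source that fails repeatedly and then gets an “Accepted” line is exactly the brute-force-then-download sequence the article describes, and that host should be isolated and checked for a newly dropped miner rather than just blocked at the firewall. The thresholds and one-second bucketing are deliberately crude; a production detector would use a sliding window and feed a SIEM, but the counting logic is the same.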
DDoS attacks have been particularly common in the cryptosphere around token sales, when certain token buyers may want to prevent other buyers from having access to the tokens, or if a malicious actor wants to hurt the performance of a token sale for another reason.
John McAfee’s new crypto trading platform, McAfeeMagic, suffered a DDoS attack shortly after its launch this week, according to reports from Yahoo Finance.