Bondnet Botnet Hijacks Windows Server Machines to Mine Monero and ZCash

It was only a matter of time until a new botnet would start making the rounds. It appears this new type of malware originates from China, albeit that has not been officially confirmed at this stage. So far, the botnet is comprised of 15,000 infected Windows Server machines, all of which are mining cryptocurrencies. Interestingly enough, the primarily mined cryptocurrency is Monero, and not Bitcoin.

Crypto-mining Botnet Has Grown More Powerful

It is always quite interesting to take note of new malware types designed to mine cryptocurrencies. Over the past few years, the world has seen multiple iterations of such malware. In most cases, these nefarious tools hijack computers to mine Bitcoin or even Dogecoin. However, that situation has come to change thanks to this newly discovered botnet.

To be more specific, the Bondnet botnet is capable of infecting any machine running the Windows Server operating system. It was first spotted back in December of 2016 when it had seemingly enslaved a handful of machines. That number has now grown to 15,000 controlled machines, all of which are used to mine a wide variety of popular cryptocurrencies. First and foremost, the infected machine will try to mine Monero, a cryptocurrency focusing on privacy and anonymous transactions.

However, it appears this malware can mine other cryptocurrencies as well. Interestingly enough, the developer of Bondnet has no interest in mining Bitcoin, Ethereum, or Litecoin right now. Instead, they opt to mine ByteCoin, RieCoin, and ZCash. These are quite interesting choices, although the hardware they hijack lends itself to profitably mining these coins over time. With 15,000 machines under the criminals’ control, they can mine a respectable amount of cryptocurrency at no additional cost.

This particular botnet has grown exponentially thanks to a time-consuming process. The developer relies on different techniques to infect machines all over the world. It is possible a combination of brute-force attacks and weak RDP credentials is the main source of distribution at this stage. Additionally, a lot of Windows Server-based machines run other server software, which can be exploited, including MSSQL, Apache Tomcat, and phpMyAdmin.

As one would somewhat expect, once the assailant gains access to the computer, he uses a Remote Access Trojan to control the machine moving forward. Installing a cryptocurrency-related miner becomes a trivial matter at that point. Over half of the infected machines run Windows Server 2008 R2, although a good portion runs Windows Server 2012 R2. It is evident nearly all popular versions of this operating system are prone to getting hijacked.

What is rather intriguing is how this botnet seems to gain and lose new bots every single day. The growth has all but stagnated, yet it remains a big threat until the matter can be properly resolved. Server administrators will need to step up their security game to prevent servers from getting hijacked for cryptocurrency mining purposes. Luckily, a detection and cleanup utility has been released by security firm GuardiCore.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.