A malware developer suspected of operating out of China is in control of a botnet of 15,000 compromised Windows Server machines, which he uses to mine for various crypto-currencies, and primarily Monero.

Based on clues left in his source code, security researchers from GuardiCore, who first discovered this botnet, say the crook goes by the nickname of Bond007.01, hence the botnet's name of Bondnet.

Bondnet used for Monero mining

First signs of this botnet's existence appeared in December 2016, but the botnet grew exponentially and has now reached 15,000 machines, with over 2,000 daily active bots.

GuardiCore researchers say Bond007.01 uses Bondnet to mine Monero primarily, but they've also seen him mine for other cryptocurrencies, such as ByteCoin, RieCoin or ZCash.

The way Bond007.01 grew his botnet was quite complicated and time-consuming, relying on different techniques. Experts say the crook employed a combination of various exploits and brute-force attacks on computers with weak RDP credentials.

While we've been seen crooks leveraging unsecured RDP endpoints for other types of cyber-crime, such as installing ransomware, Bond007.01 didn't shy away from doing the hard work of targeting servers via exploits.

Researchers say the crook used vulnerabilities in server software such as phpMyAdmin, JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL, Apache Tomcat, Oracle Weblogic, and others.

Bondnet attack vectors breakdown
Bondnet attack vectors breakdown

Once he gained a foothold on these systems via an exploit, the crook used a series of DLLs and Visual Basic scripts to download and install a remote access trojan (RAT) for backdoor access, and a cryptocurrency miner to profit from the hacked servers.

Bondnet targets only Windows Server systems

All the hacked servers were Windows Server machines, over half running Windows Server 2008 R2.

Bondnet victims breakdown
Bondnet victims breakdown

Infected machines weren't only used for crypto-currency mining, but also to launch attacks on new hosts.

At the time of writing, the botnet seems to be standing still. GuardiCore reports that Bond007.01 is currently gaining and losing about 500 bots per day.

Nonetheless, Bondnet's presence on the Interwebs is a sign that server admins need to rethink the security of their systems, patch old software, and employ stronger passwords to protect any account with remote access.

GuardiCore has also released a detection & cleanup utility to help admins find Bondnet bots and remove them from their servers. The tool and a technical analysis of the malware's modus operandi can be found in GuardiCore's Bondnet report.

Bondnet modus operandi
Bondnet modus operandi

Image credits: GuardiCore