New Python-based cryptominer botnet flying under the radar


F5 threat researchers have discovered a new Linux crypto-miner botnet that spreads over the SSH protocol. The botnet, which we’ve named PyCryptoMiner:

  • Is written in Python, a scripting language, which makes it harder to detect than a compiled binary
  • Leverages (under the username “WHATHAPPEN”) to receive new command and control (C&C) server assignments if the original server becomes unreachable
  • The registrant is associated with more than 36,000 domains, some of which have been known for scams, gambling and adult services since 2012
  • Mines Monero, a highly anonymous crypto-currency favored by cyber-criminals. As of late December 2017, this botnet had made approximately US $46,000 mining Monero
  • Gained, in mid-December, a new scanner that hunts for JBoss servers vulnerable to CVE-2017-12149 and exploits them

Targeting Internet-facing Linux systems to build botnets is a very common attack vector in the wild, especially in the last couple of years with the rise of IoT devices. We recently noticed an interesting crypto-miner botnet that seems to be flying under the radar. Written in Python, it appears to be spreading silently. Unlike compiled binary malware, script-based malware is more evasive by nature: it is easy to obfuscate, and it is executed by a legitimate, signed binary, namely an interpreter such as Perl, Python, Bash or PowerShell, which ships with almost every Linux or Windows distribution.

Botnet Operation
Once a scanning bot has successfully guessed the SSH login credentials of a target Linux machine, it deploys a simple base64-encoded “spearhead” Python script which, in turn, connects to the command and control (C&C) server to fetch and execute additional Python code.

However, this botnet’s creator is using another interesting trick. Most malware hard-codes the address of its C&C server, so when that server is taken down, the attacker has no way to tell the botnet to switch to another one. Here, the attacker is using to publish an alternate C&C server address if the original one is unreachable.

One of the challenges adversaries face is maintaining a sustainable C&C infrastructure without being quickly blacklisted by enterprise security solutions, or frequently shut down by ISPs and hosting services following abuse reports from law enforcement and security vendors.

Many adversaries use “bullet-proof” hosting services. A more sophisticated approach now in use is to rely on public file hosting services like and, which cannot easily be blacklisted or taken down. This technique also lets the attacker update the C&C server address whenever they need to.

Note: At the time of writing, the botnet’s C&C servers had stopped being accessible, leaving all newly infected bots idle and polling the “” page. However, the attacker could update the page at any time with a new C&C server and regain control of the botnet.
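The failover described above is worth seeing as logic, because it decides what a defender should block. The simulation below is an added example, not the botnet’s code: it tries an assumed hard-coded primary server, falls back to an assumed public pointer page when the primary is unreachable, parses a replacement `host:port` from it, and idles when both are down (the state the note above describes). All hostnames, the pointer-page format and the scenarios are assumptions; the fetch function is injected, so nothing touches the network.

```python
"""Simulate C&C failover through a public pointer page.

Added illustration of the mechanism, not the botnet's code. Hostnames,
the pointer-page format and the scenario tables are assumed.
"""
import re

PRIMARY_C2 = "c2-primary.example.invalid"            # assumed hard-coded address
POINTER_URL = "https://paste.example.invalid/raw/x"  # assumed public pointer page

# Assumed pointer-page format: a "host:port" line somewhere in the page text.
ADDR_RE = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})$", re.M)


class Unreachable(Exception):
    """Raised by a fetcher when a URL cannot be retrieved."""


def resolve_c2(fetch, primary=PRIMARY_C2, pointer_url=POINTER_URL):
    """Return (host, port, source).

    source is "primary" when the hard-coded server answers, "pointer" when
    the address came from the public page, and "idle" when neither yields
    a usable address (the bot keeps polling in that state)."""
    try:
        fetch("http://%s/" % primary)
        return primary, 80, "primary"
    except Unreachable:
        pass  # primary taken down or blocked: consult the public page
    try:
        page = fetch(pointer_url)
    except Unreachable:
        return None, None, "idle"
    m = ADDR_RE.search(page)
    if not m:
        return None, None, "idle"  # page exists but no address published yet
    return m.group(1), int(m.group(2)), "pointer"


# Constructed scenarios: url -> page text; a missing key means unreachable.
SCENARIOS = {
    "all-up": {
        "http://c2-primary.example.invalid/": "ok",
        POINTER_URL: "c2-new.example.invalid:8080",
    },
    "primary-down": {POINTER_URL: "c2-new.example.invalid:8080"},
    "both-down": {},
    "pointer-unpublished": {POINTER_URL: "nothing here yet"},
}


def make_fetch(pages):
    """Build an offline fetcher over a dict of canned pages."""
    def fetch(url):
        if url not in pages:
            raise Unreachable(url)
        return pages[url]
    return fetch


def run_scenario(name):
    return resolve_c2(make_fetch(SCENARIOS[name]))


if __name__ == "__main__":
    for name in SCENARIOS:
        print("%-20s -> %s" % (name, run_scenario(name)))
```

The defensive consequence falls out of the "primary-down" path: sinkholing or blocking the hard-coded server only moves the bot onto the pointer page, so the page URL and the regular polling cadence toward it are the durable indicators to alert on, while the C&C address itself should be treated as disposable.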

Because the resource is public, we were also able to learn more about this operation. It appears to have been running since at least August 2017, as the user “WHATHAPPEN” created the resource on Aug. 21, 2017. At the time of writing, the resource had been viewed 177,987 times; however, because the same bot may keep polling it periodically while the C&C server is down, this number cannot be taken as the size of the botnet. It is climbing by about 1,000 views a day.

The full analysis from the F5 Labs team can be READ HERE.
