It may have seemed the sky had fallen, causing agents and servers across the globe to go rogue, as the Bondnet 007.01 botnet army seized victims to do its bidding.
GuardiCore Labs researchers spotted the botnet, composed of thousands of compromised servers, which infects victims through a variety of public exploits and installs a Windows Management Instrumentation (WMI) trojan that communicates with a Command and Control (C&C) server, according to a recent post.
The villain behind the madness appears to be financially motivated: the majority of the victims are used to mine the Monero cryptocurrency, earning nearly $1,000 a day, while other servers are used to conduct attacks, serve up malware files or host C&C servers.
And although the botnet is smaller than the Mirai botnet, researchers said it has more than 20,000 unique victims and is relatively sophisticated: while other mining botnet operators are content with leaving a persistent miner, Bondnet leaves a backdoor capable of full control of the system, GuardiCore Vice President of Research Ofri Ziv told SC Media.
“When we started to analyse the Bondnet C&C logs, we came across the victims' IPs. In this list we also saw IPs of the attacking machines,” Ziv said. “Those machines were communicating with the C&C. At this point we understood that every machine we've seen so far, including the C&C servers themselves, was also a Bondnet victim.”
So far, the malware's victims have included high profile global companies, universities, city councils and other public institutions, which have all been served the malware, shaken and stirred.
The botnet has a diverse toolkit which includes obfuscated Visual Basic code, WMI MOF files, custom mining software alongside a Golang-based web server forked from public repositories, and browser extensions to hijack traffic, just to name a few.
The botnet is unique in that it gives the operator full control of victims and creates multiple access points that allow the operator to return. Unlike IoT botnets, Bondnet's victims are servers, which are practically always connected to high-bandwidth connections and are valuable for their strong computing capabilities.
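The persistence described above is delivered through WMI MOF files, and a compiled MOF typically registers a permanent WMI event subscription (a filter, a consumer and a binding between them) that survives reboots and is invisible to a casual process listing. The check below is an added example written for this article, not code from GuardiCore or from the Bondnet write-up; it assumes a Windows server where such subscriptions live in the standard root\subscription namespace, and its allowlist of one well-known default binding is an assumption the reader should extend for their own environment.

```powershell
# Added example: enumerate permanent WMI event subscriptions and flag the ones whose
# consumer executes code. Run in an elevated PowerShell session on the host under review.
$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Consumer classes that run attacker-supplied commands or script when the filter fires.
$executingConsumers = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

# Assumed allowlist: a default binding present on many Windows builds. Extend as needed.
$knownGoodFilters = @('SCM Event Log Filter')

foreach ($b in $bindings) {
    # With the CIM cmdlets the Filter/Consumer properties are object references,
    # so the referenced instance's Name is available directly.
    $f = $filters   | Where-Object Name -eq $b.Filter.Name
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name
    $consumerType = $c.CimClass.CimClassName

    # Surface the payload each executing consumer type carries.
    $payload = switch ($consumerType) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '<non-executing consumer>' }
    }

    [pscustomobject]@{
        Filter       = $f.Name
        Consumer     = $c.Name
        ConsumerType = $consumerType
        Query        = $f.Query            # the WQL trigger, e.g. a timer or process-start event
        Payload      = $payload
        Suspicious   = ($consumerType -in $executingConsumers) -and
                       ($f.Name -notin $knownGoodFilters)
    }
}
```

Rows marked Suspicious are the ones to triage: a timer- or logon-triggered filter bound to a CommandLineEventConsumer or ActiveScriptEventConsumer is exactly the shape a MOF-installed backdoor takes, and removing the binding, consumer and filter (in that order, with Remove-CimInstance) is what closes that access point once the payload has been captured for analysis.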
Researchers suspect the cybercriminal behind the attacks is acting alone, based on their habit of reusing their own code and their very simple constructs. The hacker is also believed to be based in China, because they copy and paste code into their tools from Chinese websites even though non-Chinese websites are equally available, because infected Chinese servers are treated differently, and because the C&C server was compiled on a Chinese computer.

“Organizations should be concerned anytime they're breached, but the focus on this case is that the attacker can easily return to the machine to conduct more illegal actions such as data exfiltration, ransomware or lateral movement using the victim as a starting point,” Ziv said. “We've observed hundreds of servers with sensitive information saved on them, for instance mail and CRM servers, which is quite alarming.”