Cybersecurity researchers at Qihoo 360NetLab say they have identified a botnet (a network of coordinated computing devices) that is trolling the net to locate computers running Monero mining script and destroying the script.
The botnet is said to first look for the presence of a certain open ports in a system, which it then uses to enter a computer and track down and destroy a particular malware that mines the Monero cryptocurrency.
The malware script, called “com.ufo.miner,” once identified, is terminated by the botnet using uninstall and “suicide” commands.
Cybersecurity firm Trend Micro says that cryptocurrency-mining malware attacks have spiked 956% in the past year.
While crypto mining software is sometimes used legitimately by charities and free sites, in a mining malware attack, affected systems are secretly held hostage by software that can keep computers perpetually awake while forcing them to generate cryptocurrency in a process called “mining.”
This “CPU-engorging” process can not only increase a computer system’s power consumption, it can also damage processors.
Mining proceeds in malware attacks are sent to attackers’ online crypto “hot wallets,” and in some cases, a percentage goes to companies that make the malware, including Coinhive.
Researchers have previously identified a feature of malware that makes it capable of removing competing malware from a system, and Qihoo 360NetLab do not know whether this latest botnet, which they detected this September, is operating for good or simply to help usher in new malware.
Notably, rather than using a, “traditional DNS to communicate with the C2,” the bonnet is at least partly undergirded by a blockchain system, which could help the botnet obscure itself.
According to the researchers:
“The choice of Fbot using EmerDNS other than traditional DNS is pretty interesting, it raised the bar for security researcher to find and track the botnet (security systems will fail if they only look for traditional DNS names).”