The new botnet uses ngrok.com to connect bots to the C & C server.
A team of Netlab researchers from the Chinese company Qihoo 360 discovered an unusual botnet used for cryptocurrency mining. Its main difference from other botnets is that the bots do not connect to the remote server directly, but through the service ngrok.com.
ngrok is a simple reverse proxy service that lets users reach servers located behind firewalls or on local machines without a public IP address. The service is very popular in the corporate sector, since employees can use it to connect to their companies' internal networks. Independent developers also use it to show customers the applications they are developing.
Typically, a user runs the server on their local computer, registers on the ngrok.com site, and receives a public URL of the form [random_string].ngrok.io. A developer can, for example, give this link to a customer to preview the project under development.
Netlab researchers discovered a botnet whose C & C server sits behind the ngrok proxy network. Among other things, this gives the C & C server good protection against takedown attempts: ngrok URLs stay online for only 12 hours, so by the time security experts discover the URL of the C & C server, it has already changed. The botnet is therefore more tenacious than its “colleagues” whose C & C servers are hosted on popular hosting platforms.
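The rotation described above means that blocklisting an individual [random_string].ngrok.io hostname is useless within hours, but the parent domain the tunnels hang off does not change. The following added example (not code from the article or from Netlab) shows the detection logic a defender would run over proxy or DNS logs instead: match the tunnel provider's parent domain regardless of the random label, and flag internal hosts that have contacted several distinct ngrok subdomains, which is how the 12-hour rotation shows up in logs. The log lines and the three-field log format are constructed for the example; the list of tunnel domains is an assumption seeded only with the domain the article names.

```python
# Constructed sample log lines (not from the article), format: "timestamp src_host destination".
SAMPLE_LOGS = """\
2018-12-01T10:02:11Z host-a 3b7f1c9e.ngrok.io
2018-12-01T10:02:45Z host-a updates.example.org
2018-12-01T22:15:03Z host-a 9d0ae4b2.ngrok.io
2018-12-02T10:16:40Z host-b ngrok.io
2018-12-02T10:17:02Z host-c notngrok.io
2018-12-02T10:18:30Z host-a a1b2c3d4.ngrok.io
"""

# Assumed list of tunnel-provider parent domains; only the one named in the
# article is included here, extend it for your own environment.
TUNNEL_DOMAINS = ("ngrok.io",)


def is_tunnel_host(hostname: str) -> bool:
    """True if hostname is a tunnel parent domain or any subdomain of one.

    Matching on the parent domain is the point: the random per-tunnel label
    rotates, the parent domain does not. Plain suffix matching would also
    accept 'notngrok.io', so the check requires an exact match or a dot boundary.
    """
    h = hostname.strip().lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in TUNNEL_DOMAINS)


def parse_line(line: str):
    """Split one constructed log line into (timestamp, src_host, destination)."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return tuple(parts)


def find_tunnel_connections(log_text: str):
    """Return every (timestamp, src_host, destination) record that hit a tunnel domain."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_tunnel_host(rec[2]):
            hits.append(rec)
    return hits


def hosts_with_rotating_tunnels(hits, min_distinct: int = 2):
    """Map src_host -> sorted list of distinct tunnel hostnames it contacted,
    keeping only hosts that reached at least min_distinct different ones.

    A legitimate developer demo usually talks to one tunnel; a bot following a
    C&C endpoint that changes every 12 hours accumulates several random labels.
    """
    seen = {}
    for _, host, dest in hits:
        seen.setdefault(host, set()).add(dest.lower())
    return {host: sorted(d) for host, d in seen.items() if len(d) >= min_distinct}


if __name__ == "__main__":
    hits = find_tunnel_connections(SAMPLE_LOGS)
    for rec in hits:
        print("tunnel connection:", *rec)
    for host, dests in hosts_with_rotating_tunnels(hits).items():
        print(f"ALERT {host} contacted {len(dests)} distinct tunnel hostnames: {dests}")
```

In the sample, host-a is the one that would be alerted on: it reached three different random labels over two days, while host-b touched the bare domain once and host-c's `notngrok.io` is correctly ignored. On real logs the same two functions apply to DNS query logs or forward-proxy CONNECT records, and the per-host distinct count is the signal to tune rather than the hostnames themselves.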
The malware currently infects applications and content management systems including Drupal, ModX, Docker, Jenkins, Redis and CouchDB.