The Splunk Threat Research Team yesterday revealed a cryptocurrency-mining malware campaign targeting Windows servers on Amazon Web Services (AWS). Once those instances are compromised, they’re enlisted into a crypto botnet that, according to the report, has ties to a similar campaign that was active in 2018.
Splunk explained that the attack relies on the Telegram API that “malicious actors can [use to] turn desktop clients of compromised hosts into bots as they can issue commands remotely, download additional tools and payloads.” The campaign effectively uses the messaging service as its command and control infrastructure.
“In a typical attack with Crypto Botnet on Telegram, threat actors first break into Windows servers and proceed to install several tools found in hacking forums such as NL Brute, KPort Scan and NLA Checker,” Splunk said. “All these tools target Windows servers with weak passwords using RDP protocol brute force tools.”
Once those tools are installed, the malware’s operators install Telegram’s desktop client so they can use its API to distribute mining tools related to Monero, a cryptocurrency that claims to be “private and untraceable.” That makes it an excellent option for crypto botnet operators hoping to cover their tracks. Monero also happens to be one of the few cryptocurrencies where CPU mining can still turn a modest profit (especially if you’re stealing CPU time).
Splunk said that it found a Monero wallet that “has been observed in previous campaigns dating back to 2018.” The company also said the campaign itself “involved the use of cryptomining payloads and very similar exploitation techniques,” which could indicate that it’s being conducted by the same people.
AWS customers running Windows servers were advised to make sure they regularly patch their operating system, install the latest security updates, stop using weak passwords, and consider enabling Network Level Authentication to mitigate the potential impact of these brute force attacks.
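For defenders, the chain described above (a burst of failed RDP logons, then a successful logon from the same source, then the Telegram desktop client starting on the server) can be correlated from Windows Security events. The sketch below is an added example, not code from Splunk's report. The event tuples, hosts, IP addresses and file paths are constructed, and the `Telegram.exe` image name and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log event IDs: failed logon, successful logon, process creation
FAILED, SUCCESS, PROC_CREATE = 4625, 4624, 4688

# Constructed sample events (not from the report), already parsed into tuples:
# (timestamp, host, event_id, source_ip, process_image)
EVENTS = (
    [(f"2022-01-10T03:00:{s:02d}", "win-srv-1", FAILED, "203.0.113.7", "")
     for s in range(0, 60, 10)]
    + [
        ("2022-01-10T03:01:10", "win-srv-1", SUCCESS, "203.0.113.7", ""),
        ("2022-01-10T03:20:00", "win-srv-1", PROC_CREATE, "", r"C:\Users\Public\Telegram.exe"),
        # A single mistyped password, then Telegram on a host with no brute force
        ("2022-01-10T09:00:00", "win-srv-2", FAILED, "198.51.100.20", ""),
        ("2022-01-10T09:00:30", "win-srv-2", SUCCESS, "198.51.100.20", ""),
        ("2022-01-10T09:05:00", "win-srv-2", PROC_CREATE, "", r"C:\Tools\Telegram.exe"),
    ]
)

def detect(events, threshold=5, window=timedelta(minutes=5),
           follow_up=timedelta(hours=1)):
    """Flag a logon that follows >= threshold failures from the same source
    within `window`, and a Telegram client start within `follow_up` of it."""
    failures = defaultdict(deque)  # (host, source_ip) -> recent failure times
    breached = {}                  # host -> time of the suspicious logon
    findings = []
    for ts, host, event_id, src, image in sorted(events):
        now = datetime.fromisoformat(ts)
        if event_id == FAILED:
            failures[(host, src)].append(now)
        elif event_id == SUCCESS:
            recent = failures[(host, src)]
            while recent and now - recent[0] > window:
                recent.popleft()   # drop failures older than the window
            if len(recent) >= threshold:
                breached[host] = now
                findings.append((host, "logon_after_bruteforce", src))
            recent.clear()         # a success resets the failure streak
        elif event_id == PROC_CREATE and image.lower().endswith("\\telegram.exe"):
            if host in breached and now - breached[host] <= follow_up:
                findings.append((host, "telegram_after_bruteforce", image))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Process-creation events (4688) are only logged when process auditing is enabled on the server.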