Bondnet infects thousands of servers and earns its operator around a thousand dollars a day

This new botnet, originating in China, was discovered by researchers at GuardiCore Labs.

The infected systems, up to 15,000 Windows servers, belong to a wide variety of organisations: governments, corporations, universities, cities and hospitals.

Currently the botnet seems focused on using the infected machines to mine a variety of cryptocurrencies such as ZCash, RieCoin and Monero; however, the same infrastructure could be weaponized to launch DDoS attacks.

The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Instrumentation (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks, and more.

Active since December 2016, Bondnet primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day.

The primary targets seem to be Windows Server 2008 and Windows Server 2012 machines running MySQL. The operator uses a wide variety of public exploits for known vulnerabilities in JBoss, Oracle web applications, MSSQL and Apache Tomcat, together with brute-force attacks on RDP to discover weak passwords.
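The RDP brute-force vector is the easiest one to spot from the server itself, because every guessed password leaves a failed-logon record in the Security log. The following PowerShell script is an added example, not part of the original post or of GuardiCore's tooling: it counts Security event 4625 (failed logon) per source IP over a time window and reports sources that exceed a threshold. The window and threshold are assumptions to tune for your environment, and it has to be run with rights to read the Security log.

```powershell
# Added example (not GuardiCore's script): flag RDP password guessing by
# counting failed logons (Security event ID 4625) per source IP address.
# Logon type 10 is RemoteInteractive (classic RDP); with Network Level
# Authentication enabled, failed RDP logons are recorded as logon type 3.
# $Hours and $Threshold are assumed defaults; tune them for your servers.
param(
    [int]$Hours = 24,
    [int]$Threshold = 20
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML instead of relying on
# positional Properties indexes, which differ between event versions.
$attempts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['LogonType'] -in @('10', '3') -and $data['IpAddress'] -and $data['IpAddress'] -ne '-') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            SourceIp  = $data['IpAddress']
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']
        }
    }
}

# One row per source IP that crossed the threshold, most aggressive first.
$attempts |
    Group-Object SourceIp |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            SourceIp      = $_.Name
            FailedLogons  = $_.Count
            DistinctUsers = ($_.Group.Account | Sort-Object -Unique).Count
            FirstSeen     = $times[0]
            LastSeen      = $times[-1]
            Accounts      = (($_.Group.Account | Sort-Object -Unique) -join ', ')
        }
    } |
    Sort-Object FailedLogons -Descending |
    Format-Table -AutoSize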

Detection and remediation

GuardiCore has published a VBS script that detects whether a machine is infected and cleans it.
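Independently of that script, the persistence mechanism a WMI-based trojan relies on can be audited with built-in tooling. The PowerShell below is an added example, not GuardiCore's script and not derived from Bondnet's actual code: it enumerates the permanent event subscriptions in the root\subscription namespace (filter, consumer and the binding between them), shows what each consumer executes, and with -Remove deletes any binding whose consumer runs a command line or script. The "suspicious" rule here is an assumption: it treats every CommandLineEventConsumer and ActiveScriptEventConsumer as worth a look, since those are the consumer classes that execute arbitrary code. Run it as Administrator.

```powershell
# Added example, not GuardiCore's VBS script: list WMI permanent event
# subscriptions, the fileless persistence mechanism WMI trojans typically use,
# and optionally remove the ones that execute code.
# Get-WmiObject is used because the targets are Windows Server 2008/2012, where
# Windows PowerShell ships it; on PowerShell 7 use Get-CimInstance instead.
param([switch]$Remove)

$ns        = 'root\subscription'
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# With Get-WmiObject the Filter and Consumer properties of a binding are relative
# object paths such as __EventFilter.Name="MyFilter"; extract the Name key.
function Get-RefName([string]$path) {
    if ($path -match 'Name="([^"]+)"') { $Matches[1] } else { $path }
}

foreach ($b in $bindings) {
    $f = $filters   | Where-Object { $_.Name -eq (Get-RefName $b.Filter) }
    $c = $consumers | Where-Object { $_.Name -eq (Get-RefName $b.Consumer) }
    if (-not $c) { continue }   # orphaned binding, nothing to execute

    # Only these two consumer classes run attacker-supplied code; the others
    # (NTEventLogEventConsumer, LogFileEventConsumer, SMTPEventConsumer) just log or mail.
    $executes = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFilename } }
        default                     { $null }
    }

    [pscustomobject]@{
        Filter        = $f.Name
        Trigger       = $f.Query      # WQL event query that fires the consumer (often a timer poll)
        ConsumerClass = $c.__CLASS
        Consumer      = $c.Name
        Executes      = $executes
        Suspicious    = [bool]$executes
    } | Format-List

    if ($Remove -and $executes) {
        Write-Warning "Removing subscription: filter '$($f.Name)' -> consumer '$($c.Name)'"
        $b | Remove-WmiObject
        $c | Remove-WmiObject
        if ($f) { $f | Remove-WmiObject }
    }
}
```

A clean Windows install normally shows one subscription, the built-in SCM Event Log Filter bound to an NTEventLogEventConsumer, which the script reports as not suspicious. Review the Executes column before using -Remove: legitimate management software occasionally registers CommandLineEventConsumer subscriptions, and the removal deletes the filter and consumer as well as the binding.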


References

https://www.reddit.com/r/netsec/comments/698hoa/the_bondnet_army_a_botnet_of_thousands_of/