The Bondnet botnet- From China with Love

Pierluigi Paganini May 06, 2017

The new Bondnet botnet “Bond007.01” recently discovered coming out of China and it has infected an estimated 15,000 Windows server computers world-wide.

There’s a new botnet in town and it’s named after the spy with a license to kill – James Bond. The new Bondnet botnet “Bond007.01” was discovered coming out of China by researchers at Guardicore Labs and it has infected an estimated 15,000 Windows server computers worldwide. The infected systems make up a wide variety of government, corporate, university, city and hospital computers.

So far the Bondnet botnet has not been weaponized but instead seems to be focused on using the thousands of slaved computers to mine a variety of cryptocurrencies such as ZCash, RieConin, and what appears to be its primary target, Monero.

“Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day.” states the report published by Guardicore.

Crypto-currency mining is a mechanism used to introduce more currency into the system. Miners are often paid a small transaction fee as well as a “subsidy” of newly created electronic coins. Crypto-currency mining is a very computer resource intensive effort and can consume the availability of infected machines to the point of making them useless to the owners.

The Bondnet botnet, which has been reportedly in operation since late 2016, produces over $1,000 a day in mined currency.

The prime targets for the Bondnet attacks seem to be Windows 2008 servers equipped with MySQL however, the creators have a wide variety of targets and exploits they employ to infect a targeted system. The primary attack surface appears to be Windows RDP combined with brute force attacks against weak credentials.

Bondnet botnet

The attackers also used a wide range of attacks against other web server software including JBoss, Oracle web apps, MSSQL and Apache Tomcat. Researchers have confirmed the Bondnet attacks seen so far are limited to Windows based server systems with 2008 and 2012 releases facing the brunt of the assault.

Once the Bondnet intruder has broken through into the Windows system it then installs a series of Visual Basic programs, DLLs and Windows management programs to act as a Remote Access Trojan (RAT) and the crypto-currency mining system. The RAT allows back door access for the Bondnet controllers and the mining system reports back with its results so the controllers can profit from the stolen computer usage.

While the Bondnet botnet creators are stealing computer time and resources to obtain their digital bounty, there are darker forces that can be unleashed. The Bondnet botnet is managed and controlled remotely by the unknown users and thus can also be weaponized to form a DOS attack network, a ransomware net or be used for simple passive surveillance.

Guardicore and other researchers have not seen any indication that the Bondnet operators are interested in data stored on the infected systems. Instead, they are concentrating their efforts on stealing the computer time for the crypto-currency mining operations. The speculation is that the amount of money earned by the Bondnet stealthy mining techniques exceeds what could be obtained via extortion by ransomware or DOS attacks.

However, the added usage and power consumption inflicted by Bondnet botnet reportedly costs victims as much as $2,000 a month and the potential of the Bondnet to be weaponized into something more sinister shows just how dangerous it is.

“While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning.” warns the analysis. “With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today’s mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim’s network.”

Owners of Windows server based systems are advised to monitor usage carefully, update their software to the latest versions to close security holes, raise the level of their password and credential employment and run a complete check for the Bondnet using AV security products.

Guardicore has released a full technical report on the Bondnet, a removal tool and an analysis of its operations at:

About the author: Charles R. Smith is CEO of Softwar Inc. a US based information warfare company and a former national security journalist.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Bondnet botnet, cybercrime)

[adrotate banner=”13″]

you might also like

leave a comment