Researchers report renewed activity by a crypto-mining botnet targeting virtual servers running Windows Server on Amazon Web Services, likely operated out of Iran and China.
According to the Splunk Threat Research Team (STRT) at cybersecurity company Splunk, the malware works by hijacking RDP-enabled instances and then using the Telegram desktop client for command-and-control communications.
Splunk's analysis of the attacks revealed that the attackers specifically look for Windows Server instances that are running on AWS and expose the RDP protocol.
The attackers then go back to their old tricks: brute-forcing passwords. This method works best if the target system has weak passwords. If successful, they install cryptomining malware that mines the Monero cryptocurrency.
The attackers use the Telegram messaging app to send command-and-control messages and to download additional tools.
“Telegram is used to download further exploitation and botnet expansion tools such as masscan, kport scan and NLA Checker. These tools are used for internet rapid scanning and NLA checker is a tool used for checking RDP connectivity,” researchers wrote in a recent report.
Splunk detected a Monero wallet that was also used in a 2018 wave of attacks involving the same botnet. This time around, the attack uses infrastructure in China and Iran: the malicious domains are believed to be hosted in China, while the Telegram channels and victim machines are in Iran.
According to Splunk’s advice, users can protect against the attacks by applying the latest patches, implementing strong passwords, and enabling network-level authentication.
Not everyone is aware that RDP is not on by default. If it is enabled, it should be turned off, and the credentials used to authenticate over RDP changed to strong ones.
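The brute-force stage described above leaves a recognisable trail in the Windows Security log: a burst of failed logons (Event ID 4625) over RDP (logon type 10) from one source address, followed by a successful logon (4624) from the same address. The following detection logic is an added example written for this article, not code from Splunk's report; it runs over constructed sample events, and the threshold, window and field layout are assumptions.

```python
"""Flag RDP brute-force patterns in Windows Security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, event_id, logon_type, source_ip, account).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    (f"2023-01-01T10:0{i}:00", 4625, 10, "198.51.100.7", "Administrator") for i in range(6)
] + [
    ("2023-01-01T10:06:30", 4624, 10, "198.51.100.7", "Administrator"),  # guess succeeded
    ("2023-01-01T10:02:00", 4625, 10, "203.0.113.9", "jsmith"),          # benign typo
    ("2023-01-01T10:02:20", 4624, 10, "203.0.113.9", "jsmith"),
    ("2023-01-01T10:03:00", 4625, 3, "192.0.2.5", "backup"),              # network logon, not RDP
] + [
    (f"2023-01-01T10:1{i}:00", 4625, 10, "198.51.100.8", "admin") for i in range(5)
]

def find_rdp_bruteforce(events, fail_threshold=5, window=timedelta(minutes=10),
                        logon_types=(10,)):
    """Return (compromised, bursts).

    compromised: (source_ip, account, failures_in_window) for each successful RDP
                 logon preceded by >= fail_threshold failures from the same source.
    bursts:      {source_ip: total_failures} for every source at or above the
                 threshold, whether or not a logon succeeded (spraying in progress).
    Caveat: with Network Level Authentication enabled, failed RDP attempts are
    logged as logon type 3, so pass logon_types=(10, 3) and expect more noise
    from other network logons.
    """
    failures = defaultdict(list)  # source_ip -> timestamps of failed logons
    compromised = []
    for ts_str, event_id, logon_type, src, account in sorted(events, key=lambda e: e[0]):
        if logon_type not in logon_types:
            continue
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4625:
            failures[src].append(ts)
        elif event_id == 4624:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= fail_threshold:
                compromised.append((src, account, len(recent)))
    bursts = {src: len(ts) for src, ts in failures.items() if len(ts) >= fail_threshold}
    return compromised, bursts

if __name__ == "__main__":
    hits, sprays = find_rdp_bruteforce(SAMPLE_EVENTS)
    for src, account, n in hits:
        print(f"ALERT: {src} logged on as {account} after {n} RDP failures")
    for src, n in sprays.items():
        print(f"WATCH: {src} has {n} failed RDP logons")
```

On the sample data this reports one successful brute-force from 198.51.100.7 and an in-progress burst from 198.51.100.8, while the single mistyped password from 203.0.113.9 stays below the threshold.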