Splunk spots Monero crypto-mining malware on Windows Servers on AWS


Splunk, the data analysis firm, reported a resurgence of the Crypto botnet, a type of malware that attacks virtual servers running Windows Server inside Amazon Web Services. Splunk’s Threat Research Team (STRT) posted an analysis of the attack on Monday.

According to the report, the attack is believed to start with a probe for Windows Server instances running on AWS that have the remote desktop protocol (RDP) enabled.

Once target virtual machines are spotted, the attackers roll out the next gun: brute-forcing passwords. If this step succeeds, the attackers install crypto-mining tools to mine the Monero cryptocurrency.
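Password brute-forcing over RDP leaves a trail of failed logons (Event ID 4625) in the Windows Security log, which is what a detection of this step keys on. The following Python sketch is an added example, not code from the article or from Splunk's report: it counts failed RDP logons per source address inside a sliding window and flags sources that cross a threshold, which is the shape of logic a SIEM rule for this step takes. The event records are constructed sample data, and the five-minute window and threshold of five failures are assumed values, not figures from the report.

```python
"""Sliding-window detection of RDP password brute-forcing from Windows
Security event records (Event ID 4625, failed logon).

Constructed example for this article; not Splunk's detection logic. Field
meanings follow the 4625 event (IpAddress, LogonType, TargetUserName), but
every value below is invented sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, logon type, target user).
# Logon type 10 = RemoteInteractive (RDP). With network-level authentication
# enabled, failed RDP attempts are commonly logged as type 3 (Network), so
# both types are counted as RDP failures.
SAMPLE_EVENTS = [
    ("2021-11-15T10:00:01", "203.0.113.7", 10, "Administrator"),
    ("2021-11-15T10:00:04", "203.0.113.7", 10, "admin"),
    ("2021-11-15T10:00:06", "203.0.113.7", 10, "administrator"),
    ("2021-11-15T10:00:09", "203.0.113.7", 10, "user"),
    ("2021-11-15T10:00:11", "203.0.113.7", 10, "test"),
    ("2021-11-15T10:00:14", "203.0.113.7", 10, "guest"),
    ("2021-11-15T10:02:30", "198.51.100.20", 10, "jsmith"),  # two typos by a real user
    ("2021-11-15T10:02:45", "198.51.100.20", 10, "jsmith"),
    ("2021-11-15T10:05:00", "192.0.2.9", 2, "jsmith"),        # console logon, not RDP
    ("2021-11-15T10:10:00", "203.0.113.50", 3, "Administrator"),  # slow tries, 10 min apart
    ("2021-11-15T10:20:00", "203.0.113.50", 3, "Administrator"),
    ("2021-11-15T10:30:00", "203.0.113.50", 3, "Administrator"),
]

RDP_LOGON_TYPES = {3, 10}


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: {"failures": n, "users": [...]}} for every source
    that produced at least `threshold` failed RDP logons within any span of
    length `window`. `events` is an iterable of
    (iso_timestamp, source_ip, logon_type, target_user) tuples."""
    recent = defaultdict(deque)  # source IP -> deque of (timestamp, user) in window
    alerts = {}
    for ts_str, ip, logon_type, user in sorted(events, key=lambda e: e[0]):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[ip]
        q.append((ts, user))
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(ip)
            if prev is None or len(q) > prev["failures"]:
                # Record the peak burst and the set of usernames tried,
                # since many distinct names from one source is itself a
                # strong indicator of password guessing.
                alerts[ip] = {"failures": len(q),
                              "users": sorted({u for _, u in q})}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {info['failures']} failed RDP logons, "
              f"users tried: {', '.join(info['users'])}")
```

Running the block prints a single alert for 203.0.113.7; the user with two typos and the source spreading three guesses over thirty minutes stay below the threshold, which is also a reminder that slow, low-rate guessing needs a longer window or a distinct-username count to be caught.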

Where the attacks are coming from

Telegram, the secure messaging app, plays a big role too. Attackers install it and use it to relay command-and-control messages. Splunk’s security team saw that one of the Monero wallets used was involved in a 2018 wave of attacks using the same botnet.

There is something different about the attack this time: the resources used for it are identifiable as being from Iran and China. China seems to be the most probable location of some of the malicious domains associated with the botnet.

Iran is the source of sites and Telegram channels that have left identifiable traces in the code found on targeted machines.

What to do

Splunk offers some advice on what to do about this resurgence.

To avoid the attack, stay up to date with patches, use strong passwords and enable network-level authentication. Windows admins will also know that RDP is not usually on by default, and there’s a reason for that.

What’s the advice if you don’t want to avoid the attacks? Well, switch on your RDP, use a generic password and wait for it to happen. Here’s a guide to the attack.