A new Monero-mining botnet scanning campaign targeting JBoss servers was observed in mid-December. It exploited CVE-2017-12149, a vulnerability caused by unsafe deserialization of data submitted to the JBoss HTTP invoker. The bots sent a request to the “/invoker/readonly” URL on six TCP ports commonly used by JBoss and reported back to the C&C server every host that answered with HTTP error code 500 and a response containing the string “JBoss”/“jboss”, which is the typical reaction of an exposed invoker to a request that carries no serialized object. The compromised machines were then used to mine the Monero cryptocurrency (an occurrence that is quite common nowadays) and to scan for further targets.
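The fingerprint described above is easy to turn into a defensive check. The following Python is an added example, not code from the original post or from the botnet: it mirrors the bot's "HTTP 500 plus a JBoss string" heuristic so an administrator can test their own servers' responses, and it runs a matching detection over web-server access logs to flag sources probing /invoker/readonly. The log lines and HTTP responses are constructed samples, and the port list is an assumption (the post does not name the six ports).

```python
"""Added example (not from the original post): the bot's JBoss fingerprint
heuristic as a defender's check, plus detection of /invoker/readonly probes
in Apache/nginx combined-format access logs. Sample data is constructed."""
import re
from collections import defaultdict

PROBE_PATH = "/invoker/readonly"

# Assumption: ports a typical JBoss installation listens on. The post only
# says the bots tried six TCP ports; this list is a guess for illustration.
JBOSS_PORTS_HYPOTHETICAL = (80, 8080, 8443, 8009, 9990, 4447)

# Combined log format: ip ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_jboss_invoker_exposed(status, headers, body):
    """Mirror of the bot's check: HTTP 500 on /invoker/readonly and the
    string 'jboss' (any case) somewhere in the headers or body.

    An exposed JBoss invoker answers a request with no serialized object
    with a 500 error page that names JBoss classes, which is exactly what
    the scanner keys on. If your server trips this, the invoker is
    reachable and should be removed or firewalled, not merely monitored.
    """
    if status != 500:
        return False
    haystack = " ".join(f"{k}: {v}" for k, v in headers.items()) + " " + body
    return "jboss" in haystack.lower()


def find_invoker_probes(log_text):
    """Return {source_ip: {"probes": n, "hit_500": n}} for every request to
    PROBE_PATH. A 500 reply means this server answered the way the bot
    expects a vulnerable host to answer; a 404 means the path is absent."""
    stats = defaultdict(lambda: {"probes": 0, "hit_500": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path != PROBE_PATH:
            continue
        entry = stats[m.group("ip")]
        entry["probes"] += 1
        if m.group("status") == "500":
            entry["hit_500"] += 1
    return dict(stats)


# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2017:03:12:01 +0000] "GET /invoker/readonly HTTP/1.1" 500 1523
203.0.113.7 - - [14/Dec/2017:03:12:02 +0000] "GET /invoker/readonly HTTP/1.1" 404 211
198.51.100.9 - - [14/Dec/2017:03:15:40 +0000] "GET /index.html HTTP/1.1" 200 4211
203.0.113.7 - - [14/Dec/2017:03:20:17 +0000] "POST /invoker/readonly HTTP/1.1" 500 1523
"""

# Constructed sample responses: what a vulnerable and a patched host might
# return to a bare GET on /invoker/readonly.
SAMPLE_VULNERABLE = (
    500,
    {"Server": "Apache-Coyote/1.1"},
    "<h1>HTTP Status 500</h1><p>java.io.EOFException ... "
    "org.jboss.invocation.http.servlet.ReadOnlyAccessFilter.doFilter</p>",
)
SAMPLE_HARDENED = (404, {"Server": "nginx"}, "<h1>404 Not Found</h1>")


if __name__ == "__main__":
    for name, resp in (("vulnerable", SAMPLE_VULNERABLE), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: matches bot fingerprint = {is_jboss_invoker_exposed(*resp)}")
    for ip, s in find_invoker_probes(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']} probes of {PROBE_PATH}, {s['hit_500']} answered 500")
```

Run the detection over the full log set for every virtual host and port in `JBOSS_PORTS_HYPOTHETICAL` (or whatever your JBoss instances actually bind); a source with many probes across ports is the scanner, and any `hit_500` greater than zero means the host answered like an exploitable target and should be taken off the network until the invoker is removed or patched.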
Backup control server
Another aspect of the malware was unusual. Besides the C&C server address, the bot also carried a link to a public pastebin.com file containing the address of a backup C&C server. If the primary address became unavailable or was blocked, the attacker could simply edit the paste and redirect the botnet to any other server under their control.
The botnet's profits from Monero mining amounted to about USD 60k over two weeks.
—
Do you need cybersecurity solutions for your company? Contact us.
