Windows Server instances on AWS hijacked to mine cryptocurrency

Crypto mining
(Image credit: Shutterstock / Yevhen Vitte)

Cybersecurity researchers at Splunk have shared details about what they believe to be a re-emergence of a cryptocurrency botnet that’s specifically going after Windows Server running on Amazon’s cloud computing platform, Amazon Web Services (AWS).

Based on their detailed analysis, Splunk's Threat Research Team (STRT) says the campaign against AWS’ IP address space seems to originate from Chinese and Iranian IP addresses.

“The malicious actors behind this botnet specifically target Windows Server operating systems with Remote Desktop Protocol,” reads Splunk’s advisory.

After homing in on the targets, the attackers brute force their way into the virtual machines (VM) and proceed to install cryptomining tools to mine for the Monero cryptocurrency.

Telegram-powered C2 infrastructure

Interestingly, the STRT shares that all the compromised VMs had the executable binary for the Telegram Desktop client. The researchers reason that the attackers used this to help tie the compromised VMs into their botnet.

Threat actors abuse the desktop app’s Telegram API to execute commands on the compromised hosts and turn them into bots, which can then be made to automatically download additional tools and payloads.

According to STRT, the crypto wallet that the mined Monero is transferred to was also used in previous campaigns dating back to 2018. 

Noting the other similarities between the current attack and the previous campaigns, including the use of similar exploitation techniques, STRT believes the current campaign is being conducted by the same threat actors that were behind the earlier campaigns.

Since the attacks don’t seem to exploit a software vulnerability but instead brute-force their way into the hosts, the researchers suggest admins review their passwords.

“As seen during our research, the best way to prevent these attack vectors is first patching your Windows servers and applying the latest security updates. The use of weak passwords is also a big factor in getting your servers compromised,” suggests STRT, adding that the use of Network Level Authentication (NLA) will also help thwart brute force attacks. 
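As an added illustration (not code from Splunk’s report or from this article), the kind of check a defender would run over Windows Security event logs to spot the RDP brute forcing described above and, more importantly, the successful logon that follows it once a password has been guessed. The event records, source addresses (RFC 5737 test ranges) and account names are constructed; the event IDs (4625 failed logon, 4624 successful logon) and logon types (10 for RDP, 3 for the network credential check that NLA performs before a session is opened) are the standard Windows ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events, reduced to the fields the
# check needs. Illustrative records only, not data from Splunk's report.
# EventID 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP); LogonType 3 = Network, which is how
# the credential check shows up when NLA is enabled on the RDP listener.
def _ev(ts, eid, ltype, user, src):
    return {"time": ts, "id": eid, "logon_type": ltype, "user": user, "src_ip": src}

SAMPLE_EVENTS = [
    # 203.0.113.7 (RFC 5737 test address): repeated guesses against admin
    # accounts, then a success shortly after: the pattern the article describes.
    _ev("2021-12-07T10:00:01", 4625, 10, "Administrator", "203.0.113.7"),
    _ev("2021-12-07T10:00:09", 4625, 10, "Administrator", "203.0.113.7"),
    _ev("2021-12-07T10:00:17", 4625, 10, "admin", "203.0.113.7"),
    _ev("2021-12-07T10:00:25", 4625, 10, "admin", "203.0.113.7"),
    _ev("2021-12-07T10:00:33", 4625, 10, "Administrator", "203.0.113.7"),
    _ev("2021-12-07T10:00:41", 4625, 10, "Administrator", "203.0.113.7"),
    _ev("2021-12-07T10:01:11", 4624, 10, "Administrator", "203.0.113.7"),
    # 198.51.100.20: an operator mistyping a password twice, then logging in.
    _ev("2021-12-07T10:05:00", 4625, 10, "ops-jane", "198.51.100.20"),
    _ev("2021-12-07T10:05:20", 4625, 10, "ops-jane", "198.51.100.20"),
    _ev("2021-12-07T10:05:40", 4624, 10, "ops-jane", "198.51.100.20"),
]


def failed_rdp_logons_by_source(events):
    """Collect sorted timestamps of failed RDP-related logons (4625, type 3 or 10) per source IP."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] in (3, 10):
            by_src[e["src_ip"]].append(datetime.fromisoformat(e["time"]))
    for times in by_src.values():
        times.sort()
    return by_src


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: time_threshold_reached} for every source that produced at
    least `threshold` failed logons inside any sliding window of length `window`."""
    hits = {}
    for src, times in failed_rdp_logons_by_source(events).items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = t
                break
    return hits


def successful_logons_after_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Sources flagged by detect_brute_force that later produced a successful RDP
    logon (4624, type 10): the strongest sign a password was guessed, not just attacked.
    Returns {src_ip: (account, time_of_success)}."""
    hits = detect_brute_force(events, threshold, window)
    compromised = {}
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 10 and e["src_ip"] in hits:
            if datetime.fromisoformat(e["time"]) >= hits[e["src_ip"]]:
                compromised[e["src_ip"]] = (e["user"], e["time"])
    return compromised


if __name__ == "__main__":
    for src, when in detect_brute_force(SAMPLE_EVENTS).items():
        print(f"brute force from {src}, threshold reached at {when.isoformat()}")
    for src, (user, when) in successful_logons_after_brute_force(SAMPLE_EVENTS).items():
        print(f"ALERT: {src} logged in as {user} at {when} after a brute-force burst")
```

The threshold and window are deliberately conservative so that an operator fat-fingering a password (the second source above) is not flagged, while a sustained guessing run is. The second function is the one worth paging on: a burst of 4625 events followed by a 4624 from the same address is the point at which the article’s miner and Telegram client would be dropped onto the host, and the host should be treated as compromised rather than merely probed.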

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.