Malware Threatens to Turn Search Engine into Crypto Mining Botnet

Samuel Haig

Cybersecurity firm Trend Micro has discovered a new malware strain that threatens to turn the enterprise search engine Elasticsearch into a cryptocurrency mining botnet capable of being used in a distributed denial of service (DDoS) attacks.

Malware Differs From Conventional Profit-Motivated Attacks

Trend Micro describes the new malware as different from typical “profit-driven” attack by “delivering backdoors as its payload.” According to the cybersecurity firm: “these threats can turn affected targets into botnet zombies used in [DDoS] attacks.”

The malware attacks its victims by searching for “exposed or publicly accessible Elasticsearch databases/servers.” The virus is specifically designed to exploit an old Elasticsearch exploit that has since been updated.

The virus then invokes “a shell with an attacker-crafted search query with encoded Java commands,” before downloading a malicious script from an already compromised website that attempts to shut down the infected computer’s firewall. The malware ceases any existing cryptocurrency mining activities, in addition to any computational process that may interfere with its operation, and then removes traces of the initial infection. The virus then downloads a second script, again from a compromised website.

The cybersecurity firm stated that “the ways that the scripts are retrievable are notable,” which used expendable domains which “allows the attackers to swap URLs as soon as they are detected.”

Hackers May Just Be Getting Warmed Up

Trend Micro states that the virus “bear[s] the hallmarks of the BillGates malware,” which was first discovered in 2014 and can be “used to hijack systems and initiate DDoS attacks.” The cybersecurity firm notes that it has recently seen variants of the BillGates malware involved in various “botnet-related activities”.

Trend Micro speculates that the actors behind the virus may be “just testing their hacking tools or readying their infrastructure before mounting actual attacks,” highlighting that the attackers “used URL encoding, staged where the scripts are retrieved, and compromised legitimate websites.”

During the first quarter of 2019, Cisco’ Talos Security Intelligence and Research Group reported a sudden spike in the number of malicious actors targeting unsecured Elasticsearch servers. According to Cisco Talis, the attacks leveraged “old vulnerabilities to pass scripts to search queries and drop [...] both malware and cryptocurrency miners on victim machines.”