Due to its association with the Python programming language and crypto-mining, the researchers have aptly named it PyCryptoMiner. The botnet uses Pastebin.com to receive new command-and-control (C&C) server assignments in case the original server stops responding.
This technique is fairly unusual, as most malware has no way to switch to another C&C server. Also, file-hosting services like Pastebin.com can’t easily be blacklisted or taken down, which lets the PyCryptoMiner attacker update the server address at their convenience.
The botnet targets Linux systems with exposed SSH ports. If it succeeds in guessing the password, it uses its Python script to talk to the C&C server and install a Monero miner on the machine. In recent years, with the rise of IoT, this trend of targeting Linux machines has become popular.
Because the PyCryptoMiner attack uses scripting-language-based malware instead of a binary, its operations are more covert. The bot also performs a check to see whether the target machine has already been infected by the malware.
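Two behaviours described above give defenders something concrete to hunt for: a burst of SSH password failures from one source followed by a successful password login, and a script interpreter fetching its C&C assignment from a paste site. The following detection logic is an added example written for this article; it is not code from the original piece or from the researchers. It runs over constructed sample lines: the auth.log lines use the standard OpenSSH message format, while the egress log layout (`proc=`, `dst=`, `path=` fields from a hypothetical host agent) and the failure threshold of five are assumptions, not any product's real format or tuning.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (OpenSSH format) showing a password-guessing
# burst from one address that ends in a successful password login.
AUTH_LOG = """\
Jan  4 10:01:02 host1 sshd[2231]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jan  4 10:01:03 host1 sshd[2233]: Failed password for invalid user admin from 198.51.100.7 port 41024 ssh2
Jan  4 10:01:04 host1 sshd[2235]: Failed password for root from 198.51.100.7 port 41026 ssh2
Jan  4 10:01:05 host1 sshd[2237]: Failed password for root from 198.51.100.7 port 41028 ssh2
Jan  4 10:01:06 host1 sshd[2239]: Failed password for root from 198.51.100.7 port 41030 ssh2
Jan  4 10:01:07 host1 sshd[2241]: Accepted password for root from 198.51.100.7 port 41032 ssh2
Jan  4 10:05:00 host1 sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

# Constructed egress log lines from a hypothetical host agent. The field layout
# (proc=, dst=, path=) is an assumption made for this example only.
EGRESS_LOG = """\
2018-01-04T10:02:11Z host1 proc=python2 dst=pastebin.com path=/raw/EXAMPLE1
2018-01-04T10:02:40Z host1 proc=curl dst=example.org path=/index.html
2018-01-04T10:03:05Z host1 proc=python2 dst=203.0.113.9 path=/
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
EGRESS_RE = re.compile(r"proc=(\S+) dst=(\S+) path=(\S+)")

# Paste services used as C&C fallback, and interpreters that should rarely be
# fetching from them on a server. Both lists are illustrative assumptions.
PASTE_HOSTS = {"pastebin.com"}
INTERPRETERS = {"python", "python2", "python3", "perl", "sh", "bash"}


def ssh_guessing_sources(lines, threshold=5):
    """Return {ip: failures} for source IPs with at least `threshold` failed passwords."""
    fails = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            fails[m.group(2)] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}


def password_logins_after_guessing(lines, threshold=5):
    """Return (user, ip) pairs for password logins that follow a guessing burst.

    Failures are counted in log order, so only a success that comes *after*
    the threshold was reached from that IP is flagged; key-based logins are ignored.
    """
    fails = Counter()
    hits = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            fails[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) == "password" and fails[m.group(3)] >= threshold:
            hits.append((m.group(2), m.group(3)))
    return hits


def scripted_paste_fetches(lines):
    """Return (proc, dst, path) tuples where a script interpreter fetched from a paste host."""
    out = []
    for line in lines:
        m = EGRESS_RE.search(line)
        if not m:
            continue
        proc, dst, path = m.groups()
        if dst in PASTE_HOSTS and proc in INTERPRETERS:
            out.append((proc, dst, path))
    return out


def triage(auth_lines, egress_lines, threshold=5):
    """Combine both signals into one report a responder can act on."""
    return {
        "guessing_sources": ssh_guessing_sources(auth_lines, threshold),
        "suspicious_logins": password_logins_after_guessing(auth_lines, threshold),
        "paste_fetches": scripted_paste_fetches(egress_lines),
    }


if __name__ == "__main__":
    report = triage(AUTH_LOG.splitlines(), EGRESS_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The two signals are deliberately kept separate: the SSH check works from logs every Linux host already produces, while the paste-site check needs per-process egress visibility, which not every environment has. A login flagged by `password_logins_after_guessing` is a reasonable trigger to review that host's running Python processes and outbound connections.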
The operator behind the botnet has been found to be associated with 36,000 domains and 235 email addresses, many of them related to online scams and adult services.
As per the findings, two pool addresses used by the botnet were paid about 64 and 94 Monero, which is about $60,000. The overall impact and profit made by the botnet creator remain unknown.
Find more technical details about the PyCryptoMiner botnet on this page.