Cybercriminals, presumably from China, control a botnet of 15,000 compromised servers running Windows Server, which they use to mine cryptocurrency, mainly Monero. Besides mining, the hacked systems are also used to attack other hosts.
The botnet was first discovered by researchers at GuardiCore. Based on hints left in the malware's source code, the experts determined that it is operated by a group calling itself Bond007.01. The botnet, named Bondnet, appeared in December 2016 and grew quickly. As already mentioned, it currently comprises 15,000 compromised systems, with more than 2,000 daily active bots.
According to the researchers, the Bond007.01 hackers built their network using a variety of techniques. In particular, the attackers use various exploits and perform brute-force attacks against computers with weak RDP passwords.
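The RDP password guessing described above shows up on the victim as bursts of failed logons from one source. As an added example (not from the article or the GuardiCore report), here is a small Python detector run over constructed Windows Security event records; the flattened event format, addresses, account names and the threshold of five failures per minute are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: Windows Security events flattened to one line each.
# EventID 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
# Addresses and account names are made up for this example.
SAMPLE_EVENTS = """\
2017-05-01T10:00:01 EventID=4625 LogonType=10 Account=Administrator SrcIP=198.51.100.7
2017-05-01T10:00:03 EventID=4625 LogonType=10 Account=admin SrcIP=198.51.100.7
2017-05-01T10:00:08 EventID=4625 LogonType=10 Account=test SrcIP=198.51.100.7
2017-05-01T10:00:12 EventID=4625 LogonType=10 Account=backup SrcIP=198.51.100.7
2017-05-01T10:00:15 EventID=4625 LogonType=10 Account=Administrator SrcIP=198.51.100.7
2017-05-01T10:00:20 EventID=4625 LogonType=3 Account=svc SrcIP=203.0.113.9
2017-05-01T10:01:00 EventID=4625 LogonType=10 Account=jdoe SrcIP=203.0.113.5
2017-05-01T10:01:30 EventID=4624 LogonType=10 Account=jdoe SrcIP=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) Account=(\S+) SrcIP=(\S+)$")

def parse_events(text):
    """Parse the flattened event lines into dicts; malformed lines are skipped."""
    events = []
    for m in (LINE_RE.match(l.strip()) for l in text.splitlines()):
        if m:
            ts, eid, ltype, account, ip = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "event_id": int(eid),
                           "logon_type": int(ltype), "account": account, "src_ip": ip})
    return events

def detect_rdp_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding window per source IP over failed RDP logons (4625, type 10).
    Returns {src_ip: (peak failures within one window, accounts tried in the latest alerting window)}."""
    recent = defaultdict(deque)  # src_ip -> failures inside the current window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue  # successes and non-RDP logon types are not counted
        q = recent[ev["src_ip"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), alerts.get(ev["src_ip"], (0, []))[0])
            alerts[ev["src_ip"]] = (peak, sorted({e["account"] for e in q}))
    return alerts

if __name__ == "__main__":
    for ip, (n, accts) in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {n} failed RDP logons in 60s, accounts tried: {', '.join(accts)}")
```

The single failure from 203.0.113.5 followed by a success stays below the threshold, and the LogonType 3 (network) failure is not counted as RDP activity.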
As for exploits, the hackers target vulnerabilities in phpMyAdmin, JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL, Apache Tomcat, Oracle WebLogic and others.
After exploiting a vulnerability, the hackers use DLL and Visual Basic scripts to download and install a remote access trojan (RAT) and the cryptocurrency miner on the victim system. In addition to Monero, the botnet mines ByteCoin, RieCoin and ZCash. All of the computers it contains run Windows Server, and 55% of them run Windows Server 2008 R2.