Unmasking PyCryptoMiner: How a Python‑Based Botnet Hijacks Linux Servers for Monero Mining
F5 Networks researchers uncovered the PyCryptoMiner Linux botnet, which exploits exposed SSH ports, uses Python scripts and Pastebin for C&C, leverages CVE‑2017‑12149, and has mined roughly $46,000 worth of Monero by compromising vulnerable servers.
Overview
F5 Networks security researchers discovered a Linux‑based cryptomining botnet named PyCryptoMiner. The malware targets Linux hosts with publicly exposed SSH ports and attempts credential guessing to gain access.
Key Characteristics
Implemented in Python, which facilitates obfuscation and evasion.
If the primary command‑and‑control (C&C) server is unreachable, the botnet falls back to a Pastebin account (user WHATHAPPEN) to retrieve new C&C server addresses.
The domain registrar associated with the C&C infrastructure is linked to over 36,000 domains, many historically used for scams, gambling, and adult services.
Used to mine Monero (XMR), a privacy‑focused cryptocurrency. By late December 2017 the botnet had mined roughly 158 XMR (94 XMR + 64 XMR), valued at about $46,000 at that time.
Exploits CVE‑2017‑12149 to add a scanning module that targets vulnerable JBoss servers (observed in mid‑December 2017).
Infection and Operation
After successful SSH credential guessing, PyCryptoMiner drops a base64‑encoded Python script. The script contacts the C&C server to download and execute additional Python payloads. Collected host information includes:
Hostname/DNS name
Operating system name and architecture
CPU count and utilization
The script also checks whether the host is already infected or already being used for Monero mining or JBoss scanning.
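As an added defender‑side example (not code from the F5 report or from the botnet itself), the following Python script illustrates two detection checks that follow from the Key Characteristics and Infection and Operation sections above: flagging an SSH password login that succeeds after a burst of failures from the same source, and flagging processes that execute base64‑decoded Python, the delivery pattern described for the dropped script. The sshd log lines, the process command lines and the base64 string (which decodes to the harmless text "import os") are constructed for the example; the function names find_guessed_logins and find_encoded_python and the threshold of three failures are assumptions of the example.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample sshd lines in the syslog format OpenSSH writes on Debian/Ubuntu
# hosts (/var/log/auth.log). Not taken from the article.
SAMPLE_AUTH_LOG = """\
Jan  3 10:01:01 web1 sshd[2210]: Failed password for root from 198.51.100.7 port 51122 ssh2
Jan  3 10:01:02 web1 sshd[2210]: Failed password for root from 198.51.100.7 port 51123 ssh2
Jan  3 10:01:03 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51124 ssh2
Jan  3 10:01:04 web1 sshd[2212]: Failed password for root from 198.51.100.7 port 51125 ssh2
Jan  3 10:01:05 web1 sshd[2213]: Failed password for root from 198.51.100.7 port 51126 ssh2
Jan  3 10:01:09 web1 sshd[2214]: Accepted password for root from 198.51.100.7 port 51130 ssh2
Jan  3 10:05:00 web1 sshd[2300]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
Jan  3 10:06:00 web1 sshd[2301]: Failed password for deploy from 192.0.2.11 port 40001 ssh2
"""

# Constructed sample of `ps -eo args` output. The base64 string is "import os".
SAMPLE_PROCESS_LIST = [
    "/usr/sbin/sshd -D",
    "python -c \"import base64;exec(base64.b64decode('aW1wb3J0IG9z'))\"",
    "/usr/bin/python3 /opt/app/worker.py",
    "sh -c echo aW1wb3J0IG9z | base64 -d | python",
]

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"
)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def find_guessed_logins(log_text, threshold=3):
    """Return (source_ip, user) pairs for password logins that succeeded after at
    least `threshold` failed password attempts from the same source address.
    Key-based logins are ignored: credential guessing is a password problem."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1  # count failures per source IP
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) == "password" and failures[m.group(3)] >= threshold:
            hits.append((m.group(3), m.group(2)))
    return hits


# Inline Python that decodes base64 inside the interpreter ...
ENCODED_PY_RE = re.compile(
    r"(?:^|\s)python[\d.]*\s+-c\s+.*?b64decode\(['\"]([A-Za-z0-9+/=]+)['\"]\)"
)
# ... or a shell pipeline that decodes first and pipes the result into python.
PIPE_RE = re.compile(
    r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*python"
)


def find_encoded_python(cmdlines):
    """Return (command line, decoded preview) for processes that run base64-encoded
    Python. The preview (first 60 characters of the decoded text) is for analyst
    triage; the decoded content is never executed here."""
    findings = []
    for cmd in cmdlines:
        for rx in (ENCODED_PY_RE, PIPE_RE):
            m = rx.search(cmd)
            if not m:
                continue
            try:
                preview = base64.b64decode(m.group(1)).decode("utf-8", "replace")[:60]
            except (binascii.Error, ValueError):
                preview = "<not valid base64>"
            findings.append((cmd, preview))
            break  # one finding per command line is enough
    return findings


if __name__ == "__main__":
    for ip, user in find_guessed_logins(SAMPLE_AUTH_LOG):
        print(f"password login for {user!r} from {ip} after repeated failures")
    for cmd, preview in find_encoded_python(SAMPLE_PROCESS_LIST):
        print(f"encoded python: {cmd}\n    decodes to: {preview!r}")
```

Both checks are triage signals rather than verdicts: a successful password login after a few failures can be an administrator with a typo, and some deployment tooling also runs base64‑wrapped Python. The decoded preview lets an analyst see at a glance whether the payload reaches out to a C&C server or starts a miner, which is the distinguishing behaviour described above.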
Timeline and Activity
Researchers estimate the botnet has been active since August 2017. The associated Pastebin page was viewed 177,987 times, averaging about 1,000 new views per day.
Financial Impact
The two Monero wallets controlled by the botnet held 94 XMR and 64 XMR respectively, worth approximately $46,000 at the time of reporting.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.