Keypoints
- Infection begins with a universal shell downloader that detects CPU architecture and fetches matching Mirai-derived bot binaries from 103.149.93[.]224.
- The Mddos.x86_64 payload is UPX-packed, statically linked, masquerades as systemd-logind, detaches from TTY, and spawns worker threads for attacks and C2 communication.
- Infected hosts perform high-speed raw TCP SYN scanning to port 22 for SSH propagation and potential brute-force lateral movement.
- C2 resilience is maintained via multi-threaded DNS queries to 8.8.8.8 resolving www.baojunwakuang[.]asia → 159.75.47[.]123, plus persistent TCP connections.
- A concealed XMRig miner (dropped as /tmp/.dbus-daemon) fetches its configuration at runtime from the C2 server, leaving no on-disk config artifacts.
- Stealth techniques include process masquerading, localhost TCP IPC (127.0.0.1:63841), tmpfs staging, and packed/stripped binaries to hinder analysis.
- Operators blend DDoS/SSH-scanning capabilities with resource hijacking for cryptomining, indicating hybrid monetization of compromised Linux/cloud hosts.
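A host-side hunt for the masquerading and tmpfs staging described in the key points above, added here as an example and not code from the Cyble writeup; the legitimate daemon paths, the staging directories, and the process snapshot are assumptions and constructed sample data, not observations from the campaign:

```python
import os
from dataclasses import dataclass

# Where the imitated daemons really live on common distros (assumption; adjust per fleet).
LEGIT_PATHS = {
    "systemd-logind": {"/usr/lib/systemd/systemd-logind", "/lib/systemd/systemd-logind"},
    "dbus-daemon": {"/usr/bin/dbus-daemon"},
}
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # tmpfs-style staging locations

@dataclass
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm, the name prctl(PR_SET_NAME) sets
    exe: str       # readlink of /proc/<pid>/exe, " (deleted)" suffix kept
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces

def suspicious_reasons(p: Proc) -> list[str]:
    """Return why a process looks like the renamed bot or hidden miner (empty if clean)."""
    reasons = []
    real_exe = p.exe.split(" (deleted)")[0]
    claimed = os.path.basename(p.cmdline.split(" ", 1)[0]) if p.cmdline else p.comm
    for name, paths in LEGIT_PATHS.items():
        # Name says "system daemon" but the backing binary is not the packaged one
        if name in (p.comm, claimed) and real_exe not in paths:
            reasons.append(f"claims to be {name} but exe is {p.exe}")
    if real_exe.startswith(STAGING_DIRS):
        reasons.append(f"executable staged under tmpfs path {real_exe}")
    if os.path.basename(real_exe).startswith("."):
        reasons.append("hidden dot-prefixed executable name")
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable unlinked after start")
    return reasons

def hunt(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> reasons for every process that trips at least one check."""
    return {p.pid: r for p in procs if (r := suspicious_reasons(p))}

# Constructed snapshot (not from a real host): the genuine logind, the renamed bot, the hidden miner.
SAMPLE = [
    Proc(812, "systemd-logind", "/usr/lib/systemd/systemd-logind", "/usr/lib/systemd/systemd-logind"),
    Proc(4471, "systemd-logind", "/tmp/Mddos.x86_64 (deleted)", "systemd-logind"),
    Proc(4490, ".dbus-daemon", "/tmp/.dbus-daemon", "/tmp/.dbus-daemon"),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE).items():
        print(pid, "->", "; ".join(reasons))
```

On a live host, build the `Proc` records from `/proc/<pid>/comm`, `exe` and `cmdline`; the comm check catches the prctl rename even when the cmdline rewrite succeeded.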
MITRE Techniques
- [T1592] Gather Victim Host Information – Collects system details (kernel, architecture, process limits) for registration and targeting (‘Collects system details using uname, process limits, architecture, and hostname for C2 registration’)
- [T1583.003] Acquire Infrastructure — Infrastructure as a Service – Uses attacker-controlled servers (103.149.93[.]224, 159.75.47[.]123) to host payloads and C2 (‘C2 and payload distribution servers hosted at 103.149.93[.]224 and 159.75.47[.]123’)
- [T1078] Valid Accounts – Attempts SSH brute-force propagation to gain access to other Linux hosts (‘SSH brute-force attempts to gain credentials and access additional Linux hosts’)
- [T1059.004] Command and Scripting Interpreter — Unix Shell – Downloader script uses curl/wget to fetch and execute architecture-specific bot binaries (‘Downloader script uses curl/wget to fetch and execute the bot payload’)
- [T1106] Native API – Uses syscalls (setsid, prctl) to detach, rename the process, and evade detection (‘renames/processes set to appear like legitimate system services (e.g., systemd-logind)’)
- [T1036.005] Masquerading – Renames the process and attempts to modify /proc/self/cmdline to appear as systemd-logind (‘masquerades as system daemon (“systemd-logind”) using prctl(2) & modifies “/proc/self/cmdline”’)
- [T1027] Obfuscated/Encrypted Files or Information – UPX-packed and stripped binaries to complicate static analysis (‘Payloads are UPX-packed and stripped to complicate analysis’)
- [T1564.001] Hide Artifacts — Hidden Files/Directories – Drops the miner as /tmp/.dbus-daemon to blend with legitimate files (‘Miner dropped as /tmp/.dbus-daemon to blend with legitimate files’)
- [T1016] System Network Configuration Discovery – Discovers networking details to inform scanning and registration (‘High-speed SSH scanning across the Internet… crafts SYN packets to port 22’)
- [T1082] System Information Discovery – Gathers kernel, architecture, and host identifiers during initialization (‘gathers basic information about the victim, including kernel and architecture details via uname(2)’)
- [T1021.004] Remote Services — SSH – Leverages SSH scanning/brute-force to propagate and move laterally (‘High-speed SSH scanning across the Internet… indicating automated scanning and potential brute-force activity’)
- [T1071.004] Application Layer Protocol — DNS – Multi-threaded DNS queries to 8.8.8.8 to resolve the C2 domain and maintain connectivity (‘spawns multiple worker threads that each perform DNS queries against 8.8.8.8 to resolve its C2 server’)
- [T1571] Non-Standard Port – Uses non-standard/ephemeral ports and localhost listeners for C2 and IPC (e.g., 159.75.47[.]123:60194, 127.0.0.1:63841) (‘Localhost TCP listener on 127.0.0.1:63841’ and ‘159.75.47[.]123:60194 used to fetch miner configuration’)
- [T1498] Network Denial of Service – Botnet has DDoS capabilities consistent with Mirai-derived strains (‘Capable of launching DDoS attacks’)
- [T1496] Resource Hijacking – Deploys XMRig to mine Monero and consume system resources for profit (‘Deploys XMRig to consume CPU resources and mine Monero for financial gain’)
Indicators of Compromise
- [IP Address] C2 and distribution – 159.75.47[.]123 (C2/miner host), 103.149.93[.]224 (HTTP server hosting bot binaries)
- [Domain] C2 domain – www.baojunwakuang[.]asia (resolves to 159.75.47[.]123)
- [URL] Download endpoints – hxxps://103.149.93[.]224/bins/Mddos.x86_64 (x86_64 bot), hxxps://159.75.47[.]123/bins/xmrig.x86_64 (cryptominer)
- [File Name / Path] Dropped/malicious files – /tmp/.dbus-daemon (masqueraded XMRig miner), Mddos.x86_64 (bot binary)
- [Network Socket/Port] Local and remote sockets – 127.0.0.1:63841 (internal IPC listener), 159.75.47[.]123:60194 (miner configuration endpoint observed)
- [Crypto Wallet / Pool] Mining configuration – Wallet 4AAjsvwrMQxBJpExraeoqdKrV8bwz2kkJG7P4axGTSip46CjmCrvSa8dztbNC4n6XuLr8wiXYgxS9c979hpdmi6s3LCNNjaID, Pool Auto.c3pool[.]org:19999
- [SHA256 Hash] Binary hashes (examples) – 90e28c0d…96885 (xmrig.x86_64), 4ad4fe75…68852a (Mddos.x86_64), and 5 more hashes identified
Read more: https://cyble.com/blog/v3g4-mirai-botnet-evolves/