A New Class of Cryptomining Botnet Emerges, Uses Reverse Proxies

Researchers at a cybersecurity company found a new style of botnet that could be a bit more difficult to track down.

It seems that every other day there’s a new botnet out there, and they’re mostly copies of one another. However, researchers at Chinese cybersecurity company Qihoo 360’s Netlab found a new type of botnet that takes things up a notch by using a reverse proxy service called ngrok for its payload server.

“This botnet hides its downloader and reporter server by using the ngrok reverse proxy service to periodically generate a large number of random subdomain names. The botnet master does not have control over what the subdomains will be, as the subdomains are generated randomly by the ngrok service, which in this case is actually a blessing for the botnet,” the researchers said.

Basically, ngrok creates a subdomain for the hacker, the hacker communicates that subdomain to all infected nodes, and the nodes connect to the payload server through it before they start mining coins. Because the nodes only ever contact the ngrok subdomain, it is more difficult to track down exactly where the payload server is located.

When people cannot find the location of a server, they cannot determine which authorities to contact or which service provider to submit complaints to.

“This miner campaign and its domain switching activity started from June this year. The C2 domain names are replaced in groups periodically and each group’s lifetime is less than 12 hours,” the researchers added.
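
A defender can turn the rotation the researchers describe into a detection: a host that resolves many different tunnel subdomains within a day stands out from a developer who reuses one or two. The sketch below is an added example, not code from Netlab or the original article; the `.ngrok.io` suffix, the log format, the threshold and the sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: tunnel hostnames sit under this suffix; match it to your own logs.
TUNNEL_SUFFIX = ".ngrok.io"
WINDOW = timedelta(hours=24)  # long enough to span two C2 groups (<12 h each)
MAX_DISTINCT = 3              # assumed threshold, tune against known developer use

# Constructed resolver log: "timestamp client-ip queried-name"
SAMPLE_LOG = """\
2024-01-10T01:00:00 10.0.0.5 1a2b3c4d.ngrok.io
2024-01-10T01:05:00 10.0.0.9 devdemo1.ngrok.io
2024-01-10T06:00:00 10.0.0.5 5e6f7a8b.ngrok.io
2024-01-10T09:00:00 10.0.0.9 devdemo1.ngrok.io.
2024-01-10T13:00:00 10.0.0.5 9c0d1e2f.ngrok.io
2024-01-10T13:30:00 10.0.0.7 example.com
2024-01-10T19:00:00 10.0.0.5 3a4b5c6d.ngrok.io
2024-01-12T02:00:00 10.0.0.9 devdemo2.ngrok.io
"""

def tunnel_queries(log_text):
    """Yield (time, client, name) for well-formed lines that query a tunnel name."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        name = parts[2].rstrip(".").lower()  # normalise trailing dot and case
        if name.endswith(TUNNEL_SUFFIX):
            yield datetime.fromisoformat(parts[0]), parts[1], name

def rotating_clients(log_text, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Map each client that resolved more than max_distinct different tunnel
    names inside one sliding window to the names that tripped the threshold."""
    per_client = defaultdict(list)
    for ts, client, name in tunnel_queries(log_text):
        per_client[client].append((ts, name))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop queries older than the window
            names = {n for _, n in events[start:end + 1]}
            if len(names) > max_distinct:
                flagged[client] = sorted(names)
                break
    return flagged

if __name__ == "__main__":
    print(rotating_clients(SAMPLE_LOG))
```

On the constructed log only 10.0.0.5 is reported; 10.0.0.9 uses two tunnel names more than a day apart and stays below the threshold.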

Though this is a clever way to run a botnet, it isn’t the first time that hackers have used reverse proxies to mine cryptocurrencies.

Another, cleverer, group of hackers hijacked Tesla’s Amazon Web Services account, turning its entire infrastructure into one big mining rig. This wasn’t the only trick they had up their sleeves, however.

In addition to compromising Tesla’s hosting infrastructure, they also managed to make their own mining pool and conceal its IP address using the reverse proxy service Cloudflare. This particular move helped them avoid using public pools, which would have swiftly shut down any of their mining activities.

Given how sophisticated attacks have become in the cryptocurrency world, we shouldn’t be surprised if we soon see hackers take advantage of onion routing and I2P for reverse proxies, which would be far more difficult to take down than attacks using public services like ngrok and Cloudflare.