Image: Peter Kruse

Security researchers from the Romanian antivirus vendor Bitdefender have discovered a botnet that infects home routers and other Internet of Things (IoT) smart devices and then tries to mine cryptocurrency.

This is the third IoT botnet that wastes its time trying to mine cryptocurrency on devices that clearly do not support this type of operation.

Short history of LiquorBot

The botnet, called LiquorBot, was first noticed in May 2019, according to a report that Bitdefender published yesterday.

The botnet is nothing special in terms of technical capabilities. It works just like any other IoT botnet that has been documented in recent years. Below is a brief summary of LiquorBot's features:

Uses the following exploits to infect routers and smart devices (usually routers): CVE-2015-2051, CVE-2016-1555, CVE-2016-6277, CVE-2018-17173, CVE-2017-6884, CVE-2018-10562, CVE-2017-6077, CVE-2017-6334, CVE-2016-5679, CVE-2018-9285, CVE-2013-3568, CVE-2019-12780

Uses a list of 82 username and password combinations to brute-force the SSH service of smart devices that have not changed the default password

Can infect devices that run on CPU architectures such as ARM, ARM64, x86, x64 and MIPS

Is controlled from a web-based command and control (C&C) server

The only new detail of LiquorBot is the fact that the malware is a version of the Mirai strain that has been rewritten in the Go programming language, but that is about it.

Wasting its time

Most IoT botnets nowadays usually disappear within weeks or months. LiquorBot is a strange case because it remained active throughout 2019.

Bitdefender says that the malware has often received updates, usually in the form of new exploits. However, the most interesting update arrived in October.

The company says the LiquorBot code was extended with a module that tried to mine the Monero (XMR) cryptocurrency on infected devices.

The module itself is pretty useless, since the botnet is made up primarily of infected routers.

Small Office Home Office (SOHO) routers are inexpensive devices that lack the CPU and hardware capabilities to adequately mine cryptocurrency – which is a very resource-intensive operation.

In the past, other IoT botnets have also wasted their time mining cryptocurrency on SOHO routers, with little success, and dropped all attempts within a few weeks, mainly because of the low yields the hacked devices produced.

The first IoT botnet that experimented with the feature was a Mirai-based botnet that was operated from China in March 2017. The botnet experimented with a Bitcoin mining module for one week before the module was completely removed.

The second was an IoT malware strain called Linux.MulDrop.14, detected by Dr.Web in June 2017. This botnet targeted Raspberry Pi devices, where it also tried to mine Bitcoin. Although Raspberry Pi devices have access to more hardware resources than your regular SOHO router, this botnet also did not break the bank and stopped its experiments after a few weeks.

The discovery of these two botnets in 2017 encouraged researchers to investigate the possibility that IoT botnets could be used as cryptocurrency mining farms. At the time, Errata Security estimated that if a Mirai botnet of 2.5 million bots were to mine cryptocurrency, it would only earn a meager $0.25 a day, putting to rest the idea that IoT botnets could ever be used for cryptocurrency mining.

Apparently, the author of LiquorBot did not get the memo.