First detected in 2016, DDG is a Monero-mining botnet that targets Redis servers via brute-force attacks against SSH port 22 and OrientDB servers via the CVE-2017-11467 remote code execution vulnerability. The botnet generates revenue for its developers by using the processing power of infected servers to mine Monero, and it uses three Monero wallet addresses. Since March 2017, DDG has infected approximately 4,400 servers and mined over $925,000 worth of Monero. DDG employs a simple script that threat actors can easily alter to deliver different malware variants, including versions of Mirai. The majority of infected servers appear to be located in China, with a small percentage in the United States.
The NJCCIC recommends users and administrators of Redis servers update database account credentials with lengthy and complex passwords, disable root login via SSH, and enable two-factor authentication for SSH. Users and administrators of OrientDB servers are encouraged to update their software as soon as possible.
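An added audit script (not code from the NJCCIC advisory or from 360 Netlab) that checks an sshd_config and a redis.conf against the recommendations above: root SSH login disabled, a second SSH factor required, and a long Redis password set. The function names, the 32-character minimum and the assumption that the second factor is a PAM one-time-password module reached via keyboard-interactive authentication are this example's own choices; the sample configs are constructed.

```sh
#!/bin/sh
# Added audit helper for the mitigations above; not from the NJCCIC
# advisory or 360 Netlab. Assumptions: sshd_config uses the "Keyword value"
# form (no "="), and the second SSH factor is a PAM OTP module via PAM.

# sshd uses the FIRST uncommented occurrence of a keyword, so a hardened
# line placed below a permissive one is silently ignored.
sshd_value() {
    awk -v key="$2" 'tolower($1)==tolower(key) {print $2; exit}' "$1"
}

# Redis applies directives in order, so the LAST occurrence wins.
redis_value() {
    awk -v key="$2" 'tolower($1)==tolower(key) {v=$2} END {print v}' "$1"
}

# Checks one sshd_config and one redis.conf; prints findings, returns 1 on any failure.
check_hardening() {
    sshd_conf=$1; redis_conf=$2; rc=0
    # Root login over SSH must be off (the default, prohibit-password, still allows key-based root login).
    if [ "$(sshd_value "$sshd_conf" PermitRootLogin)" != "no" ]; then
        echo "FAIL: PermitRootLogin is not 'no'"; rc=1
    fi
    # Two-factor SSH: AuthenticationMethods must chain at least two methods.
    if ! sshd_value "$sshd_conf" AuthenticationMethods | grep -q ','; then
        echo "FAIL: AuthenticationMethods does not require two factors"; rc=1
    fi
    # Redis credential must be set and long (32+ characters is this script's threshold).
    pw=$(redis_value "$redis_conf" requirepass)
    if [ -z "$pw" ]; then
        echo "FAIL: requirepass is not set"; rc=1
    elif [ "${#pw}" -lt 32 ]; then
        echo "FAIL: requirepass is shorter than 32 characters"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: all checks passed"
    return "$rc"
}

# Constructed sample configs (weak pair vs hardened pair) written to a temp dir.
TMP=$(mktemp -d)
WEAK_SSHD=$TMP/sshd_weak; HARD_SSHD=$TMP/sshd_hard
WEAK_REDIS=$TMP/redis_weak; HARD_REDIS=$TMP/redis_hard
printf '%s\n' 'Port 22' 'PermitRootLogin yes' > "$WEAK_SSHD"
printf '%s\n' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'AuthenticationMethods publickey,keyboard-interactive' > "$HARD_SSHD"
printf '%s\n' 'port 6379' '# requirepass foobared' > "$WEAK_REDIS"
printf '%s\n' 'port 6379' 'requirepass Kx7pQ2mV9sL4nR8wT3yB6cF1hJ5dG0zA' > "$HARD_REDIS"

echo "== weak configs =="; check_hardening "$WEAK_SSHD" "$WEAK_REDIS" || true
echo "== hardened configs =="; check_hardening "$HARD_SSHD" "$HARD_REDIS"
```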
Reporting and Technical Details:
- February 2018: DDG: A Mining Botnet Aiming at Database Servers (360 Netlab Blog)
Image Source: 360 Netlab Blog