LiquorBot Botnet

LiquorBot is a newly observed Golang-based botnet, whose sole purpose appears to be mining Monero cryptocurrency.

Threat ID:: CC-3330
Category:
Threat Severity:: Low
Threat Vector:
Published:: 9 January 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

LiquorBot is a newly observed Golang-based botnet, whose sole purpose appears to be mining Monero cryptocurrency.

Affected platforms

The following platforms are known to be affected:

IoT devices

Threat details

Like most other Mirai-based malware, LiquorBot scans the Internet for vulnerable Internet-of-Things (IoT) devices before using known exploits or a list of hard-coded credentials to gain access to them.

Once installed, LiquorBot connects to several different command and control servers to download any intended payloads, before deploying a mining module.

Remediation steps

Type	Step
	To help detect and prevent an infection of LiquorBot, organisations should: Review the network security of IoT devices on the estate. Change any IoT device default usernames and passwords. Monitor Network, proxy and firewall logs for suspicious activity.

Type

Step

To help detect and prevent an infection of LiquorBot, organisations should:

Review the network security of IoT devices on the estate.
Change any IoT device default usernames and passwords.
Monitor Network, proxy and firewall logs for suspicious activity.

Indicators of compromise

Main indicators

URLs

ardp.hldns[.]ru
bpsuck.hldns[.]ru
Wpceservice.hldns[.]ru
systemservice.hldns[.]ru

MD5 Hashes

14592719e2a354633131bc238f07aa0cb9cce698
1611a8445085d1687c72b7e5a7c5602cbe580c8b
1f15195ddc1e4174674fbf5d1fc95ed0a7726f7b
2784a122089c20d5c02665da1241fe02f9ac90cc
2901d4ee7f289bf0b1a863bec716d751f66a4324
2d1d294aac29fab2041949d4cb5c58d3169a31d3
31176239ab5187af5d89666f37038340b95a5a4e
31d9ca734c5f4c1787131d3a1b6b91ca60e57794
331ec23c250b86d912fa34e0e700bfcac1a7c388
3453a96414e63a813b82c6d98fa3b76c1824abd8
36382165bb53a7ed9387a02e5b9baee36fe23f64
48c863e4ad23fb946386320f3a85391b54ba50ad
49602256c8d65d0620d5abe8011a78425c7ae177
54bdfa936c9eb4ea329ca35b95e471d51daef1d5
5821ff8eb9b23035a520e1fb836e43b1ec87ffaf
61abc90c20930c7615880ac9931778b48b9e6ebd
63b556a0afcf643337310254cc7f57c729188f36
65cd6a0371bdfffd7383907ba9a816e8e2e95da5
6c7a92d5d68b68ddba10af7ca6350cfb24b2595f
6d24c472b06e6f9ac3204ca768319d2b035a210a
8364c272e0c95ed214c71dbcb48f89c468544bc8
8df16857cb914f5eded0249cfde07f1c01697db1
a69f9f5f2ac15aec393ab68277ec268c0624fe91
b40f4f13b2b144946b165a2e4284c96fbc0d4682
b9dd4d230d103b3db458d752d4917466ec1cb9b0
ba55d92e3d7dba70205597433f1a98b35e4911b8
bb07341ab6b203687845ae38cd8c17dfc947e79f
c59dd90f7cefadaa80d9c0113f8af39e4ed0c1a1
c5adabbdbf641f3e53e3268af60ac1b26088aa6b
c6d850e264d7d8d6978cd85d69c22b29378e34e4
c7ed7241e2d21fa471b6bfd6b97b24b514b3c5f2
d216f33695421dfb17e69ed05aec46cf84b544b7
d59175ffacd8895362253a3bcb18637ced765fcd
d62cdd8f16a8f6b6cde5e8da633c224eab4765f2
e91f2d5df4ef43cb4c69b15de9a68c7ff2d4951d
fd65e6c5ae07c50c7d7639e2712c45324d4cf8de

Last edited: 29 June 2021 12:00 pm