A Monero-mining botnet targeting Redis and OrientDB servers has infected nearly 4,400 servers and has mined over $925,000 worth of Monero since March 2017.

The botnet —named DDG based on one of its modules— targets Redis servers via a credentials dictionary brute-force attack; and OrientDB databases by exploiting the CVE-2017-11467 remote code execution vulnerability.

“[DDG] aims for database servers because database servers are normally equipped with more CPU and memory, which means [they are] more powerful mining machines,” Li Fengpei, a security researcher with Qihoo 360’s Netlab team told Bleeping Computer yesterday.

Botnet has infected nearly 4,400 databases

Netlab has managed to sinkhole traffic heading towards the botnet’s C&C servers for two weeks. The company said it observed 4,391 servers trying to call back to the DDG botnet’s command-and-control servers.

Most infected servers were located in China (73%), with the US in a distant second (11%).  Redis databases seem to make up the bulk of this botnet, accounting for 88% of all infected hosts, while OrientDB instances make up for only 11%.

DDG infection chart

The botnet seems to have ramped up operations in the past three months, just as Monero price has started to climb. There’s been a steady stream of Chinese sysadmins complaining about finding botnet malware artifacts on their database servers in the past few months [1, 2, 3].

Crooks might have made as much as $1.585 million

By analyzing the DDG malware samples, Netlab says crooks mined Monero using three wallet addresses. Researchers were able to confirm that crooks made 3,395 Monero, which is worth…