
Published on January 8th, 2020

Go-Based LiquorBot Adapts Cryptomining Payload to Infected Host

A cryptomining botnet has been attacking unpatched routers since at least May 2019. It exploits a small set of critical vulnerabilities and targets multiple CPU architectures.

Named LiquorBot, the malware is written in Golang (Go), a programming language whose syntax resembles C but which offers some advantages, such as memory safety and garbage collection.

12+ versions in less than a year

Researchers at Bitdefender first saw LiquorBot on May 31, 2019, and tracked its evolution to a version discovered on October 10. Between these dates, 11 releases were identified:

SHA1                                      Package path                First seen
2901d4ee7f289bf0b1a863bec716d751f66a4324  /home/woot/webliquor/       May 31st 2019
1bee367d72c472e5991435479cfdecdf3b6e65db  /home/woot/webliquor/       June 4th 2019
2d1d294aac29fab2041949d4cb5c58d3169a31d3  /home/woot/webliquor/       June 7th 2019
b9dd4d230d103b3db458d752d4917466ec1cb9b0  /home/woot/webliquor/       June 10th 2019
31176239ab5187af5d89666f37038340b95a5a4e  /home/woot/webliquor/       June 14th 2019
c6d850e264d7d8d6978cd85d69c22b29378e34e4  /home/woot/webliquor/       June 26th 2019
c59dd90f7cefadaa80d9c0113f8af39e4ed0c1a1  /home/woot/liquorv3/        July 24th 2019
8df16857cb914f5eded0249cfde07f1c01697db1  /home/woot/Desktop/GoNet/   Aug 8th 2019
8364c272e0c95ed214c71dbcb48f89c468544bc8  /home/woot/Desktop/ExNet/   Sep 11th 2019
bb07341ab6b203687845ae38cd8c17dfc947e79f  /home/woot/Desktop/MineGO/  Sep 13th 2019
331ec23c250b86d912fa34e0e700bfcac1a7c388  /home/woot/Desktop/MineGO/  Sep 30th 2019
63b556a0afcf643337310254cc7f57c729188f36  /home/woot/Desktop/MineGO/  Oct 1st 2019
5821ff8eb9b23035a520e1fb836e43b1ec87ffaf  /home/woot/Desktop/MineGO/  Oct 10th 2019

At its core, LiquorBot is a re-implementation of the infamous Mirai but with a cryptocurrency mining feature instead of a distributed denial-of-service (DDoS) component.

It is cross-compiled for the ARM, ARM64, x86, x64, and MIPS architectures, and the dropper script downloads every payload regardless of the host's CPU architecture.
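Because the dropper fetches one binary per architecture and leaves the host to run whichever one fits, a responder who recovers the dropped files has to work out which of them was actually meant for the compromised router. The Go program below is an added example, not code from the article or from Bitdefender's analysis: it reads only the ELF identification bytes and the e_machine field of each file, so it works on truncated downloads too, and it decodes big-endian MIPS correctly alongside the little-endian ARM and x86 builds. The sample headers, their names, and the 32-bit compatibility rule in RunnableOn are constructed assumptions for the demo.

```go
package main

import (
	"debug/elf"
	"encoding/binary"
	"errors"
	"fmt"
)

// PayloadArch describes what one dropped binary was built for.
type PayloadArch struct {
	Name    string      // label for the sample (constructed for this demo)
	Class   elf.Class   // ELFCLASS32 or ELFCLASS64
	Order   elf.Data    // ELFDATA2LSB (little-endian) or ELFDATA2MSB (big-endian)
	Machine elf.Machine // e_machine: EM_ARM, EM_AARCH64, EM_386, EM_X86_64, EM_MIPS, ...
}

// ClassifyELF inspects only the first 20 bytes: the magic, the class and
// data-encoding bytes of e_ident, and e_machine. Section and program headers
// are never read, so a partially downloaded payload can still be attributed.
func ClassifyELF(name string, b []byte) (PayloadArch, error) {
	if len(b) < 20 {
		return PayloadArch{}, errors.New("shorter than an ELF header prefix")
	}
	if string(b[:4]) != "\x7fELF" {
		return PayloadArch{}, errors.New("missing ELF magic")
	}
	class := elf.Class(b[elf.EI_CLASS])
	if class != elf.ELFCLASS32 && class != elf.ELFCLASS64 {
		return PayloadArch{}, fmt.Errorf("unknown ELF class %d", class)
	}
	order := elf.Data(b[elf.EI_DATA])
	var bo binary.ByteOrder
	switch order {
	case elf.ELFDATA2LSB:
		bo = binary.LittleEndian
	case elf.ELFDATA2MSB:
		bo = binary.BigEndian
	default:
		return PayloadArch{}, fmt.Errorf("unknown data encoding %d", order)
	}
	// e_machine is a 16-bit field at offset 18 in both header layouts, stored
	// in the file's own byte order: big-endian MIPS decodes differently from
	// little-endian x86, which is why the encoding byte is checked first.
	machine := elf.Machine(bo.Uint16(b[18:20]))
	return PayloadArch{Name: name, Class: class, Order: order, Machine: machine}, nil
}

// RunnableOn reports whether payload p would execute natively on a host CPU
// of type host. Besides exact matches it accepts the two common 32-bit
// compatibility cases (ARM on AArch64, i386 on x86-64); whether the host
// kernel really enables that mode is an assumption of the demo.
func RunnableOn(p PayloadArch, host elf.Machine) bool {
	if p.Machine == host {
		return true
	}
	compat := map[elf.Machine]elf.Machine{
		elf.EM_ARM: elf.EM_AARCH64,
		elf.EM_386: elf.EM_X86_64,
	}
	h, ok := compat[p.Machine]
	return ok && h == host
}

// fakeHeader builds a constructed 20-byte ELF header prefix; the bytes are
// synthetic and do not come from any real sample.
func fakeHeader(class elf.Class, data elf.Data, m elf.Machine) []byte {
	b := make([]byte, 20)
	copy(b, "\x7fELF")
	b[elf.EI_CLASS] = byte(class)
	b[elf.EI_DATA] = byte(data)
	b[elf.EI_VERSION] = byte(elf.EV_CURRENT)
	var bo binary.ByteOrder = binary.LittleEndian
	if data == elf.ELFDATA2MSB {
		bo = binary.BigEndian
	}
	bo.PutUint16(b[16:18], uint16(elf.ET_EXEC)) // e_type
	bo.PutUint16(b[18:20], uint16(m))           // e_machine
	return b
}

// SampleHeaders returns constructed inputs standing in for the files a
// multi-architecture dropper fetches, plus one non-ELF file for the error path.
func SampleHeaders() map[string][]byte {
	return map[string][]byte{
		"arm":    fakeHeader(elf.ELFCLASS32, elf.ELFDATA2LSB, elf.EM_ARM),
		"arm64":  fakeHeader(elf.ELFCLASS64, elf.ELFDATA2LSB, elf.EM_AARCH64),
		"x86":    fakeHeader(elf.ELFCLASS32, elf.ELFDATA2LSB, elf.EM_386),
		"x64":    fakeHeader(elf.ELFCLASS64, elf.ELFDATA2LSB, elf.EM_X86_64),
		"mips":   fakeHeader(elf.ELFCLASS32, elf.ELFDATA2MSB, elf.EM_MIPS),
		"script": []byte("#!/bin/sh\n# not an ELF file at all\n"),
	}
}

func main() {
	samples := SampleHeaders()
	for _, n := range []string{"arm", "arm64", "x86", "x64", "mips", "script"} {
		p, err := ClassifyELF(n, samples[n])
		if err != nil {
			fmt.Printf("%-6s  skipped: %v\n", n, err)
			continue
		}
		fmt.Printf("%-6s  %s %s %s  native on an x86-64 host: %v\n",
			n, p.Class, p.Order, p.Machine, RunnableOn(p, elf.EM_X86_64))
	}
}
```

On a real triage the map of sample names to bytes would be replaced by the files read from the dropper's download directory; the classifier itself does not change, since it never looks past the header prefix.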

[Image: LiquorBot dropper code]

LiquorBot has multiple command and control (C2) servers and communicates with them periodically, reporting vulnerable devices and getting commands:

  • wpceservice.hldns.ru
  • ardp.hldns.ru
  • bpsuck.hldns.ru

Each of the above servers is used interchangeably as a C2 server, for Monero cryptocurrency mining, and for hosting the binaries.
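The most direct defensive use of the list above is to check resolver or DNS-firewall logs for lookups of those three names, since the bot resolves them to reach its C2, its mining pool, and its binary host. The Go snippet below is an added example, not code from the article: the log-line format and the client addresses are constructed for the demo, names are normalised before comparison (case, whitespace, trailing dot), and only the three listed hostnames and labels beneath them count as indicators; the parent zone hldns.ru is not listed by the article and is deliberately not matched.

```go
package main

import (
	"fmt"
	"strings"
)

// c2Hosts are the hostnames the write-up names as C2, mining and hosting infrastructure.
var c2Hosts = []string{
	"wpceservice.hldns.ru",
	"ardp.hldns.ru",
	"bpsuck.hldns.ru",
}

// normalizeName lowercases a DNS name and strips surrounding whitespace and
// the trailing dot that resolver logs often append to fully qualified names.
func normalizeName(n string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(n)), ".")
}

// IsC2Name reports whether qname is one of the indicator hosts or a label
// beneath one (e.g. "x.ardp.hldns.ru"). The parent zone hldns.ru is not an
// indicator, so "other.hldns.ru" is not matched.
func IsC2Name(qname string) bool {
	q := normalizeName(qname)
	for _, h := range c2Hosts {
		if q == h || strings.HasSuffix(q, "."+h) {
			return true
		}
	}
	return false
}

// Hit records one query for an indicator name.
type Hit struct {
	Client string // address that issued the query
	QName  string // normalised name that was looked up
}

// FindC2Queries scans resolver log lines of the constructed form
// "<timestamp> <client-ip> <qtype> <qname>" and returns the queries that
// named an indicator. Malformed lines are skipped rather than failing the scan.
func FindC2Queries(lines []string) []Hit {
	var hits []Hit
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) < 4 {
			continue
		}
		if IsC2Name(f[3]) {
			hits = append(hits, Hit{Client: f[1], QName: normalizeName(f[3])})
		}
	}
	return hits
}

// SampleResolverLog is constructed demo input; the client addresses come from
// the 192.0.2.0/24 documentation range.
func SampleResolverLog() []string {
	return []string{
		"2020-01-08T10:00:01Z 192.0.2.20 A www.example.com.",
		"2020-01-08T10:00:05Z 192.0.2.20 A WPCEservice.hldns.ru.",
		"2020-01-08T10:03:10Z 192.0.2.31 A other.hldns.ru",
		"2020-01-08T10:04:00Z 192.0.2.31 AAAA bpsuck.hldns.ru",
		"garbage line",
	}
}

func main() {
	for _, h := range FindC2Queries(SampleResolverLog()) {
		fmt.Printf("client %s looked up indicator %s\n", h.Client, h.QName)
	}
}
```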

Old bugs and brute-forcing

As for the targets, Bitdefender found that the malware seeks devices vulnerable to CVE-2015-2051, CVE-2016-1555, and CVE-2016-6277. It also exploits command injection (1, 2) and remote command execution flaws in several router models from D-Link, Netgear, and Linksys.

Exploiting these vulnerabilities is not the main compromise method, as the malware relies primarily on SSH brute-force attacks that use a dictionary of 82 username/password combinations.

While this method is seen in most versions of LiquorBot, a release from July 24 adds the vulnerability exploits to increase its reach.
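A dictionary of 82 credential pairs tried over SSH leaves a distinctive trace in a router's auth log: many failures from one address in a short time, each with a different username. The Go program below is an added example, not code from the article or from Bitdefender; it parses OpenSSH's standard "Failed password" lines and flags any source that exceeds a failure threshold inside a sliding time window, reporting how many distinct usernames it tried. The log lines, addresses, usernames and thresholds are constructed for the demo.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// failedLogin is one sshd "Failed password" event.
type failedLogin struct {
	when time.Time
	user string
	src  string
}

// failedRe matches OpenSSH's standard failure line in a syslog-style auth log,
// with or without the "invalid user" marker for unknown accounts.
var failedRe = regexp.MustCompile(
	`^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+`)

// parseFailedLogin returns the timestamp, username and source address of one
// failure line; any other line (accepted logins, noise) yields ok == false.
func parseFailedLogin(line string) (f failedLogin, ok bool) {
	m := failedRe.FindStringSubmatch(line)
	if m == nil {
		return failedLogin{}, false
	}
	// Syslog timestamps carry no year; parsing into year 0 is fine as long as
	// all lines come from the same log and only differences are compared.
	ts, err := time.Parse("Jan _2 15:04:05", m[1])
	if err != nil {
		return failedLogin{}, false
	}
	return failedLogin{when: ts, user: m[2], src: m[3]}, true
}

// BruteForceSources returns, for every source address that produced at least
// threshold failures within any window of the given length, the number of
// distinct usernames it tried. Lines are assumed to be in chronological order.
func BruteForceSources(lines []string, threshold int, window time.Duration) map[string]int {
	byIP := map[string][]failedLogin{}
	for _, l := range lines {
		if f, ok := parseFailedLogin(l); ok {
			byIP[f.src] = append(byIP[f.src], f)
		}
	}
	flagged := map[string]int{}
	for ip, fails := range byIP {
		start := 0 // left edge of the sliding window
		for end := range fails {
			for fails[end].when.Sub(fails[start].when) > window {
				start++
			}
			if end-start+1 < threshold {
				continue
			}
			users := map[string]struct{}{}
			for _, f := range fails {
				users[f.user] = struct{}{}
			}
			flagged[ip] = len(users)
			break
		}
	}
	return flagged
}

// SampleAuthLog is constructed demo input: one address walking a username
// list in 22 seconds (the dictionary pattern), one address with two ordinary
// typos before a successful login, and an unrelated key-based login. The
// addresses are from documentation ranges and the usernames are illustrative.
func SampleAuthLog() []string {
	users := []string{"root", "admin", "user", "guest", "pi", "ubnt",
		"support", "service", "operator", "supervisor", "tech", "default"}
	lines := []string{"Jan  8 09:59:58 gw sshd[1201]: Accepted publickey for ops from 192.0.2.9 port 40110 ssh2"}
	for i, u := range users {
		marker := "invalid user " // sshd only adds this for accounts that do not exist
		if u == "root" {
			marker = ""
		}
		lines = append(lines, fmt.Sprintf(
			"Jan  8 10:00:%02d gw sshd[%d]: Failed password for %s%s from 203.0.113.5 port %d ssh2",
			i*2, 1300+i, marker, u, 50000+i))
	}
	return append(lines,
		"Jan  8 10:05:00 gw sshd[1402]: Failed password for ops from 198.51.100.7 port 40300 ssh2",
		"Jan  8 10:05:30 gw sshd[1403]: Failed password for ops from 198.51.100.7 port 40301 ssh2",
		"Jan  8 10:05:41 gw sshd[1404]: Accepted password for ops from 198.51.100.7 port 40302 ssh2",
	)
}

func main() {
	flagged := BruteForceSources(SampleAuthLog(), 10, time.Minute)
	ips := make([]string, 0, len(flagged))
	for ip := range flagged {
		ips = append(ips, ip)
	}
	sort.Strings(ips)
	for _, ip := range ips {
		fmt.Printf("%s: brute-force pattern, %d distinct usernames tried\n", ip, flagged[ip])
	}
}
```

The threshold of 10 failures per minute is a starting point rather than a tuned value; the distinct-username count is what separates a dictionary run from a legitimate user mistyping one password, so an alert rule would normally require both.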

It is worth noting that although the malware releases carry version numbers, these do not reflect the botnet's chronological evolution. The cryptocurrency component was introduced in version 0.2, released in October, while the July release that added the new propagation methods was labeled 0.6.

LiquorBot is under active development and the authors are likely to further refine it in 2020. Updating your router, if possible, is the easiest way to defend against this sort of threat.

For routers that are no longer supported, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends that users and administrators replace them with alternatives that are still maintained by the vendor.
