DDG is a mining botnet that specializes in exploiting SSH, Redis database and OrientDB database servers. We first caught it on October 25, 2017, at that time, DDG used version number 2020 and 2021, and we noticed that the botnet has two internally reserved domain names that had not been registered. So we went ahead and registered the two domain names so we were able to measure the infections, (4,391 infected IPs) The original blog is here.
Some botnet goes away after we release the analysis report, such as http81 (persirai), but the DDG stays.
Three months after the release of our first DDG report, in May 2018, DDG got some major updates. Version 3010 and 3011 appeared, we also witnessed the authors effort to polish the 3011 so he can get the mining part work.
On June 12, we captured that DDG.Mining.Botnet released yet another new version 3012 with yet another c2 address. For all the technical details, please check our detailed DDG blog here.
List of DDG Updates
The following figures describe some high level overview and comparison between different DDG versions.
From the figure we can see:
- Version Update: Starting from October 2017, DDG has released three major version of 201x, 202x, and 301x, and six minor-versions.
- C2 IP address: Four major C2 IPs have bee used.
- Module structure: Three major modules, propagate, keep-live, and mining
- Infection method: Brute force attacks on the SSH server and unauthorized access by the Redis server (2017-10 to date). In versions 201x and 202x, the Struts2 and OrientDB database servers were also targeted for infection.
- Wallet Address: Three wallet addresses. And the file name of the mining program normally the same as the last 5 to 6 strings of the wallet address.
- Redundancy: The author always keeps two versions of the botnet running at the same time to provide fault tolerance. After the 301x version, the author also started to use multiple mine pools for redundancy. Such as mining pool hk02.supportxmr.com, pool.supportxmr.com, xmr-asia1.nanopool.org, xmr-us-west1.nanopool.org, and mining pool proxy 18.104.22.168,22.214.171.124
- Profit: According to our incomplete statistics, DDG's wallet addresses have received at least 7,425 Monroe coins just from Monero.crypto-pool.fr.
- HUB: DDG uses a group of hacked servers to provide download service to infected hosts. Each DDG version update refreshes this HUB_IP list. See the IoC section at the end of this article for infected IPs.
For Sinkhole, we sinkholed two unregistered domain names for DDG version 2020. Although the DDG 2021 version were quickly released and removed these two domain names, we were still able to get an accurate number of the infections. At that time, we recorded a total of 4,391 victim IP addresses. The main victims were China (73%) and the United States (11%):
DDG C2 List
126.96.36.199 India/IN National Capital Territory of Delhi/New Delhi 188.8.131.52 Hong Kong/HK Central and Western District/Central 184.108.40.206 United States/US Nevada/Las Vegas 220.127.116.11 United States/US Missouri/St Louis