Hackers Start Using Ngrok Reverse Proxy Technique in Cryptocurrency Mining
Lately, there has been an increased proliferation of botnets in the crypto space, most of which resemble each other. However, this trend seems to have changed after researchers from a Chinese cybersecurity company identified a new type of botnet. According to employees of Qihoo 360 Netlab, this botnet uses a reverse proxy service known as ngrok for its payload server. Precisely, this botnet obscures both its reporter and downloader servers using the ngrok reverse proxy service, which periodically generates a large number of randomized subdomain names. Because of this randomization, the botnet master has no control over the generated subdomains, a factor that works in the botnet's favor.
Fundamentally, the ngrok service establishes a subdomain for the hacker, who then transmits the subdomain to target nodes. Afterwards, the infected nodes connect to the server through the subdomain, from where they are used to mine digital currencies. The complexity of this method makes it difficult to pinpoint the exact location of the payload server. When the location of the payload server is unknown, investors are often left stranded because they do not know whom to blame or which authorities to contact. In this regard, the Netlab researchers discovered that this domain-switching activity started in June 2018. Also, the subdomain names are replaced collectively after a maximum of 12 hours.
Another Reverse Proxy Hacking Incident
Although the ngrok botnet is efficient, it is not the first instance where malicious individuals have leveraged reverse proxy techniques to mine virtual currencies. Previously, craftier hackers hijacked an Amazon Web Services account belonging to Tesla, an established tech company. The cybercriminals turned the entire hosting server into a mining rig. In addition, they constructed their own mining pool and hid its IP address using the CloudFlare reverse proxy service. By doing this, the hackers avoided the potential shutdown they would have faced had they opted for a public mining pool.
As the days go by, hackers in the crypto space are advancing their methods by integrating the latest technologies. Soon, these cybercriminals might resort to employing techniques such as onion routing and I2P for reverse proxies. As opposed to ngrok and CloudFlare, which are public services, onion routing and I2P are far more sophisticated and would require considerably more time and resources to take down.