Threat Management

Cryptocurrency miners target web servers with malware

RubyMiner malware plants XMRig on vulnerable systems. Security researchers have discovered malware aimed at  Linux and Windows servers running to mine cryptocurrency.


According to researchers at Check Point, attackers have used malware called RubyMiner to infect systems with a cryptocurrency miner called XMrig.


Researchers said in a blog post that over a 24-hour period last week, hackers attempted to compromise 30 percent of networks worldwide in order to find vulnerable web servers in order to mobilise them to their mining pool. It said that among the top countries targeted are the United States, Germany, United Kingdom, Norway and Sweden, though no country has gone unscathed.


Security firm Certego also noticed a huge spike in attacks as well. It said in a blog post that the exploit has been trying to leverage a fairly old CVE (CVE-2013-0156) that allows remote code execution. 


According to Check Point, the attacker attempts to use multiple web server vulnerabilities to inject the malicious code onto the vulnerable machines. “Among the targeted servers we found attacks on PHP, Microsoft IIS, and Ruby on Rails,” they said.


Check Point researchers said that the hacker also made use of known vulnerabilities within Ruby on Rails and Microsoft IIS. The Ruby on Rails base64 encoded attack vector exploits CVE-2013-0156.


The attacker sends a base64 encoded payload inside a POST request in the hope that the ruby interpreter configured on the server will execute it.


“This is a very simple bash script that adds a new entry in the crontab of the host. The cronjob is executed once per hour (notice the number 1: it means every first minute of every hour) and it downloads the file robots.txt via wget. The file is piped through bash, so most probably it's a text file containing a shell script,” said researchers at Certego.


Check Point researchers said that it is interesting to note that the scheduler isn't just being told to run the mining process every hour, it is being told to run the whole process, which includes downloading the file from the server.


“This is possibly to allow the attacker to initiate an immediate kill switch for the miner bot. If the attacker would like to end the process on the infected machines, all that needs to be done is modify the robots.txt file on the compromised webserver to be inactive. Within a minute, all the machines re-downloading the file will be receiving files without the cryptominers,” said Check Point researchers.


Check Point said that one of the domains used in this attack, lochjol.com, was seen being used in another attack back in 2013. The previous attack also leveraged the vulnerability in Ruby on Rails, and shares some common features with the current attack


“Nonetheless, we cannot determine the connection between the two, and, even if they share a common attacker, their purposes seem to be different,” said researchers. “In 2018, as in 2017, we continue to see blitz campaigns, leveraging unpatched vulnerabilities in many networks. This attack, like its predecessors, could have been prevented by simply patching old servers and deploying relevant security measures.


Javvad Malik, security advocate at AlienVault, told SC Media UK that as cryptocurrencies gain popularity and value, they become a more attractive target to cyber-criminals.


“Due to the fact that more and more variants emerge frequently, businesses should keep systems updated where possible, and invest in threat detection and response controls that can detect where malicious techniques are being used to mine cryptocurrencies,” he said.


Andy Norton, director of threat intelligence at Lastline, told SC Media UK that Monero is taking over as the “bad boy” of cryptocurrencies due to its fungible nature and CPU friendly algorithm.


“Mining payloads are becoming much more prevalent,” he said. “100 percent of internet connected networks experience compromise attempts on a daily basis. Best practice guidance on protecting infrastructure remains unchanged.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds