Researchers have discovered a versatile cryptominer worm that propagates by exploiting vulnerabilities in Microsoft's SMBv1 server, Oracle's WebLogic Server and Apache Struts, as well as by brute-forcing logins on Microsoft SQL Server instances.
Dubbed MassMiner by its discoverers at AlienVault, the Monero miner employs the NSA-linked EternalBlue exploit to spread via the Microsoft SMBv1 flaw (CVE-2017-0143, patched in MS17-010), and uses a short VBScript to deliver itself via the same Apache Struts bug (CVE-2017-5638) that was leveraged in the Equifax data breach.
Against Oracle WebLogic it exploits CVE-2017-10271 (a deserialization flaw in the WLS Security component) to run a PowerShell downloader that fetches the malware; the same flaw had already been used in earlier malicious cryptomining campaigns [1, 2], as reported by researchers at Trend Micro, FireEye, Morphus Labs and the SANS Technology Institute.
Alternatively, MassMiner installs itself on Microsoft SQL Server hosts whose logins it has brute-forced, running a 1,000+-line SQL script that disables several key security features.
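The SQL Server brute-forcing described above leaves a distinctive trail in the SQL Server ERRORLOG: a burst of error 18456 "Login failed for user" lines from one client address, followed, if the attacker guesses the password, by a "Login succeeded" line from the same address. The script below is an added detection example, not code from AlienVault's report or from MassMiner itself. It parses the ERRORLOG login lines and flags clients that exceed a failure threshold inside a sliding window; the log lines, addresses, user names, threshold and window are all constructed for the example. Note the caveat it handles: SQL Server logs successful logins only when login auditing is set to "Both failed and successful logins" (the default records failures only), so a missing success line does not mean the brute force failed.

```python
"""Detect password brute forcing against Microsoft SQL Server from ERRORLOG lines.

Added illustration (not code from the MassMiner report or from AlienVault).
SQL Server writes one pair of lines per failed login: an 'Error: 18456' line
followed by a 'Login failed for user ...' line that ends with the client IP.
Only the second line carries the address, so that is the one we parse.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, abbreviated sample of SQL Server ERRORLOG output (not a real capture).
# 203.0.113.7 hammers 'sa' six times in six seconds and then gets in;
# 10.0.0.21 is a user mistyping the 'backup' password twice.
SAMPLE_ERRORLOG = """\
2018-05-01 10:00:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2018-05-01 10:00:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-05-01 10:00:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-05-01 10:00:03.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-05-01 10:00:04.27 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-05-01 10:00:05.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-05-01 10:00:06.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-05-01 10:00:07.60 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2018-05-01 10:03:12.00 Logon       Error: 18456, Severity: 14, State: 8.
2018-05-01 10:03:12.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]
2018-05-01 10:03:40.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(errorlog_text):
    """Return (timestamp, outcome, user, client) tuples for each Login line.

    'Error: 18456' lines carry no client address and are skipped; the
    'Login failed/succeeded' line that follows each one has everything needed.
    """
    events = []
    for line in errorlog_text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["outcome"], m["user"], m["client"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins inside any sliding window.

    A success from a flagged client after its failures is reported separately:
    that is the case to treat as a compromised server rather than a noisy scanner.
    Threshold and window are example values; tune them to the environment.
    """
    by_client = defaultdict(list)
    for ev in sorted(events):
        by_client[ev[3]].append(ev)

    findings = {}
    for client, evs in by_client.items():
        fail_times = [ts for ts, outcome, _, _ in evs if outcome == "failed"]
        # Sliding window over the sorted failure timestamps.
        burst = any(
            fail_times[i + threshold - 1] - fail_times[i] <= window
            for i in range(len(fail_times) - threshold + 1)
        )
        if not burst:
            continue
        users = sorted({user for _, outcome, user, _ in evs if outcome == "failed"})
        succeeded = any(outcome == "succeeded" and ts >= fail_times[0]
                        for ts, outcome, _, _ in evs)
        findings[client] = {
            "failures": len(fail_times),
            "users": users,
            "succeeded_after_failures": succeeded,
        }
    return findings


if __name__ == "__main__":
    for client, info in detect_bruteforce(parse_logon_events(SAMPLE_ERRORLOG)).items():
        status = "COMPROMISED" if info["succeeded_after_failures"] else "attempted"
        print(f"{client}: {info['failures']} failures on {info['users']} ({status})")
```

On a live system the ERRORLOG is read with `xp_readerrorlog` or from the `Log` directory of the instance; the same parser applies to either. A flagged client that also shows a success should be followed by a look at the host for the long SQL script the report describes, since the malware runs it right after it gets in.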
“MassMiner spreads first within the local network, before attempting to propagate across the wider internet,” explains AlienVault in a May 1 blog post, adding that it found two online wallets belonging to the attackers.
The malware contains a fork of Masscan, a tool that quickly sweeps a list of IP ranges for systems exposed to the above exploits. Once a suitable exploit succeeds, the malware works through several stages of downloaders and droppers before delivering the final payload, the Monero miner XMRig.
AlienVault further reports that one analyzed MassMiner sample was found to also install Gh0st backdoor malware.