
Malicious Monero miner spreads via arsenal of web server exploits

Researchers have discovered a versatile cryptominer worm that propagates itself by exploiting vulnerabilities in Microsoft's SMBv1 server, Oracle's WebLogic Server and Apache Struts, as well as by brute-forcing Microsoft SQL servers.

Dubbed MassMiner by its discoverers at AlienVault, the Monero-based miner specifically employs the NSA-linked EternalBlue exploit in order to spread via the Microsoft SMB protocol flaw (CVE-2017-0143), while using a short Visual Basic script to deliver itself via the same Apache Struts bug (CVE-2017-5638) that was leveraged in the Equifax data breach.

Meanwhile, it uses PowerShell code to download itself via an Oracle WebLogic flaw (CVE-2017-10271) that has already been leveraged in previous malicious cryptomining campaigns [12], as reported by researchers at Trend Micro, FireEye, Morphus Labs and the SANS Technology Institute.

Alternatively, MassMiner can install itself via compromised Microsoft SQL Servers, adding a 1,000+-line script that disables several key security features.

"MassMiner spreads first within the local network, before attempting to propagate across the wider internet," explains AlienVault in a May 1 blog post, adding that it found two online wallets belonging to the attackers.

The malware contains a fork of MassScan, a tool that quickly scans a list of IP ranges for systems that are vulnerable to the above exploits. After the proper exploit is employed, the malware goes through several stages of downloaders and droppers until delivering the final payload: the Monero miner known as XMRig.

AlienVault further reports that one analyzed MassMiner sample was found to also install Gh0st backdoor malware.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
