Monero-mining malware exploits Microsoft vulnerability
ESET urges Windows Server 2003 users to apply security updates to avoid
falling victim to the latest cryptocurrency miner attack
ESET, a leading global cyber security company, has discovered a new threat
whereby attackers infected vulnerable Windows web servers with a malicious
cryptocurrency miner in order to mine Monero – a newer cryptocurrency
alternative to Bitcoin. Microsoft has released the update, but many servers
remain outdated to this day.
To achieve this, cyber-criminals modified legitimate, open-source Monero
mining software and exploited a known vulnerability in Microsoft IIS 6.0 to
covertly install the miner on unpatched servers. When creating the malicious
mining software, the criminals made no changes to the original open-source
codebase apart from adding hardcoded command-line arguments specifying the
attacker’s wallet address and the mining pool URL. This, ESET states, could
have taken the cyber-criminals just minutes to complete.
Money-making malware
Malware experts at ESET have reason to believe this operation has been
happening since May 2017. During this time, the cyber-criminals behind the
campaign have created a botnet of hundreds of infected machines and made over
$63,000 worth of Monero.
“While far behind Bitcoin in market capitalization, there are a number
of reasons why attackers are mining for Monero,” said Peter Kálnai, ESET Malware Researcher. “Features such as
untraceable transactions and a proof of work algorithm called CryptoNight,
which favours computer or server central processing units, make the
cryptocurrency an attractive alternative for cybercriminals. Bitcoin mining, in
comparison, requires specialised mining hardware.”
Exploiting vulnerabilities
This type of malicious activity is an example of how minimal skill and
low operating costs can be sufficient to cause a significant outcome. In
this case, the ingredients were the misuse of legitimate open-source
cryptocurrency mining software and the targeting of old systems likely to be
left unpatched.
In July 2015, Microsoft ended its regular update support for Windows
Server 2003 and did not release a patch for this vulnerability until June of
this year, when several critical vulnerabilities for its older systems were
discovered by malware authors.
Despite the end-of-life status of the system, Microsoft did patch these
critical vulnerabilities in order to avoid large-scale attacks such as WannaCry
occurring once again. However, it has been well documented that automatic
updates do not always work smoothly, and this could impact the ability to keep
Windows Server 2003 up to date.
“As a significant number of systems are still vulnerable, users of
Windows Server 2003 are strongly advised to apply the security update, KB3197835, and other critical patches as soon as possible,” said Michal Poslušný, ESET Malware Analyst. “If automatic updates fail, we encourage users to
download and install the security update manually to avoid falling victim to
malicious attacks.”
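As an added example (not ESET's code and not part of the original article), the following PowerShell script lets an administrator check a list of Windows Server 2003 hosts for the two things the article calls out: whether KB3197835 is installed on a machine still running IIS (W3SVC), and whether any process carries a hardcoded Monero wallet address on its command line, as the modified miner does. The host names are constructed, WMI is assumed to be reachable from the management workstation, and the wallet pattern assumes the standard 95-character Monero address format beginning with '4'.

```powershell
# Added example, not from ESET or the original article.
# Assumptions: WMI reachable on each host; host list is constructed sample data.
$Hosts = @('srv2003-web01', 'srv2003-web02')   # constructed sample list
$Kb    = 'KB3197835'                            # hotfix named in the article
# Assumed format of a standard Monero address: 95 chars, starting with '4'.
$WalletPattern = '\b4[0-9A-Za-z]{94}\b'

foreach ($h in $Hosts) {
    try {
        $os    = Get-WmiObject -Class Win32_OperatingSystem     -ComputerName $h -ErrorAction Stop
        $qfe   = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $h -ErrorAction Stop
        $iis   = Get-WmiObject -Class Win32_Service -Filter "Name='W3SVC'" -ComputerName $h -ErrorAction Stop
        $procs = Get-WmiObject -Class Win32_Process             -ComputerName $h -ErrorAction Stop
    } catch {
        Write-Warning "$h : WMI query failed ($($_.Exception.Message))"
        continue
    }

    # Is the security update from the article present on this host?
    $patched    = [bool]($qfe | Where-Object { $_.HotFixID -eq $Kb })
    # Is IIS actually serving? Only then does the IIS 6.0 flaw matter.
    $iisRunning = ($iis -ne $null) -and ($iis.State -eq 'Running')
    # Any running process with a wallet address hardcoded on its command line?
    $suspect    = $procs | Where-Object { $_.CommandLine -match $WalletPattern }

    [pscustomobject]@{
        Host          = $h
        OS            = $os.Caption
        IISRunning    = $iisRunning
        HasKB3197835  = $patched
        Exposed       = ($iisRunning -and -not $patched)
        SuspectMiners = ($suspect | ForEach-Object { "$($_.Name)[$($_.ProcessId)]" }) -join ','
    }
}
```

Run it from a workstation with PowerShell 3.0 or later; a host reported as Exposed is running IIS without the update and should be patched manually if automatic updates have failed, while a non-empty SuspectMiners column warrants an investigation of that process.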
To read more, please visit WeLiveSecurity.