Mal/Miner-C mining malware leverages NAS devices to spread itself

Pierluigi Paganini September 12, 2016

Experts from Sophos discovered Mal/Miner-C, a malware designed to abuse resources of the infected machine to mine Monero (XMR) cryptocurrency.

Malware researchers from security firm Sophos have analyzed a new strain of malware detected as Mal/Miner-C that was designed to abuse resources of the infected machine to mine Monero (XMR) cryptocurrency.

The experts discovered that the new malware leverages network-attached storage (NAS) devices as attack vector.

The authors of Mal/Miner-C sued the NSIS (Nullsoft Scriptable Install System) scripting language to develop it.

One of the most interesting features of the Mal/Miner-C malware is its ability to abuse FTP servers in an effort to spread itself.

Some samples analyzed by the researcher included a module, called tftp.exe, which randomly generates IP addresses and attempts to connect to them using a predefined list of login credentials.

If the threat is able to successfully connect to an FTP service, then it copies itself to that server and modifies the .html and .php files stored on it by injecting the code that generates an iframe referencing the malicious code uploaded to the server.

“If the embedded credentials are able to successfully connect to an FTP service, it tries to copy itself to the server and modify an existing web-related file with the extension .htm or .php in an attempt to further infect visitors to the host system.” reads the analysis from Sophos

“If a file with this extension is found, the threat injects source code that creates an iFrame referencing the files or Photo.scr. “

When an unaware user visits a website compromised by the malware, he is presented with a “save file” dialog that serves the malicious files, then is the victim downloads and open them will infect its PC with Mal/Miner-C.

According to Sophos, more than 1.7 million infections were observed in the first half of 2016, but they were associated to only 3,150 unique IP addresses because the malware copies itself to every folder on a compromised FTP server.

The experts focused their investigation on the search for vulnerable devices on the internet. A first scan with the Censys search engine identified just under 3 million FTP servers worldwide.

Then the researchers tried to connect anonymously to the FTP services with a scanning script in order to find “Anonymous FTPs with write access”

The results were as follows:

  • IP numbers of FTP servers on original list: 2,932,833.
  • FTP servers active during the test: 2,137,571 Active servers allowing anonymous remote access: 207,110.
  • Active servers where write access was enabled: 7,263.
  • Servers contaminated with Mal/Miner-C: 5,137.

Mal/Miner-C -infections

The malware targeted various types of FTP servers, but Sophos experts noticed it mostly targeted Seagate’s Central NAS product. This specific NAS provides a public folder that cannot be deleted or deactivated, the attackers use to upload the malware in the folder in hopes that they will be executed by users once they are discovered.

Be careful, the malware is not able to infect the device but exploits to infect other to spread in the wild.

The experts also analyzed the wallets used by the cybercriminals behind the campaign and determined that infected machines mined roughly $86,000 in Monero.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Mal/Miner-C,  malware)

you might also like

leave a comment