Security experts at 360 Total Security have discovered a new modular cryptocurrency malware that implements worm capabilities to spread.
Security experts at 360 Total Security have discovered a new modular cryptocurrency malware that implements worm capabilities by leveraging known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer.
The Monero cryptocurrency miner uses a worm module (Systemctl.exe) dubbed PsMiner written in the Go language which includes exploit modules used to hack into vulnerable servers.
“Recently, 360 Total Security team intercepted a new worm PsMiner written in Go, which uses CVE-2018-1273, CVE-2017-10271, CVE-2015-1427, CVE-2014-3120 and other high-risk vulnerabilities,and also the system weak password to spread, using the vulnerability intrusion set with ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP and SqlServer server machines, after the invasion using the victim machine to dig the Monroe currency.” reads the analysis published by the experts.
The PsMiner module also implements brute force capabilites, it can also use an additional brute force password cracking component.
Once the malware has successfully exploited a vulnerability to infect the server, it will execute a powershell command that downloads the WindowsUpdate.ps1 payload. The WindowsUpdate.ps1 payload is the master module that drops the Monero miner as part of the final infection stage.
The malware gain persistence by copying the malicious WindowsUpdate.ps1 script to the Windows Temp folder and creating an “Update service for Windows Service” scheduled task that execute the main malware module every 10 minutes.
The final stage payload is the open source Xmrig CPU miner that allows PSMiner to mine for Monero cryptocurrency.
“Inquiring about the relevant transaction records, we found that in just two weeks, the miner accumulated a total of about 0.88 Monroe coins” concludes the report.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
Pierluigi Paganini
March 13, 2019
