Modular Cryptojacking malware uses worm abilities to spread

Security experts at 360 Total Security have discovered a new modular cryptocurrency malware that implements worm capabilities to spread.

Security experts at 360 Total Security have discovered a new modular cryptocurrency malware that implements worm capabilities by leveraging known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer.

The Monero cryptocurrency miner uses a worm module (Systemctl.exe) dubbed PsMiner written in the Go language which includes exploit modules used to hack into vulnerable servers.

“Recently, 360 Total Security team intercepted a new worm PsMiner written in Go, which uses CVE-2018-1273, CVE-2017-10271, CVE-2015-1427, CVE-2014-3120 and other high-risk vulnerabilities，and also the system weak password to spread, using the vulnerability intrusion set with ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP and SqlServer server machines, after the invasion using the victim machine to dig the Monroe currency.” reads the analysis published by the experts.

The PsMiner module also implements brute force capabilites, it can also use an additional brute force password cracking component.

Once the malware has successfully exploited a vulnerability to infect the server, it will execute a powershell command that downloads the WindowsUpdate.ps1 payload. The WindowsUpdate.ps1 payload is the master module that drops the Monero miner as part of the final infection stage.

The malware gain persistence by copying the malicious WindowsUpdate.ps1 script to the Windows Temp folder and creating an “Update service for Windows Service” scheduled task that execute the main malware module every 10 minutes.

The final stage payload is the open source Xmrig CPU miner that allows PSMiner to mine for Monero cryptocurrency.

“Inquiring about the relevant transaction records, we found that in just two weeks, the miner accumulated a total of about 0.88 Monroe coins” concludes the report.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – PSMiner, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]