Modular Cryptojacking malware uses worm abilities to spread

March 13, 2019  By Pierluigi Paganini


Security experts at 360 Total Security have discovered a new modular cryptocurrency malware that implements worm capabilities to spread.

Security experts at 360 Total Security have discovered a new modular cryptocurrency malware that implements worm capabilities by leveraging known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer.

The Monero cryptocurrency miner uses a worm module (Systemctl.exe) dubbed PsMiner written in the Go language which includes exploit modules used to hack into vulnerable servers.

“Recently, 360 Total Security team intercepted a new worm PsMiner written in Go, which uses CVE-2018-1273, CVE-2017-10271, CVE-2015-1427, CVE-2014-3120 and other high-risk vulnerabilitiesand also the system weak password to spread, using the vulnerability intrusion set with ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP and SqlServer server machines, after the invasion using the victim machine to dig the Monroe currency.” reads the analysis published by the experts.

The PsMiner module also implements brute force capabilites, it can also use an additional brute force password cracking component.

Once the malware has successfully exploited a vulnerability to infect the server, it will execute a powershell command that downloads the WindowsUpdate.ps1 payload. The WindowsUpdate.ps1 payload is the master module that drops the Monero miner as part of the final infection stage.

PsMiner

The malware gain persistence by copying the malicious WindowsUpdate.ps1 script to the Windows Temp folder and creating an “Update service for Windows Service” scheduled task that execute the main malware module every 10 minutes.

The final stage payload is the open source Xmrig CPU miner that allows PSMiner to mine for Monero cryptocurrency.

“Inquiring about the relevant transaction records, we found that in just two weeks, the miner accumulated a total of about 0.88 Monroe coins” concludes the report.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – PSMiner, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Russia attempts to prevent Russian citizens from using ProtonMail

 ProtonMail back after the Russian government has been attempting to prevent Russian citizens from sending messages to ProtonMail....