Security experts at 360 Total Security have discovered a new modular cryptocurrency malware that implements worm capabilities to spread.
Security experts at 360 Total Security have discovered a new modular cryptocurrency malware that implements worm capabilities by leveraging known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer.
The Monero cryptocurrency miner uses a worm module (Systemctl.exe) dubbed PsMiner written in the Go language which includes exploit modules used to hack into vulnerable servers.
“Recently, 360 Total Security team intercepted a new worm PsMiner written in Go, which uses CVE-2018-1273, CVE-2017-10271, CVE-2015-1427, CVE-2014-3120 and other high-risk vulnerabilities，and also the system weak password to spread, using the vulnerability intrusion set with ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP and SqlServer server machines, after the invasion using the victim machine to dig the Monroe currency.” reads the analysis published by the experts.
The PsMiner module also implements brute force capabilites, it can also use an additional brute force password cracking component.
Once the malware has successfully exploited a vulnerability to infect the server, it will execute a powershell command that downloads the WindowsUpdate.ps1 payload. The WindowsUpdate.ps1 payload is the master module that drops the Monero miner as part of the final infection stage.
The malware gain persistence by copying the malicious WindowsUpdate.ps1 script to the Windows Temp folder and creating an “Update service for Windows Service” scheduled task that execute the main malware module every 10 minutes.
The final stage payload is the open source Xmrig CPU miner that allows PSMiner to mine for Monero cryptocurrency.
“Inquiring about the relevant transaction records, we found that in just two weeks, the miner accumulated a total of about 0.88 Monroe coins” concludes the report.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.