Security firm ESET has sounded the alarm about a malware threat that has been very profitable for threat actors since around May 2017: mining cryptocurrency.

Exploiting Vulnerable Servers

According to We Live Security, a legitimate open source Monero central processing unit (CPU) miner called xmrig was released in May. Threat actors then copied the code and made very few changes to develop the malware. They added some hardcoded command-line arguments representing the attacker’s wallet address as well as the mining pool URL. The fraudsters also shut down any other xmrig that may have been running to eliminate competition for CPU resources.

The threat actors then scanned the web for unpatched servers vulnerable to CVE-2017-7269. This vulnerability enables attackers to cause a buffer overflow in the WebDAV service that is part of Microsoft IIS version 6.0, the web server in Windows Server 2003 R2.

Microsoft ceased supporting ISS in 2015, but an update designed to stop WannaCry outbreaks was made available in June 2017 for older systems. However, it is impossible to ensure that all users will patch the vulnerable servers because the automatic update mechanism may not always work smoothly.

The payload in the malware is an alphanumeric string that simply replaces the one that came with xmrig. This string executes the miner rather than the calculator that is launched in the legitimate version.

Attacks Coming in Waves

As noted by SecurityWeek, attacks on these servers seem to come in waves, possibly indicating that the threat actors are regularly scanning for vulnerable servers. These scans have been linked to two IP addresses located in an Amazon cloud.

At the end of August, the attack was still active, but things slowed down greatly in the beginning of September. No new infections have been observed since the beginning of the month. There is no persistence method in the code and the cryptocurrency miner botnet has been gradually losing worker machines.

Patching the vulnerable servers is the obvious mitigation here, but due to the age of the systems, users may not be able to or know how.