A brief understanding of the XMRig Monero miner malware

• XMRig miner exploits vulnerable Windows, IIS, and Linux servers to mine Monero.
• Attackers hit over 1,400 Apache Solr servers by exploiting a vulnerability in order to install the XMRig miner malware.

XMRig is an open sourced Monero CPU Miner that was released in May 2017. Later, it was modified by threat actors to mine Monero cryptocurrency. This miner exploits vulnerable Windows, IIS, and Linux servers to mine Monero.

Large scale cryptomining campaign

Researchers observed a large scale crypto mining campaign using XMRig miner that impacted almost 15 million people across the globe. This campaign targeted southeast Asia, northern Africa, and South America. In this campaign, attackers used VBS files and online URL shortening services to install and run the XMRig payload.

XMRig targets Jenkins, Oracle, and Apache servers

The XMRig miner malware has changed its focus from targeting Windows and Linus servers to Jenkins CI servers. Similarly, Oracle WebLogic WLS-WSAT vulnerability was exploited to distribute two versions of XMRig malware (64-bit and 32-bit variants).

Attackers also targeted over 1,400 Apache Solr servers by exploiting a vulnerability in order to install the XMRig miner malware.

In March 2018, XMRig malware targeted Linux servers exploiting the PHP Weathermap vulnerability.

Attackers hide XMRig in Adobe Flash updates

Researchers uncovered a fake Adobe Flash updater that installs XMRig miner malware into victims machines. Researchers observed almost 13 instances of malicious files with the “AdobeFlashPlayer” prefix hosted on non-Adobe spoofed servers.

KingMiner attacks

KingMiner malware targeted IIS/SQL Microsoft Servers using brute-force attacks in order to gain the credentials necessary to compromise a server. Once compromised, it scans and detects the CPU architecture of the machine and downloads the XMRig payload, which is designed to hijack the full power of CPUs.

XMRig miner was actually designed to use 75 percent of CPU capacity, however, due to coding errors, it ended up utilizing 100 percent of the CPU.

Mac malware includes XMrig and EmPyre

In December 2018, a new Mac malware was uncovered that included two open source tools - XMRig and EmPyre. This malware was distributed via an Adobe application, namely Adobe Zii.

Latest version of NRSMiner uses XMRig

In January 2019, an updated version of NRSMiner cryptocurrency mining malware was observed targeting vulnerable systems. This latest version was propagated via the EternalBlue exploit kit. Additionally, it used the XMRig Monero CPU miner to generate units of the Monero cryptocurrency.

Meanwhile, attackers are exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) to distribute XMRig miner malware and GnadCrab ransomware.