New MassMiner malware exploits multiple vulnerabilities in web servers to mine cryptocurrency
A new cryptocurrency-mining malware dubbed "MassMiner" has been found targeting vulnerable and unpatched web servers around the world. The malware uses multiple different vulnerabilities and hacking tools in a single executable.
The Monero-based worm exploits vulnerabilities in Microsoft's SMBv1 server, Oracle's WebLogic Server and Apache Struts, according to Alien Vault researchers. The malware also attempts brute force attacks to infiltrate Microsoft SQL servers. After initially spreading within the targeted local network, MassMiner then attempts to propagate and spread across the wider internet. The exploits targeted by MassMiner include:
- The NSA's EternalBlue SMBv1 Exploit CVE-2017-0143 to install DoublePulsar and the Gh0st RAT backdoor
- Oracle's WebLogic Java application server exploit CVE-2017-10271
- The Apache Struts flaw CVE-2017-5638 targeted in the Equifax breach
- Brute force attacks to break into Microsoft SQL Servers using SQLck
According to researchers, MassMiner comes with a fork of the legitimate MassScan tool that is used to scan the Internet in less than six minutes. After parsing through a list of private and public IP ranges for fresh targets, the malware then runs exploits against vulnerable systems.
Regarding Microsoft SQL servers, MassMiner installs via a primary script followed by another 1000+ line SQL script that proceeds to disable multiple key security features and anti-virus protections. The malware is then downloaded to the compromised Weblogic server via a PowerShell script. Meanwhile, the malware is deployed to compromised Apache Struts servers via a short VisualBasic script before moving laterally across the system.
Once the targeted system is infected, the malware copies itself to Taskhost.exe and the Startup folder to establish persistence, schedules tasks to methodically deploy and execute its components, modifies the Access Control List (ACL) to gain access to certain system files and kills the Windows Firewall process. MassMiner then connects with its C2 server, a Monero wallet and mining pool before configuring itself to infect other machines on the same network.
AlienVault researchers identified two Monero wallets belonging to the attackers behind MassMiner carrying a total of 1200 Monero so far (approximately $295,000 according to current exchange rates). Researchers stated they were unable to identify if all the cryptocurrency collected came solely from this campaign.
MassMiner is not the first cryptomining malware to use multiple exploit methods to improve its chances of infecting a wider pool of victims. The recently discovered PyRoMine and ReddisWannaMine malware also used wide-ranging exploits and capabilities to infect vulnerable instances, highlighting the cryptominers are likely to become one of the 2018's most formidable threats.