MassMiner cryptocurrency worm targets unpatched enterprise servers

MassMiner CPU miner exploits multiple vulnerabilities to hijack web servers

MassMiner worm exploits vulnerabilities

MassMiner – a cryptocurrency mining malware which is exploiting EternalBlue (CVE-2017-0143),[1] Apache Struts (CVE-2017-5638),[2] and Oracle WebServer (CVE-2017-10271)[3] vulnerabilities to hijack local and enterprise web servers. Initiating brute force attacks, the miner takes control over Microsoft SQL Servers and starts mining Monero cryptocurrency by consuming an excessive amount of system's CPU and GPU resources.

AlienVault,[4] the developer of commercial and open source solutions to manage cyber attacks, and the largest crowd-sourced computer-security platform, was first to detect and describe the MassMiner malware in details. According to the company, MassMiner is not a single piece of malware. It's the whole family of cyber threats connected to one unit, which can get into the tops of the most successful cyber threats of 2018.

Cryptocurrency miner malware on the rise

The unfading popularity of cryptocurrencies induces criminals to take advantage of less experienced PC users to connect their PCs to mining bots without their knowledge. According to experts, cryptocurrency miners are not going to retreat, at least not in 2018. Currently, one Bitcoin is equal to 9216 USD, while one coin of Monero is equal to 246 USD. The peak of Bitcoin was registered in 2017 reaching 20,000 USD for one coin.

There are many speculations on how the value of Bitcoin and other cryptocurrencies may change, but the prognosis is one-sided. Cryptocurrency experts expect steady growth. According to Kay Van-Petersen, an analyst at Saxo Bank, Bitcoin could hit $100,000 in 2018,[5] as well as rival digital coins could also outperform. The value of Monero, for instance, is expected to double and exceed 600 USD at the end of 2018.

Thus, as long as crypto bubble won't blow, malware developers will keep inventing ways to attack ransom PC's and steal their CPU to earn at least the smallest amount of Bitcoin fraction.

MassMiner – not a typical cryptocurrency miner

The reference to MassMiner as being atypical cryptocurrency miner is, first of all, predetermined by exclusive distribution strategy. Yes, the exploitation of system's vulnerabilities is not as a novelty. However, we don't know much malware that would be capable of exploiting the whole list of vulnerabilities. AlienVault researchers indicated the following weaknesses that the MassMiner miner is capable of utilizing:

  • CVE-2017-0143, an EternalBlue vulnerability in Windows SMB service. It has been used by the infamous WannaCry[6] and NotPetya[7] ;
  • CVE-2017-5638, Apache Struts web framework vulnerability that previously allowed Equifax breach;
  • CVE-2017-10271, Oracle’s WebLogic Java application server vulnerability.

Apart from being filled with the above-listed exploits, MassMiner contains an inbuilt MassScan TPC port scanner.[8] It allows the malware to scan, detect, and analyze all IPv4 addresses available on the Internet in less than file minutes.

The technical features of the MassMiner malware are alerting. It can be misused by crooks not only for Monero mining but widespread attacks, such as WannaCry. Therefore, it's essential to patch security vulnerabilities and keep the system up-to-date.

Once installed, this particular worm sets multiple processes and enables a mechanism to evade detection. If it managed to get inside a local server, it starts looking for related servers and their vulnerabilities. In case of exposure, it can try to affect them using software stacks, Gh0st backdoor or a .exe file downloaded from the command-and-control server.

Criminals target enterprise servers

The AlienVault research team claims that the MassMiner crypto mining worm is oriented to enterprise servers. The reason is simple – internal networks in corporate networks are unpatched up until now.

Despite the fact that patch updates for CVE-2017-0143, CVE-2017-5638, and CVE-2017-10271 vulnerabilities have been released more than a half of the year ago, many managers of corporate networks fail to apply them. There are two possible explanations for that – companies are either not afraid of cyber threats or have limited IT resources.

About the author
Lucia Danes
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.

Contact Lucia Danes
About the company Esolutions