RubyMiner malware exploits Windows and Linux for cryptocurrency mining

Outdated Windows and Linux servers are targeted by RubyMiner malware


Recently, cybersecurity experts spotted a new malware family, RubyMiner, that mainly targets out-of-date web servers. It exploits Linux and Windows servers to mine Monero, a cryptocurrency whose value has been rising. According to the analysts, the attack started on January 9, 2018[1].

There is still not enough information to confirm how much profit the criminals generated. However, experts analyzed the wallet address found in the XMRig miner installed by RubyMiner and estimate the earnings at approximately $540. Additionally, more than 700 servers were compromised[2].

It is believed that the criminals might have earned more if they had used more recent vulnerabilities in the web servers. Instead, the attackers use the p0f fingerprinting tool to find servers running outdated software, and then exploit the identified vulnerabilities to install RubyMiner.

Experts say they detected the following exploits in the attacks on Windows and Linux servers:

  • CVE-2013-015;
  • CVE-2013-4878;
  • CVE-2012-1823;
  • CVE-2012-2335;
  • CVE-2012-2311;
  • CVE-2012-2336;
  • CVE-2005-267.

Criminals use a modified version of the legitimate XMRig Monero-mining software

It seems that the criminals were focused on generating profit rather than operating secretly. They chose to use an open-source Monero miner[3] called XMRig. Normally, the author of the code receives 5% of the earnings as a donation. However, the attackers altered it for their own benefit:

In fact, XMRig usually sends a donation of 5% of the revenue gained from the mining process to the code’s author. However, even this amount was too much for the attacker to part with as that ‘donation element’ was deleted from the code, giving the enthusiast 100% of the profit.

Additionally, the cybercriminals programmed the malware not simply to run the mining process hourly, but to re-download the whole payload every hour. According to the experts, this gives them a way to protect themselves if they are detected, since the hourly download can serve as a kill switch[4]:

If the attacker would like to end the process on the infected machines, all that needs to be done is modify the robots.txt file on the compromised web server to be inactive. Within a minute, all the machines re-downloading the file will be receiving files without the crypto miners.
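The hourly re-download described above leaves a regular beacon in outbound traffic. The following is an added Python example, not code from the report or from this article, that scans constructed proxy log lines for hosts fetching a robots.txt URL on a roughly hourly cadence; the log format, host names and the 203.0.113.10 address are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed outbound-proxy log lines (not from the original report): each
# line is "<ISO timestamp> <source host> <method> <URL>".
SAMPLE_LOG = """\
2018-01-10T00:00:03 web-01 GET http://203.0.113.10/robots.txt
2018-01-10T00:12:40 web-02 GET http://example.org/index.html
2018-01-10T01:00:05 web-01 GET http://203.0.113.10/robots.txt
2018-01-10T01:30:00 web-02 GET http://203.0.113.10/robots.txt
2018-01-10T02:00:02 web-01 GET http://203.0.113.10/robots.txt
2018-01-10T03:00:09 web-01 GET http://203.0.113.10/robots.txt
2018-01-10T09:15:00 web-02 GET http://203.0.113.10/robots.txt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, host, url) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(4)


def find_periodic_fetches(text, suffix="/robots.txt", period=3600,
                          tolerance=120, min_count=3):
    """Return {(host, url): fetches} for hosts that request a URL ending in
    `suffix` at least `min_count` times with consecutive gaps within
    `tolerance` seconds of `period`. An hourly chain matches the cron-style
    re-download cadence; a crawler reading robots.txt once does not."""
    by_key = defaultdict(list)
    for ts, host, url in parse_log(text):
        if url.endswith(suffix):
            by_key[(host, url)].append(ts)
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = sum(1 for g in gaps if abs(g - period) <= tolerance)
        # regular gaps + 1 = number of fetches forming the periodic chain
        if regular + 1 >= min_count:
            hits[key] = regular + 1
    return hits


if __name__ == "__main__":
    for (host, url), n in find_periodic_fetches(SAMPLE_LOG).items():
        print(f"{host} fetched {url} {n} times at ~hourly intervals")
```

Run against real proxy or firewall logs, the same check flags any host beaconing to a robots.txt on a fixed hourly schedule, which is worth a look regardless of which miner it is carrying.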

Monero miners are on the rise

Unfortunately, this is not the first time criminals have stealthily planted Monero-mining malware on websites or servers. Such malware also hit Transneft, the Russian oil pipeline operator. Even though the malware was removed from the company's servers immediately, similar attacks continued to reappear, causing more damage.

Later, a Monero miner was found on the official BlackBerry site, which had been compromised to stealthily mine cryptocurrency whenever it was opened[5]. The criminals misused the legitimate Coinhive mining software, and their account was permanently suspended. However, it seems that cryptocurrency trends might lead to further cyber attacks in the future.

About the author
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.
