MassMiner and Kitty Malware Targeted Unpatched Web Servers

Delaware, USA – May 4, 2018 – Early May was marked by two campaigns that infected web servers with cryptocurrency-mining malware. Researchers from AlienVault discovered a new malware family they dubbed MassMiner, which exploits several known vulnerabilities for distribution and propagation and can also conduct brute-force attacks against Microsoft SQL Servers. An infected system scans the Internet with the MassScan tool and then exploits the CVE-2017-10271, CVE-2017-0143 and CVE-2017-5638 vulnerabilities, or conducts a brute-force attack with SQLck. After the compromise, MassMiner gains persistence, disables Windows Firewall, installs the Gh0st backdoor and runs XMRig to mine Monero. This campaign may be connected with the Smominru botnet, which has brought its creators more than $2 million.

Another noteworthy coinminer is the Kitty malware, discovered by Incapsula researchers in early April, which attacked web servers running the vBulletin 4.2.X CMS. At the moment, Kitty has switched to exploiting the Drupalgeddon 2 vulnerability. After getting into the system, the malware installs a backdoor and creates a cronjob that downloads and runs a script from a remote server every minute. Kitty also uses XMRig to mine cryptocurrency, and it additionally looks for JavaScript files on the server and injects malicious code into them to mine Monero in the browsers of web application visitors.

Cryptocurrency miners continue to be one of the biggest threats in 2018. Malware and attacker techniques are evolving rapidly, so you need to watch for new updates and install them as quickly as possible. You can monitor the security of your servers with ArcSight and the Web Application Security Framework. You can also leverage the Brute Force Detection SIEM use case to detect password-guessing attempts against your resources.
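The brute-force detection use case mentioned above comes down to counting failed logins per source within a sliding time window. The following added example (not code from the original post, SOC Prime, or ArcSight) shows that logic in plain Python over constructed sample lines modelled on the "Login failed for user" entries SQL Server writes to its ERRORLOG; the threshold, window length and client addresses are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not real captured data). One client hammers
# the 'sa' and 'admin' logins within a few seconds; another client has a single
# failure that looks like an operator typo; the last line is unrelated noise.
SAMPLE_LOG = """\
2018-05-03 14:02:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-03 14:02:03.22 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-03 14:02:05.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-03 14:02:07.09 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2018-05-03 14:02:09.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-03 14:02:11.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-03 14:15:44.02 Logon       Login failed for user 'report_svc'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2018-05-03 14:16:00.00 spid52      Starting up database 'tempdb'.
"""

# Timestamp, the failing login name and the client address are the three fields
# the detection needs; everything else in the message is ignored.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_events(text):
    """Return a list of (timestamp, client, user) tuples for failed-login lines."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["client"], m["user"]))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with at least `threshold` failures inside any `window`.

    A per-client deque holds only the failures still inside the window, so
    memory stays bounded even on busy servers. The returned dict maps client ->
    details of the largest burst seen for that client.
    """
    per_client = defaultdict(deque)
    alerts = {}
    for ts, client, user in sorted(events):
        q = per_client[client]
        q.append((ts, user))
        # Drop failures that fell out of the window relative to this event.
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[client] = {
                "failures": len(q),
                "first": q[0][0],
                "last": ts,
                "users": sorted({u for _, u in q}),
            }
    return alerts


if __name__ == "__main__":
    for client, info in detect_brute_force(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {client}: {info['failures']} failed logins "
              f"between {info['first']} and {info['last']} "
              f"targeting {', '.join(info['users'])}")
```

Running the script flags only 203.0.113.5 (six failures in ten seconds against two logins), while the single failure from 198.51.100.7 stays below the threshold. In a SIEM the same rule would normally be enriched with the successful login that follows a burst, which is the event that turns "password guessing" into "compromise".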