Delaware, USA – January 18, 2018 – An unknown hacker group compromises servers with outdated software to infect them with RubyMiner malware. To find such web servers, they use the p0f utility: they are interested in both Linux and Windows servers vulnerable to exploits discovered in 2012 and 2013. Researchers from Checkpoint claim that at the time of revealing the information about this attack, about 700 servers around the world were already infected with this malware. After infection, RubyMiner adds a new cron job to download and run a script once per hour that will download and install “modified” legitimate Monero cryptocurrency miner XMRig. It is worth noting that the modification of XMRig affected only those 5% of the revenue from mining, which usually sent to the account of cryptocurrency miner’s author – the attackers removed this part of code from XMRig. Since a malicious script is downloaded and executed every hour, attackers can modify it at any time to either stop the mining of cryptocurrency or change the final payload.
Despite the fact that the cryptocurrencies are experiencing a recession since the beginning of the year, adversaries continue to attack web servers in order to use their CPU for Monero mining. To monitor the security of your servers, you can use Web Application Security Framework use case, which notifies SIEM administrators about breach attempts and detects malicious activity, allowing them to timely respond to the cyberattacks.