Employees of the malware analysis company Intezer have, according to a blog post, discovered a new worm that attacks Linux and Windows servers in order to use their computing power to mine the cryptocurrency Monero. Unlike many other cryptocurrencies, Monero is as a rule not mined with specialised ASICs but with conventional GPUs and CPUs, so the hijacked x86 servers yield a comparatively high return.
According to Intezer, the worm is centrally distributed and controlled via a command-and-control server. Regular updates on that server suggest that the mining network is administered by an active hacking group.
MySQL, Tomcat and Jenkins as attack vectors
The worm spreads via publicly reachable interfaces of services such as MySQL, Tomcat and Jenkins (ports such as 8080, 7001 and 3306). It attempts to guess weak passwords for these services by brute force, starting with a dictionary approach in which frequently used passwords are tried first.
Once the malware has found a password, it delivers a dropper script via bash or PowerShell that installs an XMRig miner. The worm then also attempts to spread independently within the infected server's network in order to tap further resources for cryptomining. Currently, the malware is not detected by antivirus software and is therefore very dangerous, according to Intezer.
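Because the worm's entry point is password guessing against exposed services, the most useful thing a defender can do besides hardening is to spot the guessing in service logs. The following added example (not code from Intezer's report or from the worm) parses MySQL-style "Access denied for user" lines and flags any source host that produces a burst of failed logins, across several usernames, inside a sliding time window. The log lines are constructed for the example; the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MySQL error-log lines (not taken from the article).
# 203.0.113.7 hammers several accounts within two seconds; 10.0.0.5 is an
# ordinary user mistyping a password twice, half an hour apart.
SAMPLE_LOG = """\
2021-01-05T10:00:01.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2021-01-05T10:00:01.200000Z 13 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2021-01-05T10:00:01.400000Z 14 [Note] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2021-01-05T10:00:01.600000Z 15 [Note] Access denied for user 'mysql'@'203.0.113.7' (using password: YES)
2021-01-05T10:00:01.800000Z 16 [Note] Access denied for user 'test'@'203.0.113.7' (using password: YES)
2021-01-05T10:00:02.000000Z 17 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2021-01-05T10:30:00.000000Z 40 [Note] Access denied for user 'app'@'10.0.0.5' (using password: YES)
2021-01-05T11:00:00.000000Z 41 [Note] Access denied for user 'app'@'10.0.0.5' (using password: YES)
"""

# Matches the timestamp, the attempted user name and the source host of a
# MySQL authentication failure.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_failures(text):
    """Return a list of (timestamp, host, user) tuples for each failed login."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth failure; ignore
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append((ts, m.group("host"), m.group("user")))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag hosts with at least `threshold` failures inside any `window`.

    Returns {host: {"attempts": peak count in a window,
                    "users": sorted user names tried in that window}}.
    Threshold and window are assumed values; tune them to your baseline.
    """
    by_host = defaultdict(list)
    for ts, host, user in events:
        by_host[host].append((ts, user))

    offenders = {}
    for host, items in by_host.items():
        items.sort()  # chronological order is required for the sliding window
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until all events fit inside it.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in items[start:end + 1]})
                prev = offenders.get(host)
                if prev is None or count > prev["attempts"]:
                    offenders[host] = {"attempts": count, "users": users}
    return offenders


if __name__ == "__main__":
    for host, info in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"{host}: {info['attempts']} failures, users tried: {info['users']}")
```

The same sliding-window logic applies to Tomcat or Jenkins authentication failures; only the regular expression needs to change to match those services' log formats. Many distinct user names from one host in a short window is the signature of the dictionary approach described above, and is a good trigger for blocking the source and checking the host for a dropper or miner process.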
Only strong passwords and, where possible, two-factor authentication therefore provide protection. The security company also recommends switching off services that are not in use and restricting outside access to the services that are required. In addition, according to Intezer, keeping software up to date can often prevent infection with malware.