Security researchers have discovered a new malware that installs a legitimate cryptocurrency mining program on poorly secured Windows and Linux servers.
Intezer’s Avigayil Mechtinger, who specializes in malware analysis, has been tracking the multi-platform worm that installs XMRig Miner to mine the Monero cryptocurrency since early December.
According to Mechtinger, the worm targets public-facing MySQL, Tomcat, and Jenkins installations that have weak passwords.
Active and mutating
Explaining the worm's workflow, Mechtinger writes that it scans for Tomcat, Jenkins, and MySQL services with open ports and then brute-forces its way inside. It then delivers a loader script to the compromised server, which drops and runs the XMRig Miner.
An earlier version of the worm also attempted to exploit the latest vulnerability in WebLogic (CVE-2020-14882). During Mechtinger’s analysis, the attacker kept updating the worm on the Command and Control (C&C) server. This indicates “that it’s active and might be targeting additional weak configured services in future updates,” she writes.
In her report, Mechtinger notes that the worm’s code is “nearly identical” for both Windows and Linux targets, which to her “demonstrates that Linux threats are still flying under the radar for most security and detection platforms.”
Note that this latest worm follows the discovery of the PgMiner worm, which exploited a disputed vulnerability in PostgreSQL servers running on Linux to install a cryptocurrency miner.
Mechtinger also makes note of another trend: “In 2020, we saw a noticeable trend of Golang malware targeting different platforms, including Windows, Linux, Mac and Android. We assess with high confidence that this will continue in 2021.”