Monero miners are one of the most popular cryptocurrency-related malware that are being distributed in attack campaigns in the last few months. The hacker strategies seem to include them in a lot of different types of infiltration attempts. However the latest attack campaigns seem to focus on a new type of tactic by using double Monero miners set against computer networks worldwide.
Attack Campaigns with Double Monero Miners Spotted
Computer security researchers and analysts are constantly receiving reports for ongoing attack campaigns that feature cryptocurrency miners as primary or secondary payloads. They have become popular as only a small script needs to be loaded into memory in order to start the complex computations. The miners run special software that utilize the available hardware resources in order to generate cryptocurrency which is forwarded to the criminal operators. The majority of the threats mine for the most popular cryptocurrencies: Bitcoin, Monero and Ethereum.
At the moment a new type of attack campaigns is being set against computer networks worldwide. The criminals are primarily targeting database servers using a discovered vulnerability. The identified issue is CVE-2017-10271 which is described in the advisotry as the following:
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The hackers use exploit code that is often used with automated hacker toolkits and platforms. Using automated commands the criminals can target thousands of networks in a manner of seconds. As a result of the vulnerability exploits the criminals can gain network access to the servers as well as the ability to take over control of the systems. The interesting fact is that while traditional attacks typically focus on overtaking control of the impacted servers this one infects them with double Monero miners.
The Double Monero Miners Payload and Its Significance
The tactic of using double Monero miners is novel as it is used in a non-traditional way. After the machines have been impacted by the exploit code two separate miner software are instituted on the victim devices. The first one is a 64-bit version which is the default option and the backup variant is a 32-bit compiled executable. If the first file fails to start then the attackers instruct the malware to start the backup option. By analyzing the campaigns the security experts uncovered that different versions of the exploit code are being spread — there are separate test and final versions. This means that the individual hacker or criminal collective behind the attacks are actively involved in its ongoing development.
Monero Miners Execution Pattern
The infections begin after the vulnerability check has passed. The malware script downloads three files related to the mining operations to the compromised machines:
- Javaupd.exe — A miner instance that is disguised as an update to the Java runtime environment (JRE) which is often installed by computer users in order to run Java-based applications. By impersonating the popular app the virus makes discovery more difficult as in some cases the service may use more hardware resources during its execution.
- Startup.cmd — This is the auto-start module which is responsible for the persistent state of execution. It is used to automatically start the malware code and prevent other applications from interfering with the miners.
- 3.exe — A secondary malicious instance.
The auto-start component associated with the Monero miners is placed onto the system in the Startup folder. After that it is executed and starts a Powershell command that creates two scheduled tasks:
- The first task downloads the latest versions of the Monero miner instances from a hacker-controlled site. The string showcases that the task is named as “Oracle Java Update” and is set to execute every 80 minutes in order to negate any possible network issues.
- The second task is named “Oracle Java” and is set to execute daily and check whether the first task has successfully completed.
After the tasks have been complete the control script launches the appropriate script by running the secondary payload (3.exe). It checks if the system is capable to run the 64-bit or 32-bit version of the code and then downloads and runs the relevant file. A new file is downloaded which is called LogonUI.exe which is registered as a Windows service and called “Microsoft Telemetry”. The appropriate version (32 or 64-bit) is loaded during this phase of the malware initiation.
Consequences of the Double Monero Miners
The security experts note that the installed Monero miners can have a very powerful impact onto the victim computer’s performance. As two separate instances are installed onto the hosts the victims may not be able to remove all of them in an efficient way. We remind our readers that the persistent state of installation can also be related to changes in the Windows registry and operating system configuration options. Such alterations can make it very difficult or even impossible to remove the infections using manual methods. The security analysts note that the Monero miners features an information gathering module that has the ability to scan the infected hosts for other malware as well.
As the attack campaigns are still ongoing and the criminals identity is still unknown. We suspect that updated versions may bring additional functionality, cause even more dangerous system changes and may also be used as payload delivery mechanisms.
We remind our readers that they can protect themselves from danger by utilizing a quality anti-spyware solution.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: