To mine cryptocurrency, a PC user first installs mining software and then lets it consume a considerable share of the machine's CPU and GPU time. The coins it produces are worth real money. What happens when someone else does the mining on your hardware and pockets the result?
ESET researchers have recently come across malware that infects unpatched Windows web servers and uses their processing power to mine Monero (XMR), a privacy-focused alternative to Bitcoin. The malware is in fact the legitimate open-source Monero CPU miner, xmrig, with one small modification: the crooks' own wallet address and mining pool are hardcoded into the binary, so every coin an infected server mines is credited to them without the miner needing any command-line arguments. The infections are made possible by a vulnerability in unpatched Windows web servers.
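A modified miner of the kind described above is recognisable precisely by what was compiled into it: an unmodified xmrig takes its wallet and pool from the command line or a config file, so a binary that carries a Monero address and a stratum pool URL as string constants is a strong indicator. The following scanner is an added example for this page, not ESET's tooling or the attackers' code; the sample blob, the wallet string and the pool hostname are constructed for the demonstration.

```python
import re

# Base58 alphabet used by Monero addresses (no 0, O, I or l).
_B58 = rb"[1-9A-HJ-NP-Za-km-z]"

# A standard Monero mainnet address is 95 base58 characters, begins with "4"
# and has a digit or A/B as its second character. The lookarounds make sure
# we do not match a 95-character slice out of a longer base58-looking run.
MONERO_ADDR_RE = re.compile(
    rb"(?<!" + _B58 + rb")"
    + rb"4[0-9AB]" + _B58 + rb"{93}"
    + rb"(?!" + _B58 + rb")"
)

# stratum+tcp:// and stratum+ssl:// are the pool URL schemes xmrig accepts.
STRATUM_RE = re.compile(rb"stratum\+(?:tcp|ssl)://[A-Za-z0-9.\-]+:\d{2,5}")


def find_miner_indicators(blob: bytes) -> dict:
    """Return the embedded Monero wallet addresses and stratum pool URLs found in blob."""
    return {
        "wallets": [m.group(0).decode("ascii") for m in MONERO_ADDR_RE.finditer(blob)],
        "pools": [m.group(0).decode("ascii") for m in STRATUM_RE.finditer(blob)],
    }


def scan_file(path: str) -> dict:
    """Scan a file on disk (e.g. a suspicious executable) for the same indicators."""
    with open(path, "rb") as fh:
        return find_miner_indicators(fh.read())


# Constructed sample: a fake (but syntactically valid) wallet address and a
# hypothetical pool hostname embedded among binary junk, as a hardcoded
# command line inside a patched miner would look.
SAMPLE_WALLET = "4A" + ("Zx9k" * 24)[:93]          # 95 chars total
SAMPLE_POOL = "stratum+tcp://pool.example.net:3333"
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00junk\x00\xff"
    + b"-o " + SAMPLE_POOL.encode() + b" -u " + SAMPLE_WALLET.encode() + b" -p x\x00"
    + b"\x00more junk\xff\xfe"
)

if __name__ == "__main__":
    import sys
    target = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_miner_indicators(SAMPLE_BLOB)
    for kind, hits in target.items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

Run it with a file path to scan a binary, or without arguments to see it pick the wallet and pool out of the constructed sample. Any 95-character base58 run can trigger the wallet pattern, so treat a hit as a lead to confirm (for example by checking whether the address is being paid by a known pool), not as proof on its own.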
The vulnerability, tracked as CVE-2017-7269, is a buffer overflow in the WebDAV component of Microsoft IIS 6.0 on Windows Server 2003 R2 and gives attackers unauthenticated remote code execution. Publicly disclosed in March 2017 together with a proof-of-concept exploit, it is triggered by an overly long `If:` header in a WebDAV PROPFIND request, which overflows a buffer in the ScStoragePathFromUrl function and lets the attacker run shellcode of their choice. The public proof-of-concept carries its shellcode as an alphanumeric string that merely launches the Windows calculator; the attackers replaced that string with shellcode that runs their mining payload instead.
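The attack surface described above exists only where IIS 6.0 has WebDAV enabled, and an OPTIONS request reveals both facts: the Server banner and whether PROPFIND is in the Allow list (or a DAV header is present). The inventory check below is an added example for this page, not ESET's or Microsoft's code; the two sample responses are constructed, and `probe()` assumes the target answers plain HTTP on the given port.

```python
import socket


def parse_http_head(raw: bytes):
    """Split a raw HTTP response into (status line, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers


def assess_webdav_exposure(raw: bytes) -> dict:
    """Classify an OPTIONS response: is this IIS 6.0, and is WebDAV reachable?"""
    status, headers = parse_http_head(raw)
    server = headers.get("server", "")
    allow = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    # WebDAV-enabled servers advertise PROPFIND in Allow and usually send a DAV header.
    webdav_enabled = "PROPFIND" in allow or "dav" in headers
    iis6 = server.lower().startswith("microsoft-iis/6.0")
    return {
        "status": status,
        "server": server,
        "webdav_enabled": webdav_enabled,
        "iis6": iis6,
        # Exposure, not proof of vulnerability: the patch does not change the banner.
        "at_risk": iis6 and webdav_enabled,
    }


def probe(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Send a single OPTIONS request to host:port and classify the reply."""
    request = f"OPTIONS / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        received = b""
        while b"\r\n\r\n" not in received:
            chunk = sock.recv(4096)
            if not chunk:
                break
            received += chunk
    return assess_webdav_exposure(received)


# Constructed sample responses: an IIS 6.0 host with WebDAV on, and a host without it.
IIS6_WEBDAV_SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"DAV: 1, 2\r\n"
    b"MS-Author-Via: DAV\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    b"Content-Length: 0\r\n\r\n"
)
NO_WEBDAV_SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.25\r\n"
    b"Allow: OPTIONS, GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    import sys
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else assess_webdav_exposure(IIS6_WEBDAV_SAMPLE)
    print(result)
```

Because the June 2017 patch leaves the banner and the Allow list unchanged, a hit from this check means "patch or disable WebDAV and verify", not "exploitable". Run it against your own inventory only; the same OPTIONS request is what the attackers' scanner sends first.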
To date, the trojanised Monero miner is believed to have infected hundreds of unpatched Windows Server 2003 R2 machines and to have mined roughly $63,000 worth of the cryptocurrency. The attackers reportedly scan for vulnerable systems at regular intervals from an IP address hosted on Amazon's cloud. Since Microsoft ended regular support for Windows Server 2003 in July 2015, more than two years before these attacks, the operators are clearly hunting for systems that never received the out-of-band update Microsoft published for unsupported platforms in June 2017, after the global WannaCry outbreak, and that still run on hardware too old to carry a more recent Windows Server release. This has two implications.
On the one hand, such systems are easy prey because they no longer receive automatic updates and any patching has to be done by hand. On the other hand, their old and therefore considerably weaker hardware cannot sustain a hash rate, i.e. a mining speed, anywhere near what modern hardware delivers, which limits how much each infected server earns the attackers.
Although no mining activity has been observed since late August, ESET's researchers expect a new mining wave to follow. All administrators still running Windows Server 2003 are therefore strongly advised to manually install all available security patches and critical updates, including the June 2017 fix for CVE-2017-7269, and to disable WebDAV where it is not needed.