Ronald Hudson - Fotolia
A new type of cryptocurrency mining malware called MassMiner was recently discovered by security researchers to be infecting systems across the web. How does this malware infect systems?
Similar to ransomware attacks, cryptocurrency mining is a way for criminals to monetize their attacks. While cryptocurrency mining usually causes less collateral damage than ransomware, mining malware may be more difficult to detect.
Once attackers have infected a system, they can use the compromised system for a number of different things, such as distributed denial-of-service attacks and sending spam. Attackers sometimes have scripts or patterns they follow where each step is worked out. These scripts may also include exploits that can maximize the return on investment of an attack.
A new type of cryptocurrency mining malware called MassMiner was recently discovered by researchers from AlienVault Inc. MassMiner is used to mine Monero cryptocurrency, and the malware is configured with the Monero wallet and mining pool to which it sends mined coins.
In addition to the cryptocurrency mining function, the MassMiner malware also includes worm functionality and a version of Masscan, a high-speed IP scanner, which scans the local network before scanning the internet to look for vulnerable devices to infect.
MassMiner targets Windows servers for WebLogic, exposed server message block servers, Apache Struts and SQL Server. When one of these systems is found, MassMiner uses well-known -- and patched -- exploits to gain access to the system. The exception is SQL Server, where MassMiner attempts to brute force a password for access.
Once MassMiner gains access to a system, it establishes persistence by disabling security functionality. Then the malware downloads the configuration, including the command-and-control server.
Once the infection is complete, MassMiner starts using the infected system to mine Monero, as well as to scan for other systems to infect. In order to mitigate this attack, AlienVault released indicators of compromise to help determine if your systems have been infected.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Emerging cyberattacks and threats
Related Q&A from Nick Lewis
Cisco Talos' Thanatos ransomware decryptor can recover files affected by new ransomware that won't decrypt ransomed files even when a ransom has been... Continue Reading
A phishing campaign targeting Trezor wallets may have poisoned DNS or hijacked BGP to gain access. Learn how the attack worked and how to mitigate it... Continue Reading
Okta researchers found a bypass that allows macOS malware to pose as signed Apple files. Discover how this is possible and how to mitigate this ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.