Monero Miner Targets Linux and Windows Servers

Security researchers with Check Point and Certego discovered a new cryptocurrency miner, dubbed RubyMiner, currently targeting vulnerable Linux and Windows servers running unpatched and outdated software. RubyMiner is distributed via XMRig, an open source Monero miner, which employs PHP, Microsoft IIS, and Ruby on Rails attacks. The malicious payload is concealed within the file robots.txt, which is a file designed to provide direction to web robots through a process known as Robots Exclusion Protocol. Approximately 700 servers have been impacted by RubyMiner to date, generating an estimated profit of $540. The NJCCIC recommends users and administrators of Linux and Windows Servers review the reports by Check Point and Certego for additional information and IoCs. We also recommend keeping device hardware and software updated and applying patches as soon as possible after they are released.