The GuardiCore security team discovered a new botnet, dubbed Prowli, which has infected over 40,000 servers, modems, and IoT devices.
MassMiner is a cryptocurrency-mining malware that has been observed using worm-like capabilities to spread through multiple exploits. To find vulnerable systems, MassMiner first runs the reconnaissance tool MassScan, which can scan the internet in under six minutes. The malware looks for systems that are still exposed to three vulnerabilities: WebServer Exploit (CVE-2017-10271), EternalBlue (CVE-2017-0143), and Apache Struts Exploit (CVE-2017-5638). Once it has infected a system, it begins establishing persistence: MassMiner copies itself into the startup folder and schedules tasks to execute its components. To avoid detection, a command is used to kill the Windows Firewall so that the malware can talk to the C&C server. After the firewall is turned off, a configuration file is downloaded from the C&C server that specifies which server to get updates from, the executable used to infect other machines, and the wallet address to which the mined Monero cryptocurrency is sent. Mining itself is carried out with the popular XMRig Monero miner. Additionally, the malware installs the Gh0st RAT, which communicates with the domain rat.kingminer[.]club.
Reporting and Technical Details:
- May 2018: MassMiner Malware Targeting Web Servers. (AlienVault)
Image Source: BleepingComputer
WinstarNssmMiner is a cryptocurrency-mining malware that Qihoo 360 Total Security detected targeting Windows computers over 500 times in a span of 3 days. Once a system is infected, the malware is difficult to remove and will crash the computer if it detects an attempt to remove it. If the malware detects that the infected system is running Avast or Kaspersky antivirus products, it automatically quits to avoid any confrontation. If neither of those antivirus solutions is detected, two svchost.exe system processes are created and injected with malicious code. The first svchost.exe carries out the mining with the XMRig Monero miner, choosing among four different mining pools based on the parameters of the system. The second svchost.exe process watches for other antivirus processes that it can shut down to avoid detection, and also watches for the victim trying to stop the mining process. If the victim does try to stop the XMRig mining process, the malware crashes the system, forcing a restart.
Reporting and Technical Details:
- May 2018: CryptoMiner, WinstarNssmMiner, Has Made a Fortune By Brutally Hijacking Computers. (Qihoo 360)
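The MassMiner and WinstarNssmMiner write-ups above describe a recognisable chain of host behaviours: a copy of the malware in the startup folder, scheduled tasks, the Windows Firewall being switched off, XMRig mining, a Gh0st RAT beacon to rat.kingminer[.]club, and svchost.exe processes that were not started by the service control manager. The Python script below is an added example, not code from either report or from the researchers cited; it runs a handful of weighted behavioural rules over constructed process-creation and DNS events and flags hosts whose combined score crosses a threshold. The sample events are constructed, the command-line patterns for the firewall kill and task creation and the assumption that genuine svchost.exe is always parented by services.exe are the author's assumptions about how those behaviours surface in telemetry rather than details from the reports, and the only page-sourced indicator is the Gh0st RAT domain.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One constructed telemetry record (roughly a Sysmon-style process or DNS event)."""
    host: str
    kind: str            # "process" or "dns"
    image: str = ""      # full path of the started executable (process events)
    cmdline: str = ""    # command line of the started process
    parent: str = ""     # full path of the parent executable
    query: str = ""      # queried domain (dns events)


# Indicator taken from the MassMiner write-up (written defanged there as rat.kingminer[.]club).
GH0ST_C2 = "rat.kingminer.club"

# Assumed patterns for how the reported behaviours would appear on a command line.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
FIREWALL_OFF = re.compile(r"\bnetsh(\.exe)?\b.*firewall.*\b(off|disable)\b", re.I)
MINER = re.compile(r"xmrig|stratum\+tcp://", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_startup_persistence(e: Event) -> bool:
    return e.kind == "process" and STARTUP_DIR.search(e.image) is not None


def is_task_creation(e: Event) -> bool:
    return e.kind == "process" and SCHTASKS_CREATE.search(e.cmdline) is not None


def is_firewall_disable(e: Event) -> bool:
    return e.kind == "process" and FIREWALL_OFF.search(e.cmdline) is not None


def is_miner(e: Event) -> bool:
    return e.kind == "process" and MINER.search(e.cmdline) is not None


def is_c2_lookup(e: Event) -> bool:
    return e.kind == "dns" and e.query.lower().rstrip(".") == GH0ST_C2


def is_rogue_svchost(e: Event) -> bool:
    # Assumption: a genuine svchost.exe is always started by services.exe, so any
    # other parent (as with WinstarNssmMiner's injected copies) is worth a look.
    return (e.kind == "process" and basename(e.image) == "svchost.exe"
            and basename(e.parent) != "services.exe")


# rule name -> (weight, predicate); weights are an illustrative prioritisation.
RULES = {
    "startup_persistence": (1, is_startup_persistence),
    "task_creation": (1, is_task_creation),
    "firewall_disable": (2, is_firewall_disable),
    "miner": (2, is_miner),
    "c2_lookup": (3, is_c2_lookup),
    "rogue_svchost": (3, is_rogue_svchost),
}


def triage(events):
    """Map each host to the distinct rules it triggered and their weights."""
    hits = defaultdict(dict)
    for e in events:
        for name, (weight, check) in RULES.items():
            if check(e):
                hits[e.host][name] = weight
    return dict(hits)


def score(rule_hits) -> int:
    return sum(rule_hits.values())


def flagged_hosts(events, threshold: int = 3):
    """Hosts whose combined rule weight reaches the threshold, sorted by name."""
    return sorted(h for h, r in triage(events).items() if score(r) >= threshold)


# Constructed sample telemetry (not real logs). ws-01 mimics the MassMiner chain,
# ws-02 the WinstarNssmMiner svchost pair, ws-03 an administrator's ordinary activity.
SAMPLE_EVENTS = [
    Event("ws-01", "process", image=r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",
          cmdline=r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",
          parent=r"C:\Windows\explorer.exe"),
    Event("ws-01", "process", image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r'schtasks /create /tn "Updater" /tr C:\ProgramData\svc.exe /sc onlogon', parent=r"C:\ProgramData\svc.exe"),
    Event("ws-01", "process", image=r"C:\Windows\System32\netsh.exe",
          cmdline="netsh advfirewall set allprofiles state off", parent=r"C:\ProgramData\svc.exe"),
    Event("ws-01", "dns", query="rat.kingminer.club"),
    Event("ws-01", "process", image=r"C:\ProgramData\xmrig.exe",
          cmdline="xmrig.exe -o stratum+tcp://pool.invalid:3333 -u WALLET_PLACEHOLDER", parent=r"C:\ProgramData\svc.exe"),
    Event("ws-02", "process", image=r"C:\Windows\System32\svchost.exe",
          cmdline="svchost.exe -k netsvcs", parent=r"C:\Windows\System32\services.exe"),
    Event("ws-02", "process", image=r"C:\Windows\System32\svchost.exe",
          cmdline="svchost.exe", parent=r"C:\Users\Public\winstar.exe"),
    Event("ws-02", "process", image=r"C:\Windows\System32\svchost.exe",
          cmdline="svchost.exe", parent=r"C:\Users\Public\winstar.exe"),
    Event("ws-03", "process", image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r"schtasks /create /tn Backup /tr C:\Tools\backup.exe /sc daily", parent=r"C:\Windows\System32\cmd.exe"),
    Event("ws-03", "dns", query="update.example"),
]


if __name__ == "__main__":
    for host, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: score={score(rules)} rules={sorted(rules)}")
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The point of weighting rather than alerting on any single rule is visible in ws-03: an administrator creating a scheduled task is routine and stays below the threshold, whereas the firewall kill, the C&C lookup and an oddly parented svchost.exe each carry enough weight on their own to merit investigation.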
A cryptocurrency-mining malware campaign that uses the popular XMRig Monero Miner to carry out its mining process.
Malware that infects web servers and their site visitors in order to mine cryptocurrency.
A cryptocurrency-mining malware that spreads to Facebook users via a malicious link in a Facebook Messenger chat.
An Android cryptocurrency-mining malware that poses as a legitimate Google Play update app.
An Android malware variant that has a sophisticated modular structure and components for a variety of functions, including: mining the Monero cryptocurrency, downloading and installing additional apps, launching distributed denial-of-service attacks, and injecting ads in the notification area, among others.
MulDrop (Android.MulDrop.924) is an Android Trojan malware first observed in November 2016 by researchers at Dr.Web. The Trojan is spread within apps that disguise themselves as legitimate games and other applications and is distributed through Google Play and other application stores.