MassMiner is cryptocurrency-mining malware that has been observed using worm-like capabilities to spread through multiple exploits. First, to find a vulnerable system, MassMiner uses a reconnaissance tool called MassScan, which can scan the internet in under six minutes. The malware looks for systems that still contain these three vulnerabilities: WebServer Exploit (CVE-2017-10271), EternalBlue (CVE-2017-0143), and Apache Struts Exploit (CVE-2017-5638). Once the malware infects a system, it begins the process of maintaining persistence: MassMiner makes copies of itself in the startup folder and schedules tasks to execute its components. To avoid detection, the malware runs a command to kill the Windows Firewall, which allows it to talk to the C&C server. After the firewall is turned off, a configuration file is downloaded from the C&C server that specifies which server to get updates from, the executable to infect other machines with, and the wallet address to which the mined Monero cryptocurrency is sent. The mining itself is carried out with the popular XMRig Monero miner. Additionally, the malware installs the Gh0st RAT, which communicates with the domain rat.kingminer[.]club.
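An added detection example (not from the original reporting) that correlates the post-infection behaviours described above on a per-host basis: firewall shutdown, a startup-folder copy, scheduled-task creation, and lookups of the Gh0st RAT domain. Only the domain comes from this page; the command-line and path patterns, the event format, and the host names are constructed assumptions.

```python
import re
from collections import defaultdict

C2_DOMAIN = "rat.kingminer.club"  # from the profile above, refanged for matching
# The profile does not give MassMiner's exact commands or file names; these
# patterns are assumptions covering common Windows ways to do each step.
PROCESS_RULES = {
    "firewall_disabled": re.compile(
        r"netsh(\.exe)?\s+(adv)?firewall\b.*\b(state\s+off|opmode\s+(mode=)?disable)"
        r"|Set-NetFirewallProfile\b.*-Enabled\s+(\$?false|0)\b", re.I),
    "scheduled_task_created": re.compile(r"schtasks(\.exe)?\s.*/create\b", re.I),
}
STARTUP_WRITE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|bat|cmd|vbs|js|lnk)$", re.I)

def classify(kind, detail):
    """Return the behaviour labels that one event matches."""
    if kind == "process":
        return {name for name, rx in PROCESS_RULES.items() if rx.search(detail)}
    if kind == "file_create" and STARTUP_WRITE.search(detail):
        return {"startup_folder_write"}
    if kind == "dns":
        name = detail.strip().rstrip(".").lower()
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            return {"gh0st_c2_lookup"}
    return set()

def triage(events, min_behaviours=2):
    """Group hits per host; flag on a C2 lookup or on several behaviours together."""
    hits = defaultdict(set)
    for host, kind, detail in events:
        hits[host] |= classify(kind, detail)
    return {host: sorted(found) for host, found in hits.items()
            if "gh0st_c2_lookup" in found or len(found) >= min_behaviours}

# Constructed sample telemetry: (host, event kind, detail)
SAMPLE_EVENTS = [
    ("WEB01", "process", "netsh advfirewall set allprofiles state off"),
    ("WEB01", "file_create", r"C:\Users\svc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"),
    ("WEB01", "process", r'schtasks /create /tn "upd" /tr C:\Windows\Temp\upd.exe /sc minute'),
    ("WEB01", "dns", "rat.kingminer.club."),
    ("HR-PC7", "process", r'schtasks /create /tn "Backup" /tr C:\Tools\backup.cmd /sc daily'),
    ("DEV02", "dns", "notrat.kingminer.club.example.com"),
    ("APP03", "dns", "RAT.KINGMINER.CLUB"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A single scheduled-task creation (HR-PC7) is not flagged on its own, since administrators do this routinely; a lookup of the C&C domain is flagged by itself.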

Reporting and Technical Details:

  • May 2018: MassMiner Malware Targeting Web Servers. (AlienVault)

Image Source: BleepingComputer