A money-making machine: Monero-mining malware | WeLiveSecurity

In three months, the criminals behind this Monero-mining malware created a botnet and a profit equivalent to more than $ 63,000. Look how.

While people around the world remain vigilant and wonder when notorious cybercriminal groups like Lazarus or Telebots will strike again with some other destructive ransomware in the style of WannaCryptor or Petya, there are a wide variety of active operations that are less aggressive, very much more stealthy and often highly lucrative.

One of these operations has been active since at least May 2017. Attackers infect Windows web servers that do not have the necessary patches and install malicious software to mine virtual currency. Its objective is to use the computing power of the infected servers to do monero mining (XMR), one of the new alternative cryptocurrencies to Bitcoin.

The attackers modified legitimate open source software to mine Monero and exploited a known vulnerability in Microsoft IIS 6.0 to install it stealthily on servers without the corresponding patch. Over the course of three months, the criminals responsible for this campaign created a botnet of at least hundreds of infected machines and a profit in Monero equivalent to more than $ 63,000.

ESET customers are protected against any attempt to exploit this particular vulnerability, even if their machines do not have the patch installed, as is the case with EternalBlue, the exploit used to spread WannaCryptor.

Although it lags far behind Bitcoin in market capitalization, Monero has several characteristics that make it a very attractive cryptocurrency to mine with malware: its transactions. cannot be traced and its proof-of-work algorithm called CryptoNight allows to use the CPU or GPU of computers and common servers, as opposed to specialized mining hardware that is needed to mine bitcoins.

We can see that the exchange rate jumps from 40 USD / XMR to 150 USD / XMR in the last month, and then decreases to 100 USD / XMR.

Why did they choose to mine Monero and not Bitcoin?

Although it lags far behind Bitcoin in market capitalization, Monero has several characteristics that make it a very attractive cryptocurrency to mine with malware: its transactions. cannot be traced and its proof-of-work algorithm called CryptoNight allows to use the CPU or GPU of computers and common servers, as opposed to specialized mining hardware that is needed to mine bitcoins.

We can see that the exchange rate jumps from 40 USD / XMR to 150 USD / XMR in the last month, and then decreases to 100 USD / XMR.


Figure 1: Candlestick chart showing the dollar / Monero exchange rate in August 2017

The miner to extract the virtual currency

First seen in-the-wild on May 26, 2017, this malicious software was mined from a legitimate mining program open source to mine Monero from the CPU, which is called xmrig, version 0.8.2 (released May 2017).

When creating the mining malware, the criminals did not make any changes to the original code; they just added hard-coded command line arguments with the attacker’s wallet address and pool url, plus some commands to kill all previously running instances so they wouldn’t compete with the new instance . Making this modification may have taken cybercriminals a few minutes.

The following pictures show the modified code of the attacker and its correspondence with the source code.



Figure 2: Code comparison between the original version and the adapted version

Search and exploit vulnerabilities

Distributing the mining malware to victims’ computers is the most difficult part of this operation, but even here the attackers chose the easier alternative. There are two IP addresses that we identified as the source of the brute force scans for the vulnerability CVE-2017-7269, and both point to Amazon Web Services.

The indiscriminate nature of the scans was made evident by the number of accesses to IP addresses on the same subnets and because the victims were from different countries (mainly from the Middle East, Southeast Asia and North Africa).

Zhiniang Peng y Chen Wu They discovered the vulnerability exploited by attackers in March 2017. It is a vulnerability in the WebDAV service, which is part of Microsoft IIS version 6.0, the Windows Server 2003 R2 web server. When the vulnerable server processes a malicious HTTP request, a dangerous buffer overflow is triggered in the ScStoragePathFromUrl function.

In particular, a PROPFIND request specifically created for this purpose causes a buffer overflow due to double-size buffer reallocation by erroneously providing the Unicode character count instead of the byte count. Here You can read Javier M. Mellid’s analysis, where he details the mechanism.

This vulnerability is especially susceptible to attacks because it is located in a web server service, which in most cases is intended for be visible from the internet and therefore anyone can easily access and take advantage of it.

The payload is in the form of an alphanumeric string. The attackers replaced the string that runs the Windows calculator with one that downloads and executes their malicious payload. However, this does not require much sophistication, since there are online tools (such as alpha3) that help convert any shellcode to the desired string.

The shellcode is the expected download and run action (download dasHost.exe desde hxxt://postgre[.]tk / to% TEMP% folder):

Figure3 2

Figure 3: Shellcode downloaded by the exploit

According to our data, the first in-the-wild attack occurred just two days after its publication on March 26, 2017, and the vulnerability has continued to be exploited ever since.

This particular mining malware was first seen in-the-wild on May 26, 2017. Thereafter, it continued to appear in batches, weekly or less frequently, implying that the attacker scans the network for vulnerable machines.

Figure4 1

Figure 4. Graph of infection waves over time

The exploration is always carried out from an IP address, apparently it is a machine hosted on an Amazon server in the cloud, which the attacker will have rented to deploy his exploration software.


ESET detects malicious miner binaries as Win32 / CoinMiner.AMW and attempts to exploit vulnerabilities in the network layer such as webDAV/ExploidingCan. This is a real example of a package blocked by ESET:

Figure5 2

Figure 5: HTTP request made specifically with obfuscated shellcode

Microsoft canceled regular updates for Windows Server 2003 in July 2015 and did not release a patch for this vulnerability until June 2017, when several critical vulnerabilities were discovered on their old systems and attracted the attention of malware writers.

The good news is that despite the system being outdated and no longer receiving updates, Microsoft decided to patch these critical vulnerabilities in order to prevent large-scale destructive attacks similar to the WannaCry outbreak. However, keeping Windows Server 2003 up to date can be difficult, since automatic updates do not always work properly (for example, this blog post from Clint Boessen confirms our own doubts about the system upgrade).

Consequently, a large part of these systems they are still vulnerable to this day. We strongly recommend Windows Server 2003 users to install the patch KB3197835 and other critical patches as soon as possible (if automatic updates fail, manually download and install the security update).


Thanks to the publicly available mining pool statistics, we were able to see the combined hash rate of all victims, which represents the total computing power dedicated to the mining account. The value seems to consistently reach around 100 kH / s, with a peak of up to 160 kH / s at the end of August 2017, which we attribute to the campaigns launched on August 23 and August 30.

Overall, the infected machines were reaching approximately 5.5 XMR per day at the end of August and they reached over 420 XMR in total over the course of 3 months. According to the current exchange rate, which is 150 USD / XMR, these values ​​are equivalent to 825 USD daily and more than $ 63,000 in total, respectively.

The attackers were very active in late August, but no new infections were detected in September. Also, as the mining malware has no persistence mechanism, attackers have slowly started to lose already infected machines, and as of this writing, the total hash rate has dropped to 60 kH / s. This is not the first time that the attackers have taken a break, so we can expect them to start a new campaign in the near future.

Although we do not know the total number of victims, we can estimate it by the total hash rate produced by the attacker. According to reference parameters for CPUs, a high-end Intel i7 processor has a hash rate of around 0.3-0.4 kH / s. However, if we take into account that the exploit is limited to systems Windows Server 2003, which probably run on older hardware machines with slower CPUs, the average hash rate per victim will be much lower, and the total number of infected machines, much older.

Figure6 2

Figure 6. Attackers’ wallet statistics obtained by the mining pool


In this article we saw that minimal technical knowledge, very low operating costs, and little risk of being caught (In this case, misusing legitimate open source cryptocurrency mining software and taking advantage of old operating systems that do not have the necessary patches installed) may be enough for the attacker to secure a good result.

Sometimes it takes very little to gain a lot, and this is especially true in today’s world of cybersecurity, where even well-documented, known, and well-known vulnerabilities remain an issue. very effective opportunity for attackers due to the recklessness of many users.


Download site:
IPs the origins:

If you are interested in this topic, keep reading these articles:

Image Credit: © Markéta Fialová

We would like to say thanks to the writer of this short article for this outstanding content

A money-making machine: Monero-mining malware | WeLiveSecurity

Dispensary Business News