Hackers serve up double cryptocurrency miners by exploiting an Oracle server vulnerability
The cybercriminals used the flaw to deliver two Monero miner payloads, both of which can start up daily and automatically.
Cybercriminals are increasingly launching attacks focussed on obtaining cryptocurrencies. The recent rapid rise in value of cryptocurrencies such as Bitcoin and Ethereum has not only led scores of people to invest in digital currencies but also altered the threat landscape in cybercrime. Security researchers have uncovered a new campaign, which involves hackers exploiting an Oracle server vulnerability to spread two cryptocurrency miners simultaneously.
The Oracle WebLogic WLS-WSAT flaw (CVE-2017-10271), which has already been patched, allows hackers to deliver two cryptominers – a 64-bit variant and a 32-bit variant of the XMRig Monero miner. According to security researchers at Trend Micro, who discovered the new campaign, which cryptominer is deployed depends on whether the targeted Windows operating system (OS) is compatible with the malware variant.
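The exploitation described above leaves a trace on the server side, and for a defender the first question is whether anyone has been hitting the vulnerable web service. The following is an added example, not code from the article or from Trend Micro, that scans access-log lines for requests to the WLS-WSAT component. It assumes NCSA/Apache-style log lines (the sample below is constructed) and that the component is served under the `/wls-wsat/` path, as named in Oracle's advisory for CVE-2017-10271.

```python
"""Flag requests against the WebLogic WLS-WSAT web service in access logs.

Added example, not from the article or Trend Micro. Assumptions: log lines
are in NCSA/Apache combined format (constructed sample below) and the
vulnerable component lives under the /wls-wsat/ path (per Oracle's advisory).
"""
import re
from collections import Counter

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2018:09:12:01 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1240 "-" "python-requests/2.18.4"
198.51.100.23 - - [10/Jan/2018:09:12:05 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:09:12:09 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1240 "-" "python-requests/2.18.4"
192.0.2.44 - - [10/Jan/2018:09:13:40 +0000] "GET /wls-wsat/CoordinatorPortType?WSDL HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_wls_wsat_request(entry):
    """True if the request path (query string stripped) is under /wls-wsat/."""
    path = entry["path"].split("?", 1)[0].lower()
    return path.startswith("/wls-wsat/")


def find_wls_wsat_requests(log_text):
    """Return every parsed entry that touches the WLS-WSAT component."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_wls_wsat_request(entry):
            hits.append(entry)
    return hits


def posts_per_source(hits):
    """Count POST requests per client IP; the flaw is triggered via POSTed
    SOAP content, so POST volume per source is the signal worth escalating."""
    return Counter(h["ip"] for h in hits if h["method"] == "POST")


if __name__ == "__main__":
    hits = find_wls_wsat_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]:15} {h["method"]:5} {h["status"]} {h["path"]}')
    print("POSTs per source:", dict(posts_per_source(hits)))
```

On an unpatched server, any POST to this path from an unexpected source is worth correlating with process creation and outbound connections on the host; on a patched server the same hits still show who is scanning for the flaw. A GET for the WSDL (the last sample line) is not exploitation on its own but is a common reconnaissance step and is reported separately for that reason.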
"Our analysis of the latest payload shows that the architecture of Windows OS plays a part in deciding which coin miner will run," Trend Micro researchers said in a blog. "The first Monero miner is a 64-bit variant which will execute on a corresponding 64-bit Windows device. But, if the device is running a 32-bit Windows version then the second coin miner will run instead."
Coin-mining malware variants generally attempt to infect as many devices as possible, given that it takes immense computing capabilities to mine for cryptocurrencies. In this case, with two malware variants, both of which are capable of starting up daily and automatically, the researchers believe that "the malware developers of this particular exploit have more chances to infect machines and use them for cryptomining".
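The daily, automatic start described above is the persistence a responder should look for on an affected Windows host. The following is an added example, not code from the article or Trend Micro's report; it assumes the daily auto-start is implemented as a Windows scheduled task and that the input is the CSV produced by `schtasks /query /fo CSV /v`. The column names follow that tool's verbose output, and the rows below are constructed, not taken from a real host.

```python
"""Triage Windows scheduled tasks for automatic persistence.

Added example, not from the article or Trend Micro. Assumes the input is the
CSV from `schtasks /query /fo CSV /v` (column names as in that tool's verbose
output; sample rows are constructed and use only a subset of the columns).
"""
import csv
import io
import re

# Constructed sample of schtasks output (subset of columns), not a real host.
SAMPLE_CSV = r'''"TaskName","Author","Task To Run","Run As User","Schedule Type"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -k -g -$","SYSTEM","Weekly"
"\Update","DESKTOP-01\alice","C:\Users\Public\Libraries\svchost.exe -c config.json","alice","Daily"
"\Sys","DESKTOP-01\alice","cmd.exe /c C:\ProgramData\xmr\run.bat","SYSTEM","At system start up"
"\GoogleUpdateTaskMachineUA","","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","SYSTEM","Daily"
'''

# Schedule types that fire without user action (values as printed by schtasks).
AUTOSTART_TYPES = {"daily", "at logon time", "at system start up"}

# Directories an unprivileged process can write to; a launch path under one of
# these is the usual sign that the task was planted rather than installed.
USER_WRITABLE = re.compile(
    r"(\\users\\|\\appdata\\|\\programdata\\|\\temp\\|\\public\\)", re.IGNORECASE
)


def parse_schtasks_csv(text):
    """Parse the CSV into one dict per task."""
    return list(csv.DictReader(io.StringIO(text)))


def runs_automatically(task):
    return task["Schedule Type"].strip().lower() in AUTOSTART_TYPES


def launches_from_user_writable_path(task):
    return bool(USER_WRITABLE.search(task["Task To Run"]))


def triage(text):
    """Return tasks that both auto-start and launch from a user-writable path.

    Each hit carries its reasons so an analyst can see why it was flagged;
    this is a candidate list for review, not a verdict.
    """
    flagged = []
    for task in parse_schtasks_csv(text):
        reasons = []
        if runs_automatically(task):
            reasons.append("auto-start: " + task["Schedule Type"])
        if launches_from_user_writable_path(task):
            reasons.append("launch path is user-writable")
        if len(reasons) == 2:
            flagged.append(
                {"task": task["TaskName"], "command": task["Task To Run"],
                 "user": task["Run As User"], "reasons": reasons}
            )
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_CSV):
        print(hit["task"], "->", hit["command"], "|", "; ".join(hit["reasons"]))
```

Scheduled tasks are one persistence surface among several (Run keys and services are the other common ones), so this is a starting point for host triage rather than a complete check. Legitimate updaters that live under a user profile will also match the path heuristic, so in practice the output is compared against a baseline of known tasks before anything is removed.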
One of the miners spread by the new campaign also maximises the computing power it can harvest by shutting down any other malware already present on the system. The malware can also make the infected system run very slowly.
"The user may not attribute the issue to a compromise at first since the effects can be caused by other factors. But, as we mentioned, cryptocurrency miners have been on the rise since mid-2017, and users should expect more malware variants that aim to hijack their system resources. Cybercriminals are taking every opportunity and experimenting with new ways to deliver mining malware to users," Trend Micro researchers said.
Security experts recommend that users regularly patch and update their software to avoid falling victim to cryptocurrency malware.