What is RubyMiner? New malware found targeting Windows and Linux servers to mine cryptocurrency
"In 2018, as in 2017, we continue to see blitz campaigns, leveraging unpatched vulnerabilities in many networks," researchers said.
Security researchers have found a new strain of malware targeting Linux and Windows servers running outdated software to secretly mine cryptocurrency. According to Check Point researchers, a hacker has been using RubyMiner to plant the cryptocurrency miner XMrig on vulnerable systems to hijack users' CPU processing power and covertly mine Monero coins.
The attacks began around 9-10 January with attackers attempting to exploit 30% of all networks across the globe within just 24 hours. Security firm Certego also separately logged a huge spike in Ruby HTTP exploit attacks.
The top countries targeted by attackers include the US, UK, Germany, Norway and Sweden. However, researchers say "no country has gone unscathed".
In this attack, the attackers are using a web server fingerprinting tool called pof to identify vulnerable, unpatched Linux and Windows servers running outdated software, Bleeping Computer reports. Once identified, the hackers exploit multiple old vulnerabilities and use a POST method to deploy the open source XMrig miner.
"As monitored by our sensors and honey-pots, the attacker attempts to use multiple web server vulnerabilities to inject the malicious code onto the vulnerable machines," Check Point said. "Among the targeted servers we found attacks on PHP, Microsoft IIS, and Ruby on Rails.
"XMRig usually sends a donation of 5% of the revenue gained from the mining process to the code's author," the researchers said. "However, even this amount was too much for the attacker to part with as that 'donation element' was deleted from the code, giving the enthusiast 100% of the profit."
As of 11 January, an estimated 700 servers were successfully compromised and ensnared to join the hacker's mining pool, garnering about $540 (£392).
"One of the domains used in this attack, lochjol.com, was seen being used in another attack back in 2013," the Check Point researchers noted. "The previous attack also leveraged the vulnerability in Ruby on Rails, and shares some common features with the current attack. Nonetheless, we cannot determine the connection between the two, and, even if they share a common attacker, their purposes seem to be different."
The spike in attacks come as hackers increasingly target cryptocurrency using various nefarious methods amid the growing popularity and value of virtual currency.
Last year saw a rising trend in cryptojacking attacks targeting popular websites, an increased use of cryptomining malware as well as a slew of data breaches involving cryptocurrency exchanges and wallets.
So far in 2018, researchers have found hackers exploiting a critical Oracle WebLogic flaw that was patched last year to mine cryptocurrency worldwide.
"In 2018, as in 2017, we continue to see blitz campaigns, leveraging unpatched vulnerabilities in many networks," researchers said. "This attack, like its predecessors, could have been prevented by simply patching old servers and deploying relevant security measures."