MassMiner Malware Targeting Web Servers

MassMiner Malware Targeting Web Servers (May 1, 2018)

A cryptocurrency mining malware, dubbed “MassMiner,” has been observed to contain more features than a typical mining malware family, according to AlienVault researchers. MassMiner is capable of propagating via the following three vulnerabilities: CVE-2017-10271 (WebLogic vulnerability), CVE-2017-0143 (vulnerability used by EnternalBlue SMB exploit to install DoublePulsar), and CVE-2017-5638 (Apache Struts vulnerability). In addition to exploiting said vulnerabilities, MassMiner is also capable of conducting brute-force attacks against Microsoft SQL Servers via a tool called “SQlck.” Once infection has taken place, the malware will begin mining the “Monero” cryptocurrency.

Recommendation: Cryptocurrency malwares are becoming increasingly common amongst threat actors. Therefore, it is crucial to apply security patches when they become available because once proof-of-concept code for exploits are made available in public sources threat actors often increase their targeting of vulnerable targets. Cryptocurrency miners cause a high CPU usage, therefore, if fans seem to be always running on a machine, the activity/task manager should be checked to see if miners are running unknowingly.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.