Hackers serve up double cryptocurrency miners by exploiting an Oracle server vulnerability
Cybercriminals are increasingly launching attacks focussed on obtaining cryptocurrencies. The recent rapid rise in value of cryptocurrencies such as Bitcoin and Ethereum has not only led scores of people to invest in digital currencies but also altered the threat landscape in cybercrime. Security researchers have uncovered a new campaign, which involves hackers exploiting an Oracle server vulnerability to spread two cryptocurrency miners simultaneously.
The Oracle WebLogic WLS-WSAT flaw (CVE-2017-10271), which has already been patched, allows hackers to deliver two cryptominers – a 64-bit variant and a 32-bit variant of the XMRig Monero miner. According to security researchers at Trend Micro, who discovered the new campaign, the cryptominers are deployed depending on the targeted Windows operating systems (OS) compatibility with the malware variants.
“Our analysis of the latest payload shows that the architecture of Windows OS plays a part in deciding which coin miner will run,” Trend Micro researchers said in a blog. “The first Monero miner is a 64-bit variant which will execute on a corresponding 64-bit Windows device. But, if the device is running a 32-bit Windows version then the second coin miner will run instead.”
Coin-mining malware variants generally attempt to infect as many devices as possible, given that it takes immense computing capabilities to mine for cryptocurrencies. In this case, with two malware variants, both of which are capable of starting up daily and automatically, the researchers believe that “the malware developers of this particular exploit have more chances to infect machines and use them for cryptomining”.
Source | ibtimes