A malware author (or authors) has made around $63,000 during the past five months by hacking unpatched IIS 6.0 servers and mining Monero.
ESET researchers just recently uncovered the attacker’s operation. Experts say the malware author used CVE-2017-7269, a vulnerability in IIS 6.0 servers to take over vulnerable machines and install a Monero miner.
CVE-2017-7269 is a vulnerability in IIS 6.0’s WebDAV service and was discovered in late March by two Chinese researchers. At the time of its discovery, the vulnerability was a zero-day, as it was used in live attacks.
The two researchers also published proof-of-concept exploit code on GitHub to help sysadmins determine if they ran vulnerable IIS 6.0 installations.
Malware dev put minimal effort into his operation
ESET says that the malware dev used this public PoC exploit code, along with a scanner, and started searching the Internet for exposed IIS 6.0 servers. On vulnerable servers, the crook would deploy the exploit code that would then download a custom Monero miner.
While this sounds impressive, ESET says the malware author did very little “authoring.” Investigators said that the modifications to the public exploit code are superficial, while the Monero miner is actually a version of an open-source project.
“Both the exploit and the crypto miner payload were slightly modified versions of publicly available source code, and all it took was minimal knowledge and a few internet searches,” Michal Poslusny, ESET malware researcher, told Bleeping Computer via email. From the ESET report:
The malicious mining software is a fork of a legitimate open source Monero CPU miner called xmrig, version 0.8.2 (also released on 26th May 2017). When creating the malicious mining software, the crooks did not apply any changes to the original open source codebase apart from adding hardcoded command line arguments of the attacker’s wallet address and the mining pool URL, plus a few arguments to kill all previously running instances of itself not to compete with its new. This couldn’t have taken the cybercrooks more than just a couple of minutes.
The [public exploit code] payload comes necessarily in the form of an alphanumeric string. The attackers replaced the string leading to the execution of the Windows calculator from the proof-of-concept with one leading to the download and execution of their malicious payload. However, this didn’t require much sophistication either, as there are online tools like alpha3 that help to convert any shellcode into the desired string.
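Since the report says the only change to xmrig was hardcoding the attacker's wallet address and pool URL, those two strings are what a responder would look for when triaging a suspicious executable pulled from a patched-late IIS 6.0 host. The script below is an added example, not ESET's tooling or code from the report; the xmrig marker strings, the sample blob, and the wallet and pool values in it are constructed assumptions, not real indicators.

```python
import re
import sys

# Monero standard addresses are 95 base58 characters beginning with '4'
# (subaddresses begin with '8'); base58 has no 0, O, I or l.
B58 = rb"[1-9A-HJ-NP-Za-km-z]"
WALLET_RE = re.compile(rb"(?<!" + B58 + rb")[48]" + B58 + rb"{94}(?!" + B58 + rb")")
# Pool endpoints as xmrig accepts them: optional stratum+tcp:// scheme, host, port.
POOL_RE = re.compile(rb"(?:stratum\+tcp://)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+:\d{2,5}")
# Strings a barely-modified xmrig build is assumed to carry (assumption).
MARKERS = (b"xmrig", b"stratum", b"donate-level")


def find_miner_indicators(data: bytes) -> dict:
    """Return wallet addresses, pool endpoints and xmrig markers embedded in data."""
    wallets = sorted({m.group(0).decode() for m in WALLET_RE.finditer(data)})
    pools = sorted({m.group(0).decode() for m in POOL_RE.finditer(data)})
    low = data.lower()
    markers = [m.decode() for m in MARKERS if m in low]
    return {"wallets": wallets, "pools": pools, "markers": markers}


def scan_file(path: str) -> dict:
    """Run the indicator search over a file on disk (e.g. the dropped miner)."""
    with open(path, "rb") as fh:
        return find_miner_indicators(fh.read())


# Constructed stand-in for a trojanized miner binary: not a real wallet or pool.
FAKE_WALLET = "4" + ("AbCdEfGh" * 12)[:94]
FAKE_POOL = "stratum+tcp://pool.example.invalid:3333"
SAMPLE_BLOB = (b"\x00MZ\x90\x00xmrig 0.8.2\x00 -o " + FAKE_POOL.encode()
               + b" -u " + FAKE_WALLET.encode() + b" -p x --donate-level=0\x00")

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = scan_file(target) if target else find_miner_indicators(SAMPLE_BLOB)
    for key, vals in result.items():
        print(f"{key}: {vals}")
```

Run it with a file path to scan a real sample; without arguments it scans the constructed blob. Any wallet it reports is the pivot for tying one dropped binary to others from the same campaign.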
“We don’t know what kind of scanning software the attacker is using for finding vulnerable machines, but again there are plenty of code examples and ready-to-deploy software that does just that, so we think it didn’t take the attacker much effort either,” Poslusny told Bleeping.
In addition, ESET also points out that it detected new versions of the attacker’s modified Monero miner on the same day the original xmrig received updates, meaning the attacker's entire update process was neither sophisticated nor time-consuming.
Nonetheless, the attacker did make a nice profit for “a couple of minutes” of work.
Malware mining cryptocurrency on the rise
ESET says the crook has been scanning for vulnerable IIS 6.0 servers since late May, and apart from a few breaks, he’s still at it.
“Crypto mining malware is nothing new, but there has definitely been a surge recently thanks to multiple factors,” Poslusny told Bleeping.
This surge was also seen by two of ESET’s rivals. In the past two weeks, Kaspersky reported seeing over 1.65 million computers infected with cryptocurrency mining malware in the first eight months of the year, and IBM also reported a spike in cryptocurrency malware installed on enterprise networks.
In addition, in-browser cryptocurrency mining operations have become quite widespread.
Patches are available
Windows Server owners still running IIS 6.0 should look into applying a patch Microsoft released in June. Microsoft went out of its way to provide this patch after Windows XP and Server 2003 had reached End-of-Life years ago.
The IIS 6.0 zero-day exploited in these attacks has the same CVE identifier as the EXPLODINGCAN NSA exploit leaked by The Shadow Brokers in April this year. The Microsoft patch KB3197835 fixes both issues.
If server admins can’t update away from IIS 6.0 and they can’t apply the Microsoft patch for various other reasons, cyber-security firm 0patch has also provided its own custom patch.