Modular PsMiner worm attacks Windows servers

Researchers have discovered PsMiner, a modular loader that exploits vulnerabilities in Windows-based servers and installs a cryptocurrency miner on the systems it infects.

According to the researchers, in two weeks the attackers mined about 0.88 XMR, roughly $50 at the exchange rate at the time of publication. The funds went to a wallet whose address, together with the other settings for the XMRig miner, is specified in the config.json file.

The malware's main module, the PowerShell script WindowsUpdate.ps1, is what installs the miner on the victim's machine. It is downloaded immediately after the server is compromised: PsMiner launches the script through a PowerShell command line, copies the downloaded file into the Windows Temp folder and registers a task named "Update Windows Service" in the Task Scheduler that runs it every ten minutes. All of this serves to keep PsMiner entrenched in the system.
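The persistence described above leaves a durable artifact: a Task Scheduler definition, stored as XML under C:\Windows\System32\Tasks (and exportable with `schtasks /query /tn <name> /xml`). The following triage script is an added example, not code from the article or from the PsMiner research it reports on. It parses task XML and flags the traits the article attributes to PsMiner: a script host launching a .ps1 from the Windows Temp folder on a short repetition interval, plus the known task name. The two task definitions embedded in it are constructed for the example; the exact PowerShell argument string is an assumption, since the article only names the task, the script and where it is copied.

```python
"""Offline triage of Windows Task Scheduler XML for PsMiner-style persistence (added example)."""
import ntpath
import os
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

KNOWN_TASK_NAMES = {"update windows service"}          # task name reported for PsMiner
SCRIPT_HOSTS = {"powershell", "pwsh", "cmd", "wscript", "cscript", "mshta"}
WRITABLE_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")
SHORT_INTERVAL_SECONDS = 15 * 60                         # PsMiner re-runs its script every 10 minutes

# Task Scheduler durations are ISO 8601: PT10M, PT1H, P1DT2H, ...
_DURATION_RE = re.compile(r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def parse_duration_seconds(value):
    """Convert a Task Scheduler duration such as PT10M to seconds; None if it does not parse."""
    m = _DURATION_RE.match(value.strip())
    if not m:
        return None
    p = {k: int(v) for k, v in m.groupdict().items() if v}
    return p.get("d", 0) * 86400 + p.get("h", 0) * 3600 + p.get("m", 0) * 60 + p.get("s", 0)


def analyze_task(xml_data, task_name):
    """Score one task definition (str or bytes). Two or more findings marks it suspicious."""
    root = ET.fromstring(xml_data)
    findings = []
    if task_name.strip().lower() in KNOWN_TASK_NAMES:
        findings.append("task name matches the PsMiner persistence task")
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        host = os.path.splitext(ntpath.basename(command.strip('"').lower()))[0]
        cmdline = f"{command} {arguments}".lower()
        if host in SCRIPT_HOSTS:
            findings.append(f"action runs a script host: {host}")
        if ".ps1" in cmdline:
            findings.append("action references a PowerShell script")
        if "-encodedcommand" in cmdline:
            findings.append("action uses an encoded PowerShell command")
        for d in WRITABLE_DIRS:
            if d in cmdline:
                findings.append(f"action references a user-writable location: {d}")
                break
    for interval in root.findall(".//t:Repetition/t:Interval", TASK_NS):
        secs = parse_duration_seconds(interval.text or "")
        if secs is not None and secs <= SHORT_INTERVAL_SECONDS:
            findings.append(f"repeats every {secs // 60} min")
            break
    return {"task": task_name, "findings": findings, "suspicious": len(findings) >= 2}


def scan_task_dir(tasks_dir):
    """Walk a Tasks directory (e.g. from a mounted image) and return the suspicious tasks."""
    hits = []
    for dirpath, _, files in os.walk(tasks_dir):
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:   # on-disk files are UTF-16; bytes keep the BOM
                data = fh.read()
            try:
                report = analyze_task(data, name)
            except ET.ParseError:
                continue
            if report["suspicious"]:
                hits.append(report)
    return hits


# Constructed sample resembling the task the article describes (argument string assumed).
MALICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT10M</Interval></Repetition>
    <StartBoundary>2019-03-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Windows\Temp\WindowsUpdate.ps1</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign sample: a system binary run once a day from System32.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2019-03-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>%SystemRoot%\System32\defrag.exe</Command>
    <Arguments>-c -h -o</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("Update Windows Service", MALICIOUS_TASK_XML), ("ScheduledDefrag", BENIGN_TASK_XML)):
        r = analyze_task(xml, name)
        print(f"{r['task']}: suspicious={r['suspicious']}")
        for f in r["findings"]:
            print("  -", f)
```

The scoring deliberately does not rely on the task name alone: a rebuilt PsMiner could rename the task, but a script host pulling a .ps1 out of Temp on a ten-minute timer still trips two or more of the generic checks. Point `scan_task_dir` at the Tasks folder of a mounted disk image, or at a directory of `schtasks /query /xml` exports from a live host, to sweep a fleet.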

Another module, systemctl.exe, handles the loader's spread to new machines. It is written in Go and bundles the intrusion techniques the malware uses. It scans the Internet for servers with unpatched vulnerabilities:

CVE-2018-1273 in Spring Data Commons,

CVE-2017-10271 in Oracle WebLogic,

CVE-2015-1427 and CVE-2014-3120 in Elasticsearch.

The malware also exploits weaknesses in Hadoop, Redis, SQL Server and ThinkPHP deployments.

PsMiner can also gain access by brute force. Its password-guessing routine cracks weakly protected accounts and administrator accounts that still use a default login/password pair. Once a server is compromised, the malware not only deploys the miner but also launches the systemctl.exe module to spread the loader further. To protect against PsMiner, the researchers recommend keeping server software up to date and using strong passwords.

A similar attack was uncovered in December 2017 by researchers at F5 Networks. In the Zealot campaign, cryptojackers exploited vulnerabilities in Linux and Windows servers to install a Monero miner. By the most conservative estimates, the criminals mined about $8.5K worth of coins during that campaign.