Cryptocurrency mining malware has been on the rise in 2018. One especially aggressive variant leverages multiple exploits and hacking tools to spread. The MassMiner worm is a type of mining malware that has been observed propagating from local networks to high-value targets with greater mining potential, such as Microsoft SQL servers.
Infected hosts attempt to spread the worm by first using the Masscan tool to enumerate potential victims and then running a variety of exploits, which include the infamous CVE-2017-0143 EternalBlue exploit, the CVE-2017-5638 Apache Struts exploit and the CVE-2017-10271 WebLogic exploit. MassMiner will also brute force Microsoft SQL servers using SQLck and, once a server is compromised, will run scripts to install MassMiner. PowerShell is used in the same manner to download MassMiner to compromised WebLogic servers, and a Visual Basic script is used to deploy the worm to compromised Apache Struts servers.
MassMiner then disables numerous security features, including anti-virus, to maintain persistence and evade detection.
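The brute-force stage against Microsoft SQL Server leaves a trail that defenders can count. SQL Server writes failed logins to the Windows Application log as event ID 18456 (provider MSSQLSERVER for a default instance), and the message carries the attempted user name and the client address. The script below is an added example, not code from the original advisory or from MassMiner itself; it summarises those failures per client IP over a window. The one-hour window, the 20-failure threshold and the default-instance provider name are assumptions to adjust for your environment.

```powershell
# Added example (not from the original advisory): summarise failed SQL Server logins
# from the Windows Application log per client IP to surface brute-force activity.
# Window, threshold and provider name are assumptions for this example.
$since     = (Get-Date).AddHours(-1)
$threshold = 20

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MSSQLSERVER'   # use 'MSSQL$<instance>' for a named instance
    Id           = 18456           # SQL Server: login failed
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Messages look like: "Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.5]"
$summary = $events | ForEach-Object {
    $user   = if ($_.Message -match "Login failed for user '([^']*)'") { $Matches[1] } else { '?' }
    $client = if ($_.Message -match '\[CLIENT:\s*([^\]]+)\]') { $Matches[1] } else { '?' }
    [pscustomobject]@{ Client = $client; User = $user }
} | Group-Object Client | Where-Object { $_.Count -ge $threshold } | ForEach-Object {
    [pscustomobject]@{
        Client   = $_.Name
        Failures = $_.Count
        # A long list of distinct user names from one client is the brute-force signature
        Users    = ($_.Group.User | Sort-Object -Unique) -join ','
    }
} | Sort-Object Failures -Descending

if ($summary) {
    $summary | Format-Table -AutoSize
} else {
    "No client exceeded $threshold failed SQL logins since $since"
}
```

Run this on the SQL host itself (or point Get-WinEvent at it with -ComputerName). A single client cycling through many user names, or hammering `sa` alone, is the pattern worth alerting on; the same regexes apply if the events are forwarded to a SIEM.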
MassMiner tactics include:
- Copying itself to taskhost.exe and the Startup folder
- Making unauthorized changes to ACLs to grant full access to certain files on the system
- Disabling Windows Firewall
- Downloading a config file that points the compromised host to its C&C server for further instructions
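Each of the host-side tactics above is observable with built-in tooling. The script below is an added example, not code from the original advisory or from the malware, and it is read-only: it hunts for a taskhost.exe outside its legitimate System32 location (including the Startup folders), for Startup-folder files whose ACL grants broad full control, for disabled Windows Firewall profiles, and for established outbound connections owned by a non-System32 taskhost.exe, which is where a downloaded C&C config would show its effect. The legitimate taskhost.exe path, the set of user-writable folders searched and the list of over-broad identities are assumptions for this example.

```powershell
# Added example (not from the original advisory): read-only hunt for the MassMiner
# host tactics listed above. Paths and identity lists are assumptions for this example.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($check, $detail) {
    $findings.Add([pscustomobject]@{ Check = $check; Detail = $detail })
}

# Assumption: the only legitimate taskhost.exe lives in System32
$legit = Join-Path $env:SystemRoot 'System32\taskhost.exe'
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path $_) }

# 1. Copies of taskhost.exe in Startup folders or other user-writable locations
$searchRoots = @($startupDirs + @($env:TEMP, $env:APPDATA, $env:ProgramData)) |
    Where-Object { $_ -and (Test-Path $_) }
Get-ChildItem -Path $searchRoots -Recurse -File -Filter 'taskhost.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ine $legit } |
    ForEach-Object { Add-Finding 'taskhost.exe copy' $_.FullName }

# 2. Startup-folder files whose ACL grants FullControl to broad identities
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $acl   = Get-Acl -Path $_.FullName
        $loose = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match 'FullControl' -and
            $_.IdentityReference.Value -in $broad
        }
        if ($loose) {
            Add-Finding 'Permissive ACL' "$($_.FullName) -> $($loose.IdentityReference.Value -join ',')"
        }
    }
}

# 3. Windows Firewall profiles that have been turned off
Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } |
    ForEach-Object { Add-Finding 'Firewall profile disabled' $_.Name }

# 4. Established outbound connections from a taskhost.exe that is not the System32 copy
Get-Process -Name taskhost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ine $legit) } |
    ForEach-Object {
        $p = $_
        Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
            ForEach-Object {
                Add-Finding 'Suspicious taskhost.exe connection' "$($p.Path) -> $($_.RemoteAddress):$($_.RemotePort)"
            }
    }

if ($findings.Count) {
    $findings | Format-Table -AutoSize
} else {
    'No MassMiner-style indicators found on this host'
}
```

Run it from an elevated prompt so that Get-Acl and process paths resolve for every user. Any hit in checks 1 or 4 is strong evidence and the host should be isolated before the remote address is chased; a hit in check 3 alone is a misconfiguration worth fixing regardless of cause.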
Proficio Threat Intelligence Recommendations:
- Harden high-value assets such as servers by ensuring vulnerabilities are patched through the latest stable updates