Security researchers have spotted a new strain of malware being deployed online. Named RubyMiner, this malware is a cryptocurrency miner spotted going after outdated web servers.

According to research published by Check Point and Certego, and information received by Bleeping Computer from Ixia, attacks started on January 9-10, last week.

Attackers target both Linux and Windows servers

Ixia security researcher Stefan Tanase told Bleeping Computer that the RubyMiner group uses a web server fingerprinting tool named p0f to scan and identify Linux and Windows servers running outdated software.

Once they identify unpatched servers, attackers deploy well-known exploits to gain a foothold on vulnerable servers and infect them with RubyMiner.

Check Point and Ixia say they've seen attackers deploy the following exploits in the recent attack wave:



◍ PHP php-cgi Query String Parameter Code Execution (CVE-2012-1823; CVE-2012-2311; CVE-2012-2335; CVE-2012-2336; CVE-2013-4878) [2, 3, 4]

◍ Microsoft IIS ASP Scripts Source Code Disclosure (CVE-2005-2678) [ ◍ Ruby on Rails XML Processor YAML Deserialization Code Execution (CVE-2013-0156) [ 1 ◍ PHP php-cgi Query String Parameter Code Execution (CVE-2012-1823; CVE-2012-2311; CVE-2012-2335; CVE-2012-2336; CVE-2013-4878) [ 1 ◍ Microsoft IIS ASP Scripts Source Code Disclosure (CVE-2005-2678) [ 1

It immediately stands out that RubyMiner targets both Windows and Linux systems alike.

Attackers hide malicious code in robots.txt files

In a report published last week, Check Point has broken down RubyMiner's infection routine on Linux systems, based on data collected from their honeypot servers. There are some things that stand out right away, at least because of the attackers' creativity:

▨ The exploit code contains a series of shell commands

▨ Attackers clear all cron jobs

▨ Attackers add a new hourly cron job

▨ New cron job downloads a script hosted online

▨ This script is hosted inside the robots.txt file of various domains

▨ The script downloads and installs a modified version of the legitimate XMRig Monero miner application.

Check Point security researcher Lotem Finkelstein told Bleeping Computer that they've seen attackers target Windows IIS servers, but they have not been able to obtain a copy of the Windows version of this malware just yet.

This attack also stood apart because one of the domains attackers used to hide malicious commands in the robots.txt file (lochjol[.]com) was also used in a previous malware campaign, in 2013 [1, 2].

That malware campaign also utilized the same Ruby on Rails exploit deployed in the RubyMiner attacks, suggesting the same group that was behind those attacks is most likely now trying to spread RubyMiner.

Rising trend in Monero-mining malware

Overall, there's been a rise in attempts to spread cryptocurrency mining malware in recent months, especially malware that mines for Monero.

Excluding cryptojacking events —which also mine Monero— some of the Monero-mining malware families and botnets we've seen in 2017 include Digmine, an unnamed botnet targeting WordPress sites, Hexmen, Loapi, Zealot, WaterMiner, an unnamed botnet targeting IIS 6.0 servers, CodeFork, and Bondnet.

Two weeks in 2018 and we've already seen PyCryptoMiner targeting Linux servers and another group targeting Oracle WebLogic servers.

In most of the incidents mentioned above that targeted web servers, attackers tried to use recent exploits, as there would be more vulnerable machines to infect.

The RubyMiner attacks are peculiar because attackers use very old exploits, which most security software would be able to detect, and which would have alerted server owners.

Finkelstein told Bleeping Computer that attackers might have been looking for abandoned machines on purpose, such as "forgotten PCs and servers with old OS versions," that sysadmins forgot they left online.

"Infecting them would ensure long periods of successful mining beneath the security radar, "Finkelstein says.

RubyMiner crew infected 700 servers

Check Point put the number of servers infected with RubyMiner at around 700 and estimated the attackers' earnings at $540, based on the wallet addresses found in the custom XMRig miner deployed by the RubyMiner malware.

Many would argue that the group would be more successful and earn more money if they'd use more recent exploits instead of ten-year-old vulnerabilities. For example, a group that targeted Oracle WebLogic servers with an exploit from October 2017 made a whopping $226,000.

More information about the RubyMiner attacks are available in reports from Check Point and Certego.