Security researchers from ESET have detected new malware that infected thousands of Windows web servers with a malicious Monero (XMR) miner and helped cybercriminals make more than $63,000 in just three months.
Attackers are infecting unpatched Windows web servers with a malicious cryptocurrency miner. Their purpose is to use the servers’ computing power (CPU) to mine Monero (XMR), which is one of the newest cryptocurrency alternatives to Bitcoin and one of the most anonymous cryptocurrencies.
According to ESET:
“attackers modified legitimate open source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0 to covertly install the miner on unpatched servers. Over the course of three months, the crooks behind the campaign have created a botnet of several hundred infected servers and made over USD 63,000 worth of Monero.”
Distributing the miner to victims’ computers is the hardest part of this operation, but the attackers did so by using a vulnerability (CVE-2017-7269) that was discovered in March 2017. The vulnerability is in the WebDAV service, a component of Microsoft IIS version 6.0, the web server in Windows Server 2003 R2.
Overall, the compromised machines were generating about XMR 5.5 daily by the end of August and have made over XMR 420 in total over the course of three months.