Security researchers have spotted a new strain of malware being deployed online. Named RubyMiner, this malware is a cryptocurrency miner spotted going after outdated web servers.
According to research published by Check Point and Certego, and information received by Bleeping Computer from Ixia, attacks started on January 9-10, last week.
Ixia security researcher Stefan Tanase told Bleeping Computer that the RubyMiner group uses a web server fingerprinting tool named p0f to scan and identify Linux and Windows servers running outdated software.
Once they identify unpatched servers, attackers deploy well-known exploits to gain a foothold on vulnerable servers and infect them with RubyMiner.
Check Point and Ixia say they've seen attackers deploy the following exploits in the recent attack wave:
It immediately stands out that RubyMiner targets both Windows and Linux systems alike.
In a report published last week, Check Point broke down RubyMiner's infection routine on Linux systems, based on data collected from its honeypot servers. Some things stand out right away, not least because of the attackers' creativity:
Check Point security researcher Lotem Finkelstein told Bleeping Computer that they've seen attackers target Windows IIS servers, but they have not been able to obtain a copy of the Windows version of this malware just yet.
That malware campaign also utilized the same Ruby on Rails exploit deployed in the RubyMiner attacks, suggesting the same group that was behind those attacks is most likely now trying to spread RubyMiner.
Overall, there's been a rise in attempts to spread cryptocurrency mining malware in recent months, especially malware that mines for Monero.
Excluding cryptojacking events (which also mine Monero), some of the Monero-mining malware families and botnets we've seen in 2017 include Digmine, an unnamed botnet targeting WordPress sites, Hexmen, Loapi, Zealot, WaterMiner, an unnamed botnet targeting IIS 6.0 servers, CodeFork, and Bondnet.
In most of the incidents mentioned above that targeted web servers, attackers tried to use recent exploits, as there would be more vulnerable machines to infect.
The RubyMiner attacks are peculiar because attackers use very old exploits, which most security software would be able to detect, and which would have alerted server owners.
Finkelstein told Bleeping Computer that attackers might have been looking for abandoned machines on purpose, such as "forgotten PCs and servers with old OS versions" that sysadmins forgot they left online.
"Infecting them would ensure long periods of successful mining beneath the security radar," Finkelstein says.
Check Point put the number of servers infected with RubyMiner at around 700 and estimated the attackers' earnings at $540, based on the wallet addresses found in the custom XMRig miner deployed by the RubyMiner malware.
Many would argue that the group would be more successful and earn more money if it used more recent exploits instead of ten-year-old vulnerabilities. For example, a group that targeted Oracle WebLogic servers with an exploit from October 2017 made a whopping $226,000.