Monero-Mining Campaign Takes the Easy Road to Cash Gains

A nefarious cryptocurrency mining operation has been going on since at least May 2017, with attackers infecting unpatched Windows 2003 webservers. So far, the bad actors have managed to net more than $63,000 worth of Monero on the backs of unsuspecting administrators whose machines have been enslaved for their processing power—all without putting too much effort into the proceedings. 

According to ESET, the bad actors have modified legitimate open-source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0, to covertly install the miner on unpatched servers. Over the course of three months, the crooks behind the campaign have created a botnet of several hundred infected victim endpoints. Together their computing power offers a powerful “drill” to uncover Monero (XMR), one of the newer cryptocurrency alternatives to Bitcoin.

Campaigns like this often don’t achieve the notoriety of flashier attacks, but they’re no less concerning.

“While the world is holding its breath, wondering where notorious cyber-criminal groups like Lazarus or Telebots will strike next with another destructive malware such as WannaCryptor or Petya, there are many other, less aggressive, much stealthier and often very profitable operations going on,” ESET researchers noted in a blog.

The choice of Monero is interesting too: It offers “features” that make it more attractive to criminals than the more venerable Bitcoin.

“While far behind Bitcoin in market capitalization, Monero has several features that make it a very attractive cryptocurrency to be mined by malware—untraceable transactions and a proof of work algorithm called CryptoNight, which favors computer or server CPUs and GPUs, in contrast to specialized mining hardware needed for Bitcoin mining,” ESET researchers explained, adding that the exchange rate has jumped up from $40/XMR to $150/XMR just in the past month, and seems to be averaging a healthy $100/XMR.

When creating the malicious mining software, the crooks took the path of least resistance: They didn’t apply any major changes to the original open-source codebase. That leaves distributing the miner to victims’ computers as the hardest part of the operation, but even here, the attackers went for the easiest approach. Two IP addresses are conducting simple brute-force scans every week for the CVE-2017-7269 vulnerability, present in Windows Server 2003 (which has reached end-of-life and is unsupported by Microsoft).

“This vulnerability is especially susceptible to exploitation, since it’s located in a webserver service, which in most cases is meant to be visible from the internet and therefore can be easily accessed and exploited by anyone,” ESET researchers said. They added that in this campaign, “We see that minimal know-how together with very low operating costs and a low risk of getting caught—in this case, misusing legitimate open-source cryptocurrency mining software and targeting old systems likely to be left unpatched—can be sufficient for securing a relatively high outcome.”
