Windows and Linux servers have become crypto-miners

Security researchers have discovered new malware that installs a legitimate cryptocurrency mining program on poorly protected Windows and Linux servers. Intezer's Avigayil Mechtinger, a malware analysis specialist, has been tracking the cross-platform worm that has been installing XMRig Miner to mine the Monero cryptocurrency since early December. According to Mechtinger, the worm targets public-facing MySQL, Tomcat, and Jenkins installations that have weak passwords.

Active and mutating

Explaining the worm's workflow, Mechtinger writes that the worm scans for Tomcat, Jenkins, and MySQL services with open ports and then brute-forces its way in. It then delivers an upload script to the compromised server, which drops and runs XMRig Miner. An earlier version of the worm also attempted to exploit the latest WebLogic vulnerability (CVE-2020-14882). During Mechtinger's analysis, the attacker continued to update the worm on the Command and Control (C&C) server. This indicates "that it is active and could point to additional weakly configured services in future updates," she writes.

Screenshot of Intezer's analysis

(Image credit: Intezer)

In her report, Mechtinger notes that the worm's code is "nearly identical" for Windows and Linux targets, which she says "demonstrates that Linux threats are still largely unnoticed by most security and detection platforms." Note that this latest worm follows the discovery of the PgMiner worm, which exploited a disputed vulnerability in PostgreSQL servers running Linux to install a cryptocurrency miner. Mechtinger also points to another trend: "In 2020 we saw a notable trend of Golang malware targeting different platforms, including Windows, Linux, Mac, and Android. We believe with great confidence that this will continue in 2021."

Via: BleepingComputer