RubyMiner

Even though Bitcoin seems to be at its peak, other currencies are gaining in popularity. In early January, 2018, researcher found a new strain of malware named RubyMiner targeting Linux and Windows servers that use outdated software to use their computational resources for mining Monero coins. RubyMiner was found to plant the miner XMrig, and the attempt to infect networks worldwide was carried out within 24 hours, affecting 30 percent of global networks. The top countries targeted by the RubyMiner malware includes the United States, United Kingdom, Germany, Norway, and Sweden.

The attackers used a web server fingerprinting tool called pof to identify vulnerable servers. Upon successful identification of vulnerable servers, exploits already known to security researchers were used to infect the servers with RubyMinder. The exploits used in the attack includes CVE-2013-0156, CVE-2012-1823, CVE-2012-2311, CVE-2012-2335, CVE-2012-2336, CVE-2013-4878, and CVE-2005-2678. Among the servers attacked by RubyMider, researchers found Windows IIS, PHP, and Ruby on Rails, which were attacked earlier.

The miner XMrig is programmed to send 5% of the revenue gained from mining to the author of the code, but the attackers skillfully altered the code to receive 100% of the profit made from the mining process. In  total, 700 servers were affected by the attack, making a $520 (£392) profit within the first day.

It was found that the file robots.txt was used by the domain lochjol.com to store malicious commands. The same domain was used in a malware attack in 2013. Researchers also found that the mining process is programmed to run every hour alongside the downloading of the file robots.txt. This is believed to be done so that the attackers can initiate a kill switch by modifying the file to be re-downloaded without the cryptominers.

Researchers speculated that the RubyMiner attack is similar to the 2013 attack, but the purpose of the current attack seems to be different because the attack could have been averted by fixing the vulnerabilities and implementing certain security measures.

The RubyMiner attack is no surprise to malware researchers because a similar attack was carried out in 2017 against Microsoft IIS 6.0 to mine Monero. The profit exceeded $63,000. The same open-source miner XMrig was employed after making some changes to  revamp the software into their own mining tool.

The latest detections suggest that the Monero currency is becoming a new target in the dark market, leaving the Bitcoin currency abandoned because of now, reportedly, traceable transactions and unpredictable rates, changes in which may bring significant financial losses. Some ransomware authors have already launched their campaigns in which victims are demanded to pay ransoms in Monero.

The Monero currency comes in handy because of the anonymity,  compared to Bitcoin which is now considered not as safe as it was claimed earlier because of the Blockchain that records what address received a payment and the exact amount used in the transaction. It is very likely, that soon ransomware infections will demand to pay not only in Monero, but in Euthereum and Zcash, the latter of which is claimed to be even better because of the encryption of the user's address, making transactions impossible to trace.