Loading cryptocurrency prices...

Malware Spreads As a Worm, Uses Cryptojacking Module to Mine for Monero

- Advertisement -

A modular malware with worm capabilities exploits known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer to spread from one server to another and mine for Monero cryptocurrency.

Systemctl.exe, the worm module of the malware named PsMiner by the 360 Total Security researchers, is a Windows binary written in the Go language which bundles all the exploit modules used to hack into vulnerable servers it can find on the Internet.

Besides the exploits, PsMiner’s worm module also has the capability to brute force its way in, whenever it finds targets that uses weak or default credentials, as well as crack user credentials using an additional brute force password cracking component.

- Advertisement -

Once it manages to infiltrate a victim’s computer, PsMiner will execute a PowerShell command which downloads a WindowsUpdate.ps1 malicious payload, the malware’s master module designed to drop the Monero miner as part of the final infection stage.

The infection process
The infection process

The malware will also copy the malicious WindowsUpdate.ps1 script to the Windows Temp folder and will create an “Update service for Windows Service” scheduled task designed to re-launch the main malware module every 10 minutes to help it keep persistence on the compromised system.

During the last stage of the infection, PsMiner will download and launch the open source Xmrig CPU miner, used to mine for Monero cryptocurrency with the help of a custom mining profile.

While the worm capabilities it uses to spread between its victims and the way it uses living-off-the-land (LotL) techniques to further compromise its targets and achieve persistence are quite effective, not the same thing can be said about the profits this campaign was able to collect for its masters.

As the 360 Total Security researchers say in their report, “Inquiring about the relevant transaction records, we found that in just two weeks, the miner accumulated a total of about 0.88 Monroe (sic) coins.”

Malware modules
Malware modules

Cryptojacking still a threat

According to Symantec’s 2019 Internet Security Threat Report, the use of malicious PowerShell scripts increased by a whopping 1,000% during 2019, closely following the overall trend of cybercriminals moving to LotL techniques to avoid being detected while infiltrating their targets’ systems.

Even though the use of cryptojacking malware followed a downward trend during 2018, it’s still in the arsenal of threat actors as shown by PsMiner, by a batch of eight Microsoft Store apps found to be dropping malicious Monero cryptomining scripts, and by hundreds of vulnerable and exposed Docker hosts actively being abused in cryptojacking campaigns.

Additionally, a new Backdoor Trojan dubbed SpeakUp which drops XMRig miners on its victims and a new coinminer malware strain using the XMR-Stak Cryptonight cryptocurrency miner were detected targeting servers multiple Linux distributions.

Cryptocurrency mining malware also affected ten times more organizations than ransomware did during last year, while and more and more malware families have begun to merge in new capabilities targeting cryptocurrency within their arsenal, as detailed by a Check Point Research report.

Previous Articles:

- Advertisement -

Latest News

Kremlin: Russia Has No Intention to Challenge the US Dollar

Russia states it has no intention of undermining the U.S. dollar or targeting American...

Crypto Market in Reset Phase as ETF Inflows Weaken, Volatility Spikes

Cryptocurrency prices continued to fall as the market saw increased volatility and reduced ETF...

Kraken Acquires Small Exchange for $100M, Enters U.S. Derivatives

Kraken has agreed to buy the U.S. contract market Small Exchange for $100 million.The...

TSMC Stock Hits Record High on 39% Q3 Profit Surge, AI Demand

TSMC reported a 39% jump in third-quarter profits for 2025, exceeding analyst forecasts. Net income...

Theta Partners with Ulsan HD FC to Launch AI Fan Agent

THETA Network partners with Ulsan HD FC, South Korea’s football club and three-time K...
- Advertisement -

Must Read

Are Cryptocurrency Securities?

TL;DR - Cryptocurrencies are not typically considered securities, as they are decentralized digital assets that operate independently of any central authority or government. However,...