
Malware researchers from security firm Sophos have analyzed a new strain of malware, detected as Mal/Miner-C, that was designed to abuse the resources of infected machines to mine Monero (XMR) cryptocurrency. The experts discovered that the new malware leverages network-attached storage (NAS) devices as an attack vector. The authors of Mal/Miner-C used the NSIS (Nullsoft Scriptable Install System) scripting language to develop it.

If the threat is able to connect successfully to an FTP service, it copies itself to that server and modifies the .html and .php files stored there, injecting code that generates an iframe referencing the malicious file uploaded to the server.

According to Sophos:

If the embedded credentials are able to successfully connect to an FTP service, it tries to copy itself to the server and modify an existing web-related file with the extension .htm or .php in an attempt to further infect visitors to the host system.

If a file with this extension is found, the threat injects source code that creates an iFrame referencing the files info.zip or Photo.scr.

When a user visits a website compromised by Miner-C, they are presented with a “save file” dialog that serves the malicious files; if the victim downloads and opens the file, their PC is infected with Mal/Miner-C.
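As an added, defender-side example (not code from Sophos or from the article), the following Python sweeps a web root for the two symptoms described above: .htm/.html/.php files carrying an injected iframe that references info.zip or Photo.scr, and the presence of those dropped files themselves. The filenames come from the write-up; the directory layout, the hostname nas.example and the page contents are constructed for the demo.

```python
# Added example: sweep a web root for Mal/Miner-C symptoms (injected iframes
# pointing at info.zip / Photo.scr, and the dropped files themselves).
# Filenames are from the Sophos write-up; all sample content is constructed.
import re
import tempfile
from pathlib import Path

WEB_EXTENSIONS = {".htm", ".html", ".php"}
DROPPED_FILES = {"info.zip", "photo.scr"}   # compared case-insensitively

# An <iframe ...> whose src attribute ends in one of the dropped filenames.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]*(?:info\.zip|photo\.scr))",
    re.IGNORECASE,
)


def scan_web_root(root):
    """Return sorted (relative_path, kind, detail) findings for a web root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in DROPPED_FILES:
            findings.append((rel, "dropped_file", path.name))
        elif path.suffix.lower() in WEB_EXTENSIONS:
            text = path.read_text(errors="replace")
            for m in IFRAME_RE.finditer(text):      # tag may span lines
                line = text.count("\n", 0, m.start()) + 1
                findings.append((rel, "injected_iframe", f"line {line}: {m.group(1)}"))
    return sorted(findings)


def demo():
    """Build a constructed web root: one clean page, two injected, one payload."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Public").mkdir()                           # constructed public folder
        (root / "Public" / "Photo.scr").write_bytes(b"MZ")  # stand-in, not real malware
        (root / "about.html").write_text("<html><body><p>Clean page</p></body></html>\n")
        (root / "index.htm").write_text(
            '<html><body>\n<iframe src="http://nas.example/Public/info.zip"\n'
            '        width="1" height="1"></iframe>\n</body></html>\n')
        (root / "contact.php").write_text(
            "<?php echo 'hi'; ?>\n<iframe src='/Public/Photo.scr'></iframe>\n")
        return scan_web_root(root)


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```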

A senior threat researcher at Sophos, Attila Marosi, stated in a blog post that:

The malware generates a new initialization file when it is launched, which helps the malware avoid security solutions. It also gives the botnet operators a chance to change the payload of the threat in the future, for example, dropping ransomware on the victim’s machine after the mining business is no longer profitable.

The malware targeted various types of FTP servers, but Sophos experts noticed that it mostly hit Seagate’s Central NAS product. This specific NAS provides a public folder that cannot be deleted or deactivated, and the attackers upload the malware to that folder in the hope that users will execute it once they discover it.

From the map above, the security researchers found:

  • IP numbers of FTP servers on the original list: 2,932,833.
  • FTP servers active during the test: 2,137,571.
  • Active servers allowing anonymous remote access: 207,110.
  • Active servers where write access was enabled: 7,263.
  • Servers contaminated with Mal/Miner-C: 5,137.