Security researchers at the security firm ESET have spotted a piece of malware that infected hundreds of Windows web servers with a malicious cryptocurrency miner and helped cybercriminals make more than $63,000 worth of Monero (XMR) in just three months.
According to a report published by ESET today, the cybercriminals did not write their own miner: they simply modified legitimate open source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0 to secretly install it on unpatched Windows servers.
Although ESET's investigation does not identify the attackers, it reports that they have been infecting unpatched Windows web servers with the cryptocurrency miner since at least May 2017 to mine Monero, a Bitcoin-like cryptocurrency.
The vulnerability (CVE-2017-7269) exploited by the attackers was discovered in March 2017 by Zhiniang Peng and Chen Wu and resides in the WebDAV service of Microsoft IIS version 6.0, the web server shipped with Windows Server 2003 R2.
The hackers are therefore targeting only unpatched machines running Windows Server 2003, an operating system Microsoft stopped supporting in July 2015, to make them part of a botnet that has already earned them over $63,000 worth of Monero.
Since the vulnerability is in a web server, which is meant to be reachable from the internet, any IIS 6.0 host with WebDAV enabled can be found by a simple scan and exploited by anyone.
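Two things a defender wants from the description above are a way to tell whether a server is exposed and a way to spot exploitation attempts in traffic. The Python script below is an added example, not code from the original article or from ESET. It parses constructed sample HTTP messages (not captures from the investigation): it fingerprints an OPTIONS response for IIS 6.0 with WebDAV methods enabled, and it flags PROPFIND requests carrying an oversized If header, which is the shape of the public proof-of-concept for CVE-2017-7269 (the bug is a buffer overflow triggered while the WebDAV component parses a long "If: <http://..." header). The host names and the length threshold are assumptions.

```python
# Added example: IIS 6.0 / WebDAV exposure check and PROPFIND anomaly detection.
# Sample messages below are constructed, not taken from any real capture.

# An OPTIONS response from a host that looks like IIS 6.0 with WebDAV on.
IIS6_WEBDAV_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL\r\n"
    "MS-Author-Via: DAV\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Same server version with WebDAV disabled: the vulnerable code path is unreachable.
IIS6_NO_WEBDAV_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# A benign WebDAV client request (hypothetical host name).
BENIGN_PROPFIND = (
    "PROPFIND /docs/ HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Depth: 1\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Shaped like the public proof-of-concept: PROPFIND with a very long If header.
OVERSIZED_PROPFIND = (
    "PROPFIND / HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "Content-Length: 0\r\n"
    + "If: <http://victim.example/" + "A" * 2000 + ">\r\n"
    + "\r\n"
)

# Assumed threshold: legitimate If headers carry a handful of lock tokens,
# a few hundred bytes at most. Tune for your own traffic.
IF_HEADER_LIMIT = 512


def parse_message(raw):
    """Split a raw HTTP message into (start line, {lowercased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def iis6_webdav_exposed(raw_response):
    """True if an OPTIONS response advertises IIS 6.0 with WebDAV enabled."""
    _, h = parse_message(raw_response)
    is_iis6 = h.get("server", "").lower().startswith("microsoft-iis/6.0")
    methods = (h.get("allow", "") + "," + h.get("public", "")).upper()
    webdav_on = "dav" in h or "PROPFIND" in methods
    return is_iis6 and webdav_on


def suspicious_propfind(raw_request, limit=IF_HEADER_LIMIT):
    """True for a PROPFIND whose If header is far longer than any legitimate lock-token list."""
    start, h = parse_message(raw_request)
    method = start.split(" ", 1)[0].upper()
    return method == "PROPFIND" and len(h.get("if", "")) > limit


if __name__ == "__main__":
    print("IIS6+WebDAV response exposed:", iis6_webdav_exposed(IIS6_WEBDAV_RESPONSE))
    print("IIS6 without WebDAV exposed:", iis6_webdav_exposed(IIS6_NO_WEBDAV_RESPONSE))
    print("benign PROPFIND suspicious:", suspicious_propfind(BENIGN_PROPFIND))
    print("oversized PROPFIND suspicious:", suspicious_propfind(OVERSIZED_PROPFIND))
```

The exposure check only reads what the server volunteers, so it is safe to run against production hosts; the If-header rule is a cheap signal to put in a reverse proxy or IDS in front of any Windows Server 2003 box that cannot be retired yet.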
The newly discovered malware mines Monero, which has a total market valuation of about $1.4 billion, far behind Bitcoin in market capitalisation; cybercriminals nonetheless favour Monero because of its focus on privacy.
Unlike Bitcoin, whose public ledger lets anyone follow funds from address to address, Monero is designed to make transactions untraceable and is widely regarded as the most anonymous cryptocurrency available today.
Another reason hackers favour Monero is that it uses a proof-of-work algorithm called CryptoNight, which is designed to run efficiently on ordinary computer or server CPUs and GPUs, whereas Bitcoin mining is only worthwhile on specialised mining hardware. The CPU of a compromised web server is therefore directly useful to the attacker.
However, this is not the first time analysts have spotted malware that mines Monero by stealing the computing resources of compromised computers.
In mid-May, Proofpoint researcher Kafeine discovered cryptocurrency mining malware, called 'Adylkuzz,' which used the EternalBlue exploit, attributed to the NSA and dumped by the Shadow Brokers in April, to infect unpatched Windows systems and mine Monero.
A week before that, GuardiCore researchers discovered a new botnet malware, dubbed BondNet, that was also infecting Windows systems, using a combination of techniques, primarily to mine Monero.