Source |
AlienVault Blog |
Identifier |
620723 |
Publication date |
2018-05-01 16:02:00 (seen: 2018-05-01 19:09:13) |
Title |
MassMiner Malware Targeting Web Servers |
Text |
Written in collaboration with Fernando Martinez
One of the biggest malware trends of 2018 has been the increasing variety of crypto-currency malware targeting servers.
One family of mining malware, which we’ve termed “MassMiner”, stands out as a worm that not only spreads itself through a number of different exploits, but also brute-forces access to Microsoft SQL Servers. It surprised us how many different exploits and hacking tools it leverages in a single executable.
MassMiner spreads first within the local network, before attempting to propagate across the wider internet:
There are a number of different versions of MassMiner, and honeypot data indicates they are continuing to spread:
An infected MassMiner machine attempting to spread, using an exploit for Apache Struts
This one site records infection attempts to their honeypots, most likely from infected systems, in the following countries:
It’s likely these numbers represent just a minority of the infected systems.
Reconnaissance
MassMiner includes a fork of MassScan, a tool that can scan the internet in under 6 minutes. The MassScan fork passes a list of IP ranges to scan during execution, which includes private and public IP ranges.
Exploitation
MassMiner then proceeds to run exploits against vulnerable systems, including:
|
Sent |
Yes |