Ronald Hudson - Fotolia

How does MassMiner malware infect systems across the web?

Researchers from AlienVault found a new cryptocurrency mining malware -- dubbed MassMiner -- that infects systems across the web. Learn how this malware operates with Nick Lewis.

A new type of cryptocurrency mining malware called MassMiner was recently discovered by security researchers to be infecting systems across the web. How does this malware infect systems?

Similar to ransomware attacks, cryptocurrency mining is a way for criminals to monetize their attacks. While cryptocurrency mining usually causes less collateral damage than ransomware, mining malware may be more difficult to detect.

Once attackers have infected a system, they can use the compromised system for a number of different things, such as distributed denial-of-service attacks and sending spam. Attackers sometimes have scripts or patterns they follow where each step is worked out. These scripts may also include exploits that can maximize the return on investment of an attack.

A new type of cryptocurrency mining malware called MassMiner was recently discovered by researchers from AlienVault Inc. MassMiner is used to mine Monero cryptocurrency, and the malware is configured with the Monero wallet and mining pool to which it sends mined coins.

In addition to the cryptocurrency mining function, the MassMiner malware also includes worm functionality and a version of Masscan, a high-speed IP scanner, which scans the local network before scanning the internet to look for vulnerable devices to infect.

MassMiner targets Windows servers for WebLogic, exposed server message block servers, Apache Struts and SQL Server. When one of these systems is found, MassMiner uses well-known -- and patched -- exploits to gain access to the system. The exception is SQL Server, where MassMiner attempts to brute force a password for access.

Once MassMiner gains access to a system, it establishes persistence by disabling security functionality. Then the malware downloads the configuration, including the command-and-control server.

Once the infection is complete, MassMiner starts using the infected system to mine Monero, as well as to scan for other systems to infect. In order to mitigate this attack, AlienVault released indicators of compromise to help determine if your systems have been infected.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing