ESET researchers have discovered a new malicious cryptocurrency miner attacking unpatched Windows web servers.
According to the post published by ESET, the attacker's main aim is to mine Monero (XMR) using the servers' computing power. Monero is an open-source cryptocurrency created in April 2014 that focuses on privacy, decentralization, and scalability, and runs on Windows, Mac, Linux, Android, and FreeBSD. To install the mining software on unpatched web servers, the attacker modified a legitimate open-source Monero miner and exploited a vulnerability (CVE-2017-7269) in Microsoft IIS 6.0. Over the last five months the attackers have mined over $63,000 worth of Monero and built a botnet of an unknown number of infected servers with this campaign. In the modified mining software the attacker left the original open-source code untouched and only added hardcoded command-line arguments: the attacker's wallet address, the mining pool URL, and a few arguments that kill all previously running instances of the miner.
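The hardcoded wallet address and pool URL described above are exactly what a defender can look for in process command lines on a server fleet. The following is an added example, not code from ESET or from the miner project: a small Python triage helper that scans collected process command lines for two generic indicators of Monero mining, a Monero-shaped wallet address (95 or 106 base58 characters starting with 4 or 8) and a Stratum pool URL. The sample command lines are constructed for the example, and the pool hostname and wallet strings are placeholders, not indicators from the report.

```python
import re

# Monero addresses use the Bitcoin base58 alphabet (no 0, O, I, l).
# Standard addresses and subaddresses are 95 characters starting with '4'
# or '8'; integrated addresses are 106 characters starting with '4'.
_B58 = r"[1-9A-HJ-NP-Za-km-z]"
MONERO_ADDRESS_RE = re.compile(
    rf"(?<!{_B58})(?:4{_B58}{{105}}|[48]{_B58}{{94}})(?!{_B58})"
)

# Pool miners almost always talk Stratum; the scheme is a strong signal on
# a web server that has no business mining.
STRATUM_URL_RE = re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.IGNORECASE)


def miner_indicators(cmdline: str) -> dict:
    """Return the mining indicators found in one process command line."""
    return {
        "wallets": MONERO_ADDRESS_RE.findall(cmdline),
        "pools": STRATUM_URL_RE.findall(cmdline),
    }


def is_suspicious(cmdline: str) -> bool:
    """True when the command line carries a wallet address or a pool URL."""
    found = miner_indicators(cmdline)
    return bool(found["wallets"] or found["pools"])


def triage(cmdlines):
    """Filter a list of command lines down to the ones worth an analyst's time."""
    return [c for c in cmdlines if is_suspicious(c)]


# Constructed sample command lines (hypothetical; not from the ESET report).
# Lines 3 and 4 mimic a miner launched with hardcoded pool and wallet
# arguments; the last line has a long token that is not base58 and must
# not trigger the wallet regex.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"C:\Windows\System32\inetsrv\w3wp.exe -ap DefaultAppPool",
    r"C:\Windows\Temp\update.exe -o stratum+tcp://pool.example.invalid:3333 -u 4"
    + "A" * 94 + " -p x",
    r"C:\Windows\Temp\svc.exe -o pool.example.invalid:5555 -u 8" + "B" * 94,
    r"C:\Tools\sync.exe --token=" + "0" * 100,
]

if __name__ == "__main__":
    for line in triage(SAMPLE_CMDLINES):
        print("SUSPICIOUS:", line[:60], miner_indicators(line))
```

In practice the command lines would come from process-creation telemetry or a periodic process inventory on the IIS hosts; on a dedicated web server any hit on either regex is worth a look, since neither a wallet address nor a Stratum URL belongs in the command line of a legitimate server process.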
The attacker searched for unpatched IIS 6.0 servers with a scanner and publicly available proof-of-concept (PoC) exploit code. Once an exposed server was found, the exploit was used to download the modified mining software onto it. The researchers also noted that a new version of the attacker's modified miner appeared soon after the original open-source software received updates. Microsoft had already released a patch in July for the IIS 6.0 vulnerability the attacker exploited to infect servers. The vulnerability was discovered by Zhiniang Peng and Chen Wu in March 2017 in the WebDAV service of Microsoft IIS 6.0.
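Since the vulnerable component is the IIS 6.0 WebDAV service, one retrospective check an administrator can run while patching is to look through the server's W3C logs for WebDAV requests on sites that were never meant to serve WebDAV. The following is an added example, not code from ESET or from the ESET post: a Python parser for the W3C extended log format that reads the `#Fields:` directive rather than assuming a column order, then counts WebDAV methods per client address. The log excerpt is constructed for the example, with documentation-range IP addresses. The public CVE description for CVE-2017-7269 names PROPFIND as the request type that triggers the bug; the default IIS log fields do not record the request headers, so this is a hunt for unexpected WebDAV use, not a signature for the exploit itself.

```python
from collections import Counter

# HTTP methods defined by WebDAV (RFC 4918) plus SEARCH, which IIS WebDAV also handles.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}

# Constructed IIS 6.0 W3C log excerpt (hypothetical addresses and requests).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2017-09-28 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-09-28 10:00:01 192.0.2.10 GET /index.htm - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
2017-09-28 10:00:05 192.0.2.10 PROPFIND / - 80 - 203.0.113.42 Mozilla/5.0 207 0 0
2017-09-28 10:00:06 192.0.2.10 PROPFIND / - 80 - 203.0.113.42 Mozilla/5.0 500 0 0
2017-09-28 10:00:09 192.0.2.10 GET /about.htm - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
"""


def parse_w3c(text: str) -> list:
    """Parse W3C extended log text into one dict per request, keyed by field name."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            # Field order is declared in the log itself and may change between files.
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # skip truncated or malformed lines rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def webdav_requests(rows: list) -> list:
    """Select requests that used a WebDAV method."""
    return [r for r in rows if r.get("cs-method", "").upper() in WEBDAV_METHODS]


def summarize(text: str) -> dict:
    """Count WebDAV requests overall, per client address and per method."""
    hits = webdav_requests(parse_w3c(text))
    return {
        "webdav_requests": len(hits),
        "clients": dict(Counter(r["c-ip"] for r in hits)),
        "methods": dict(Counter(r["cs-method"].upper() for r in hits)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A server that has no WebDAV users should show zero hits; any PROPFIND traffic on such a host, especially bursts from a single address before the patch was installed, is a reason to check that host for the miner and to confirm that WebDAV is disabled where it is not needed.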