Security News > 2021 > April > New cryptomining malware builds an army of Windows, Linux bots

A recently discovered cryptomining botnet is actively scanning for vulnerable Windows and Linux enterprise servers and infecting them with Monero miner and self-spreader malware payloads.

While, at first, it was using a multi-component architecture with the miner and worm modules, the botnet has been upgraded to use a single binary capable of mining and auto-spreading the malware to other devices.

Sysrv-hello's propagator component aggressively scans the Internet for more vulnerable systems to add to its army of Monero mining bots with exploits targeting vulnerabilities that allow it to execute malicious code remotely.

After hacking into a server and killing competing cryptocurrency miners, the malware will also spread over the network in brute force attacks using SSH private keys collected from various locations on infected servers.

The latest samples spotted in the wild have also added support for the Nanopool mining pool after removing support for MineXMR. Even though this wallet contains just over 12 XMR, cryptomining botnets regularly use more than one wallet linked to multiple mining pools to collect illegally earned cryptocurrency, and this can quickly add up to a small fortune.

360 Netlab researchers spotted an increasingly active and upgraded version of the z0Miner cryptomining botnet attempting to infect vulnerable Jenkins and ElasticSearch servers to mine for Monero.

News URL

https://www.bleepingcomputer.com/news/security/new-cryptomining-malware-builds-an-army-of-windows-linux-bots/