Splunk spots malware targeting Windows Server on AWS to mine Monero

Data analysis firm Splunk says it's found a resurgence of the Crypto botnet - malware that attacks virtual servers running Windows Server inside Amazon Web Services.
Splunk's Threat Research Team posted its analysis of the attack on Monday, suggesting it starts with a probe for Windows Server instances running on AWS, and seeks out those with remote desktop protocol enabled.
Once target VMs are identified, the attackers wheel out an old favourite: brute forcing passwords.
Splunk's security team noticed that one of the Monero wallets used in this campaign was also involved in a 2018 wave of attacks using the same Crypto botnet.
Splunk's advice for those hoping to avoid the attack is simple: stay up to date with patches, use strong passwords, and enable network-level authentication.
Windows admins will also know that RDP is not on by default, for good reasons - advice for those not wanting to avoid the attack is presumably to switch on RDP, use 'Admin/Passw0rd1234' as the login credentials and let 'er rip.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/08/10/crypto_botnet_targets_windows_on_aws/