Friday, March 29, 2024

Cybercriminals Exploit PHP Weathermap Vulnerability to Install Cryptocurrency Miner on Linux Servers

An active cryptocurrency mining campaign targeting Linux servers via PHP Weathermap Vulnerability to deploy cryptocurrency mining malware. The campaign uses an outdated security flaw with “Network Weathermap” that allow a remote attacker to inject arbitrary codes in the server.

In the current campaign, cybercriminals deploy the XMRig miner as final payload in the target server. The attack primarily focuses on Japan, Taiwan, China, the U.S., and India.

cryptocurrency mining campaign

Security researchers from TrendMicro detected the active campaign cryptocurrency-mining campaign, according to researchers it associates with previous JenkinsMiner malware campaign.

How Cryptocurrency Mining Campaign Infects

With the cryptocurrency mining campaign attackers exploiting the outdated vulnerability CVE-2013-2618 in Cacti’s Network Weathermap plug-in that used by system administrators to visualize the network activity.

The persistent cross-site scripting vulnerability resides with “/plugins/weathermap/configs/conn.php” and attackers uses the vulnerability to execute the scripts remotely and downloads the watchd0g.sh file from attackers server. 

The main purpose of watchd0g.sh is to download the final payload dada.x86_64 from the same server where the watchd0g.sh is downloaded. The final payload is the modified XMRig miner.

Also Read Linux Backdoor that Creates Fully Encrypted Reverse Shell and Attack Unsecured Linux Systems

The configuration file “config.json” that executed along with XMRig contains the algorithm used for mining, maximum CPU usage, mining server, and login credentials of Monero wallets.

Researchers found two unique usernames matching Monero wallets and they said as of March 21, 2018, attackers mined approximately 320 XMR or about $74,677 based on the two wallets.

Attack Execution Requirements

A publicly accessible Linux web server running (x86-64), given the custom XMRig Miner 64-bit ELFs and Cacti needs to be implemented with the Plugin Architecture working and an outdated Network Weathermap 0.97a and prior is used.

The web server hosting Cacti does not require authentication to access the web site resource. For perfect execution, the web server should be running with ‘root’ permissions.

IP address and Domains used in the attack

222[.]184[.]79[.]11
bbc[.]servehalflife[.]com
190[.]60[.]206[.]11
182[.]18[.]8[.]69
jbos[.]7766[.]org
115[.]231[.]218[.]38
Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles