Categories: MalwareSecurity News

Cybercriminals Exploit PHP Weathermap Vulnerability to Install Cryptocurrency Miner on Linux Servers

An active cryptocurrency mining campaign targeting Linux servers via PHP Weathermap Vulnerability to deploy cryptocurrency mining malware. The campaign uses an outdated security flaw with “Network Weathermap” that allow a remote attacker to inject arbitrary codes in the server.

In the current campaign, cybercriminals deploy the XMRig miner as final payload in the target server. The attack primarily focuses on Japan, Taiwan, China, the U.S., and India.

Security researchers from TrendMicro detected the active campaign cryptocurrency-mining campaign, according to researchers it associates with previous JenkinsMiner malware campaign.

How Cryptocurrency Mining Campaign Infects

With the cryptocurrency mining campaign attackers exploiting the outdated vulnerability CVE-2013-2618 in Cacti’s Network Weathermap plug-in that used by system administrators to visualize the network activity.

The persistent cross-site scripting vulnerability resides with “/plugins/weathermap/configs/conn.php” and attackers uses the vulnerability to execute the scripts remotely and downloads the watchd0g.sh file from attackers server.

The main purpose of watchd0g.sh is to download the final payload dada.x86_64 from the same server where the watchd0g.sh is downloaded. The final payload is the modified XMRig miner.

Also Read Linux Backdoor that Creates Fully Encrypted Reverse Shell and Attack Unsecured Linux Systems

The configuration file “config.json” that executed along with XMRig contains the algorithm used for mining, maximum CPU usage, mining server, and login credentials of Monero wallets.

Researchers found two unique usernames matching Monero wallets and they said as of March 21, 2018, attackers mined approximately 320 XMR or about $74,677 based on the two wallets.

Attack Execution Requirements

A publicly accessible Linux web server running (x86-64), given the custom XMRig Miner 64-bit ELFs and Cacti needs to be implemented with the Plugin Architecture working and an outdated Network Weathermap 0.97a and prior is used.

The web server hosting Cacti does not require authentication to access the web site resource. For perfect execution, the web server should be running with ‘root’ permissions.

IP address and Domains used in the attack

222[.]184[.]79[.]11
bbc[.]servehalflife[.]com
190[.]60[.]206[.]11
182[.]18[.]8[.]69
jbos[.]7766[.]org
115[.]231[.]218[.]38
Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

1 day ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

3 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

3 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

3 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago