An active cryptocurrency mining campaign targeting Linux servers via PHP Weathermap Vulnerability to deploy cryptocurrency mining malware. The campaign uses an outdated security flaw with “Network Weathermap” that allow a remote attacker to inject arbitrary codes in the server.
In the current campaign, cybercriminals deploy the XMRig miner as final payload in the target server. The attack primarily focuses on Japan, Taiwan, China, the U.S., and India.
Security researchers from TrendMicro detected the active campaign cryptocurrency-mining campaign, according to researchers it associates with previous JenkinsMiner malware campaign.
How Cryptocurrency Mining Campaign Infects
With the cryptocurrency mining campaign attackers exploiting the outdated vulnerability CVE-2013-2618 in Cacti’s Network Weathermap plug-in that used by system administrators to visualize the network activity.
The persistent cross-site scripting vulnerability resides with “/plugins/weathermap/configs/conn.php” and attackers uses the vulnerability to execute the scripts remotely and downloads the watchd0g.sh file from attackers server.
The main purpose of watchd0g.sh is to download the final payload dada.x86_64 from the same server where the watchd0g.sh is downloaded. The final payload is the modified XMRig miner.
The configuration file “config.json” that executed along with XMRig contains the algorithm used for mining, maximum CPU usage, mining server, and login credentials of Monero wallets.
Researchers found two unique usernames matching Monero wallets and they said as of March 21, 2018, attackers mined approximately 320 XMR or about $74,677 based on the two wallets.
Attack Execution Requirements
A publicly accessible Linux web server running (x86-64), given the custom XMRig Miner 64-bit ELFs and Cacti needs to be implemented with the Plugin Architecture working and an outdated Network Weathermap 0.97a and prior is used.
The web server hosting Cacti does not require authentication to access the web site resource. For perfect execution, the web server should be running with ‘root’ permissions.
IP address and Domains used in the attack
222[.]184[.]79[.]11 bbc[.]servehalflife[.]com 190[.]60[.]206[.]11 182[.]18[.]8[.]69 jbos[.]7766[.]org 115[.]231[.]218[.]38