Linux Machine’s are Hijacked by unknown Vulnerability by using SambaCry Flow and it has cryptocurrency mining utility. This Vulnerability Exploit by using unauthorized Write Permission in Network Drive in Linux Machines.
The Legitimate Text File writes by the attacker which Consists of 8 Random symbols in Samba.Suddenly attacker deletes the file Once Attempt has been successfully done.
Super Privilege Access has been successfully takeover by this Sambacry Payload once payload has injected into the Linux Server.
According to Kaspersky Lab, although first, the attackers have to guess the full path to the dropped file with their payload, starting from the root directory of the drive.
By using Honeypot, Researchers Trace the payload Activities by Capture the Traffic and they Find where files can be stored on the drive.
Cryptocurrency mining operation:
Researchers said, “The main functionality of this file is to download and execute one of the most popular open-source cryptocurrency mining utilities – cpuminer (miderd). It is done by the hard coded shell-command ”
Interesting Fact of this version of cpuminer used is “upgraded”. so it can perform Directly Mine the currency without launched any parameters to the hard-coded attackers’ wallet.
“Along with the attackers’ wallet number, the pool address (xmr.crypto-pool.fr:3333) can be found in the body of the miner. This pool is created for mining the open-source cryptocurrency – monero. Using all this data we managed to check out the balance on the attackers’ wallet and the full log of transactions”
Log of transactions with all the attackers’ cryptocurrency income Credits:SECURELIST
According to the Report, During the first day they gained about 1 XMR (about $55 according to the currency exchange rate for 08.06.2017), but during the last week they gained about 5 XMR per day
This means that the botnet of devices working for the profit of the attackers is growing.
To mining cryptocurrency for the attackers attacked machine turns into a workhorse on a large list and also the attackers can change the configuration of a miner already running or infect the victim’s computer with other types of malware.Researchers said.