A new worm written in Golang turns Windows and Linux servers into miners of the cryptocurrency Monero.
Researchers from Intezer said the worm spreads across the network to run XMRig Miner, a Monero cryptocurrency miner, on a large scale. The malware targets both Windows and Linux servers and can easily move from one platform to the other. It targets public-facing services such as MySQL, the Tomcat admin panel and Jenkins that have weak passwords. An older version of the worm also attempted to exploit WebLogic’s latest vulnerability, CVE-2020-14882.
During their analysis, the researchers found that the attacker kept updating the worm on the command and control server, which indicates that it’s active and might target additional weakly configured services in future updates.
The attack uses three files: a dropper script (Bash or PowerShell), a Golang binary worm, and an XMRig Miner, all of which are hosted on the same command and control server.
Security teams have been advised to use complex passwords, limit login attempts and use two-factor authentication. Intezer also says to minimize the use of public-facing services and keep software updated with the latest security patches. Finally, they recommend using a cloud workload protection platform to gain full runtime visibility over the code in the company’s system and to be alerted to any malicious or unauthorized code.
Organizations should monitor their systems for vulnerabilities so they can patch them in time, control any changes to a server, such as a file being dropped, and have a strong password policy in place.
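The advice to limit login attempts can be paired with detection on the Tomcat admin panel the worm targets. The following is an added example, not code from Intezer or from the article: it flags source addresses that collect repeated 401 responses on the Tomcat manager paths within a short window. It assumes Tomcat's "common" access log pattern; the threshold, the window and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ADMIN_PREFIXES = ("/manager/", "/host-manager/")  # Tomcat admin web apps


def find_guessing_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: time of first alert} for sources that reach `threshold`
    401 responses on the admin panel within `window`. Bad lines are skipped."""
    recent = defaultdict(deque)  # ip -> timestamps of 401s still inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "401":
            continue
        if not m["path"].startswith(ADMIN_PREFIXES):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = ts
    return alerts


def _line(ip, ts, path, status):
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} 2473'


# Constructed sample: one fast guesser, one slow client, one admin typo.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"30/Dec/2020:10:15:{s:02d}", "/manager/html", 401)
     for s in range(0, 12, 2)]
    + [_line("192.0.2.9", f"30/Dec/2020:10:{m:02d}:00", "/manager/html", 401)
       for m in range(20, 30, 2)]
    + [_line("198.51.100.20", "30/Dec/2020:10:16:01", "/manager/html", 401),
       _line("198.51.100.20", "30/Dec/2020:10:16:09", "/manager/html", 200)]
)

if __name__ == "__main__":
    for ip, when in find_guessing_sources(SAMPLE_LOG).items():
        print(f"possible password guessing from {ip}, threshold reached at {when}")
```

The slow client in the sample stays under the threshold because its failures are two minutes apart, so a per-window counter like this should be combined with account lockout rather than relied on alone.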