[SingCERT] Alert on Digital Currency Mining Malware

Published on Monday, 08 January 2018 21:24

Background

SingCERT has observed an increase in cases where attackers use malware to remotely harness the computing power of compromised systems to mine digital currency. The mining can slow down the affected systems or damage their hardware. Attackers exploit vulnerable systems, and brute-force Content Management Systems (CMS) protected by weak passwords, to hijack personal computers, Android devices and servers for digital currency mining.

Affected Systems

Systems that are known to be targeted include:

  • Android OS
  • Apache Struts 2 (CVE-2017-5638)
    • 2.3.x before 2.3.32
    • 2.5.x before 2.5.10.1
  • DotNetNuke (DNN) Content Management System (CVE-2017-9822)
    • Before 9.1.1
  • WebLogic Server (WLS) (CVE-2017-10271)
    • 10.3.6.0.0
    • 12.1.3.0.0
    • 12.2.1.1.0
    • 12.2.1.2.0
  • WordPress

Tell-tale Signs

Signs that your systems are being used to mine for digital currency:

  • Sluggish performance
  • Sudden spike in the Central Processing Unit (CPU) usage
  • Service disruption
  • Physical damage to devices
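The CPU-usage sign above is the one an administrator can check for systematically. The following is an added example, not part of the SingCERT advisory: it scans a process snapshot in the column layout of `ps -eo pid,user,pcpu,etimes,args --no-headers` (Linux procps) and flags processes that either carry a Stratum mining-pool URL or miner-style switches on their command line, or have been running at high CPU for long enough that a short legitimate burst (a compile, a backup) is ruled out. The sample snapshot, the 80% CPU threshold, the ten-minute minimum run time and the indicator strings are constructed assumptions for the example, not values from the advisory.

```python
"""Flag processes that look like unauthorised cryptocurrency miners.

Added example, not part of the SingCERT advisory. Input is the output of
`ps -eo pid,user,pcpu,etimes,args --no-headers` (Linux procps). The sample
snapshot, thresholds and indicator strings below are assumptions.
"""
import re
import subprocess
from dataclasses import dataclass

CPU_THRESHOLD = 80.0        # percent of one core (assumed threshold)
MIN_RUNTIME_SECONDS = 600   # ignore short bursts such as a compile or backup (assumed)
# "stratum+tcp://" / "stratum+ssl://" is the URL scheme of the Stratum protocol pool miners use.
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
# Command-line switches commonly seen on pool mining software (assumed indicators).
MINER_FLAGS = ("--donate-level", "--coin", "--algo", "-o stratum", "--rig-id")


@dataclass
class Finding:
    pid: int
    user: str
    cpu: float
    runtime: int
    command: str
    reasons: tuple


def parse_ps_line(line):
    """Split one `ps -eo pid,user,pcpu,etimes,args` line into its fields.

    The args column may itself contain spaces, so split at most four times.
    Returns None for lines that do not have all five columns.
    """
    parts = line.split(None, 4)
    if len(parts) < 5:
        return None
    pid, user, cpu, etimes, args = parts
    return int(pid), user, float(cpu), int(etimes), args


def assess(line):
    """Return a Finding for a suspicious process line, or None."""
    parsed = parse_ps_line(line)
    if parsed is None:
        return None
    pid, user, cpu, runtime, command = parsed
    reasons = []
    if STRATUM_RE.search(command):
        reasons.append("stratum pool URL in command line")
    if any(flag in command for flag in MINER_FLAGS):
        reasons.append("miner-style command-line switch")
    # High CPU alone is only suspicious when sustained; a 45-second compile is not.
    if cpu >= CPU_THRESHOLD and runtime >= MIN_RUNTIME_SECONDS:
        reasons.append(f"sustained CPU {cpu:.0f}% for {runtime}s")
    if not reasons:
        return None
    return Finding(pid, user, cpu, runtime, command, tuple(reasons))


def scan(snapshot):
    """Assess every line of a ps snapshot and return the findings in order."""
    return [f for f in (assess(line) for line in snapshot.splitlines()) if f]


def live_snapshot():
    """Capture the current process table in the expected column layout (Linux procps)."""
    return subprocess.run(
        ["ps", "-eo", "pid,user,pcpu,etimes,args", "--no-headers"],
        capture_output=True, text=True, check=True,
    ).stdout


# Constructed sample snapshot: two miners, one benign daemon, one benign
# long-running database process and one legitimate short high-CPU burst.
SAMPLE_SNAPSHOT = """\
  812 root       0.3  86400 /usr/sbin/sshd -D
 1044 www-data  95.2  73212 /tmp/.cache/updater -o stratum+tcp://pool.example.invalid:3333 -u wallet
 2390 postgres  12.0  86399 postgres: checkpointer
 3117 tomcat    98.7   5400 /var/tmp/java -B --donate-level=1 --algo=cryptonight
 4501 alice     99.0     45 gcc -O2 -c big_module.c
"""

if __name__ == "__main__":
    for finding in scan(live_snapshot()):
        print(f"PID {finding.pid} ({finding.user}): {'; '.join(finding.reasons)}")
        print(f"    {finding.command}")
```

Run against the constructed snapshot, `scan(SAMPLE_SNAPSHOT)` reports PIDs 1044 and 3117 and leaves the compiler (high CPU, 45 seconds old) and the database alone. The run-time condition is what keeps the CPU heuristic usable on busy servers; the command-line indicators catch miners that throttle themselves below the CPU threshold to stay hidden.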

Recommendations

Individuals
  • Install anti-virus software and scan your device regularly
  • Do not click on suspicious links, web pages or advertisements
  • Do not download or install apps from non-official app stores
  • Uninstall apps from untrusted sources
  • Run a full anti-virus scan if you suspect that your device has been infected

System administrators / website owners
  • Change all default passwords to reduce possibility of unauthorised access
  • Choose a password of at least 8 characters that mixes upper- and lower-case letters, numbers and symbols
  • Update affected systems to the latest version and apply the vendor patches for the vulnerabilities listed above

References

https://www.wordfence.com/blog/2017/12/aggressive-brute-force-wordpress-attack/

https://www.bleepingcomputer.com/news/security/massive-brute-force-attack-infects-wordpress-sites-with-monero-miners/

https://www.kaspersky.com/blog/loapi-trojan/20510/

https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/