Malware author earned $63,000 mining Monero on hacked IIS servers

A malware author has earned about $63,000 in five months by hacking IIS 6.0 servers and using them to mine Monero.

Researchers at ESET recently uncovered the campaign. They say the attacker uses CVE-2017-7269, a vulnerability in IIS 6.0, to take control of the servers and install a Monero miner.

CVE-2017-7269 is a buffer overflow in the WebDAV service of IIS 6.0 (in the ScStoragePathFromUrl function, triggered by an oversized If: header in a PROPFIND request). It was disclosed at the end of March by two Chinese researchers and was still a zero-day at the time.

The two researchers also published proof-of-concept exploit code on GitHub (https://github.com/edwardz246003/IIS_exploit) so that system administrators could check whether they were running an unpatched IIS 6.0.

The malware author does very little

ESET says the malware operator uses this PoC exploit code together with a scanning tool to find vulnerable IIS 6.0 servers, then runs the exploit against them to download the Monero miner.
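The scan-then-exploit flow described above, as an added example that is not part of the article or of ESET's research: a small Python script that does two offline checks a defender would want. `is_exposed` fingerprints a captured OPTIONS response for the vulnerable configuration (an IIS 6.0 banner with WebDAV advertised), and `find_exploit_attempts` scans raw captured requests for the exploit's distinguishing shape, a PROPFIND request carrying an oversized If: header, which is how the public PoC triggers the overflow in ScStoragePathFromUrl. All sample responses and requests are constructed, and the 256-byte If: header threshold is an assumption.

```python
# Added example: offline checks for CVE-2017-7269 exposure and exploit
# attempts. Not the article's or ESET's code; sample messages are constructed.

# Assumption: a legitimate WebDAV If: header carries a few resource URLs and
# lock tokens and stays well under this length; the public PoC sends an
# <http://...> resource of several hundred bytes in this header.
IF_HEADER_THRESHOLD = 256


def parse_http_message(raw):
    """Split a raw HTTP request or response into its start line and a dict
    of headers keyed by lowercase name. Any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_exposed(options_response):
    """True when the OPTIONS response shows the vulnerable configuration:
    an IIS 6.0 Server banner and WebDAV enabled (a DAV: header, or PROPFIND
    listed in Allow:)."""
    _, h = parse_http_message(options_response)
    server = h.get("server", "")
    methods = {m.strip().upper() for m in h.get("allow", "").split(",")}
    webdav = "dav" in h or "PROPFIND" in methods
    return "Microsoft-IIS/6.0" in server and webdav


def find_exploit_attempts(raw_requests, threshold=IF_HEADER_THRESHOLD):
    """Return one finding per PROPFIND request whose If: header exceeds the
    threshold. Other methods and short If: headers are ignored."""
    findings = []
    for raw in raw_requests:
        start, h = parse_http_message(raw)
        method = start.split(" ", 1)[0].upper()
        if method != "PROPFIND":
            continue
        if_header = h.get("if", "")
        if len(if_header) > threshold:
            findings.append({
                "request_line": start,
                "if_length": len(if_header),
                "if_prefix": if_header[:40],  # enough to see the <http://...> resource
            })
    return findings


# Constructed sample messages (not real captures).
IIS6_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "DAV: 1, 2\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n\r\n"
)
IIS75_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)
BENIGN_PROPFIND = (
    "PROPFIND /docs/ HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Depth: 1\r\n"
    "If: <http://intranet.example/docs/> (<opaquelocktoken:a1b2c3>)\r\n"
    "Content-Length: 0\r\n\r\n"
)
EXPLOIT_PROPFIND = (
    "PROPFIND / HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "If: <http://localhost/" + "a" * 600 + ">\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_REQUESTS = [
    BENIGN_PROPFIND,
    "GET / HTTP/1.1\r\nHost: victim.example\r\n\r\n",
    EXPLOIT_PROPFIND,
]

if __name__ == "__main__":
    print("IIS 6.0 host exposed:", is_exposed(IIS6_OPTIONS_RESPONSE))
    print("IIS 7.5 host exposed:", is_exposed(IIS75_OPTIONS_RESPONSE))
    for finding in find_exploit_attempts(SAMPLE_REQUESTS):
        print("suspicious PROPFIND:", finding)
```

To use it on real data, feed it an OPTIONS response and raw requests from a proxy, IDS or packet capture: IIS's own W3C logs do not record the If: header, so this detection needs a network-level source. A host that `is_exposed` flags should be checked for the KB3197835 update before anything else.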

Picture 1: More and more malware mines cryptocurrency on victims' machines.

Although it sounds impressive, ESET says this malware author did very little. The changes to the exploit code are minimal, and the Monero miner is just a repackaged build of the open-source project xmrig, version 0.8.2 (released on May 26, 2017).

'We do not know which scanning software the attackers used to find vulnerable machines, but there is a lot of sample code and exploit software available, so we think they did not have to do much,' said Michal Poslušný, a researcher at ESET.

The xmrig release and the attacker's modified build of it are dated only a day apart, so the modification was probably neither time-consuming nor complicated. Still, the attacker made a lot of money.

Cryptocurrency-mining malware is on the rise

ESET says the attackers have been scanning for IIS 6.0 servers since the end of May and, after several interruptions, are still active.

'Cryptocurrency-mining malware is not new, but it is skyrocketing because of many factors,' Poslušný said. Two of ESET's competitors have seen the same thing. In the past two weeks, Kaspersky reported that more than 1.65 million computers were infected with cryptocurrency-mining malware in the first eight months of the year, and IBM reported an increase in cryptocurrency-mining malware on enterprise networks. In-browser mining is also spreading.

A patch is available

Windows Server users still running IIS 6.0 should apply the patch Microsoft released in June (https://blogs.windows.com/windowsexperience/2017/06/13/microsoft-releases-additional-updates-protect-potential-nation-state-activity/ and https://blogs.technet.microsoft.com/msrc/2017/06/13/june-2017-security-update-release/). Microsoft released it even though Windows XP and Windows Server 2003 reached end of life years ago.

The IIS 6.0 vulnerability exploited here, CVE-2017-7269, is the one targeted by EXPLODINGCAN, the NSA exploit leaked by the Shadow Brokers in April. Microsoft fixed it in update KB3197835.

Sysadmins who cannot apply the Microsoft patch can look for a third-party patch from another security vendor, for example https://pages.ensilo.com/download-the-patch-for-esteemaudit-exploit (note that this URL refers to the ESTEEMAUDIT exploit, so verify that any third-party patch you apply actually covers CVE-2017-7269).
