
Hackers Spread Monero Mining Malware Through Open FTP Servers

Posted: September 11, 2016

As the average personal computer is no longer powerful enough to mine most cryptocurrencies profitably, cyber criminals have found another way to obtain the resources: steal them from other people's machines. ''Mining'' is the process of devoting spare computing power to solving the mathematical problems needed to validate transactions on a cryptocurrency network.

Monero, a newer cryptocurrency that is still relatively easy to mine on ordinary hardware, has caught the attention of hackers, who have developed malware that pools the CPU and GPU resources of many infected machines to mine digital coins for them. One recently detected threat is Mal/Miner-C. It infects Windows computers, hijacks their CPUs and GPUs, and credits the mined coins to wallets controlled by the malware's operators.

Research shows that Mal/Miner-C has some worm-like behaviour: it uses an interesting technique to spread and recruit new nodes for the mining computations, and it also tries to copy itself into open FTP folders so that it gets executed on other machines. All known versions of the malware are built with NSIS (the Nullsoft Scriptable Install System), and the installer downloads the latest version of its script from a number of known Russian hosts.

Researchers have also identified the mining pools to which infected machines contribute, and estimate that ''moneropool.com'' is the primary pool profiting from this threat. Calculations based on the statistics published on the pool's website suggest that around half of the pool's total hash rate comes from machines infected with Mal/Miner-C, and that the whole network of infected machines has enough combined power to generate Monero worth around 428 EUR per day.

PC security researchers have also found that Mal/Miner-C has no mechanism for infecting a machine automatically: a victim has to download and run the malicious program for the infection to take place. Besides compromised websites, the crooks recently found another way to distribute the malware: open FTP servers. A report from September reveals that Seagate NAS devices ship with a critical default configuration that makes them an easy target. The devices offer a number of private accounts with different levels of access, but by default the Seagate network-attached storage system also has a public folder for sharing data, and that folder cannot be deleted or deactivated. As soon as the administrator enables remote access on the device, the public folder becomes reachable from the Internet, and attackers can abuse the insecurely configured FTP directories for their own gain.

Vulnerable FTP servers are easy for hackers to find; they log in with default or weak credentials, or with an anonymous account, and once they have access they copy the malicious program into every writable directory. Over 1.7 million Mal/Miner-C detections were recorded in just six months, yet the number of unique IP addresses behind them was only around 3,100. The discrepancy has a simple explanation: each infected FTP server hosts a copy of the malware in every available folder, so a single server accounts for many detections.

The Seagate NAS exposure came to light when researchers scanned the Internet for public FTP servers that accept anonymous logins and grant them write access to the available directories. Of the 7,263 servers found, 5,136 carried the Mal/Miner-C infection, and most of the infected servers were Seagate Central NAS devices. Another interesting fact is that two files, ''info.zip'' and ''Photo.scr'', were present on every contaminated server. ''Photo.scr'' is the malware's executable: the .scr (screen saver) extension is a Windows executable format, and the file is disguised with a folder icon so that a user browsing the share opens it thinking it is a directory. Turning off remote access on the Seagate NAS prevents the infection, although it also significantly limits the device's functionality.
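The two checks described above, anonymous write access and the presence of the dropped files, are straightforward to automate against your own FTP servers and NAS boxes. The script below is an added example written for this article; it is not Sophos's scanning tooling or anything from Seagate. It logs in anonymously, walks the directory tree, records every directory where an empty probe file (the name ''.miner-c-write-probe'' is an assumption) can be uploaded and deleted again, and flags any ''Photo.scr'' or ''info.zip'' it finds. Run it only against hosts you are authorised to test, since the write check does upload a file.

```python
"""Audit an FTP server for the exposure Mal/Miner-C abuses.

Added example, not the researchers' own tooling. Three checks from the
article: anonymous login, anonymous write access, and the two dropped files.
"""
import ftplib
import io
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Files reported on every infected server (matched case-insensitively).
IOC_FILES = {"photo.scr", "info.zip"}
# Hypothetical name for the empty probe used to test write access.
PROBE_NAME = ".miner-c-write-probe"
MAX_DEPTH = 3  # how deep to walk the directory tree


@dataclass
class FtpAudit:
    host: str
    anonymous_login: bool = False
    writable_dirs: List[str] = field(default_factory=list)
    ioc_hits: List[Tuple[str, str]] = field(default_factory=list)
    error: Optional[str] = None

    @property
    def verdict(self) -> str:
        """INFECTED if dropper files are present, EXPOSED if anonymous
        users can write, otherwise OK (or unreachable, see .error)."""
        if self.ioc_hits:
            return "INFECTED"
        if self.anonymous_login and self.writable_dirs:
            return "EXPOSED"
        return "OK"


def find_iocs(directory: str, names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (directory, entry) pairs whose basename is a known drop name."""
    return [(directory, n) for n in names
            if n.rsplit("/", 1)[-1].lower() in IOC_FILES]


def is_writable(ftp: ftplib.FTP) -> bool:
    """STOR an empty probe in the current directory, then DELETE it."""
    try:
        ftp.storbinary("STOR " + PROBE_NAME, io.BytesIO(b""))
    except ftplib.all_errors:
        return False
    try:
        ftp.delete(PROBE_NAME)
    except ftplib.all_errors:
        pass  # upload worked but delete did not; probe left behind
    return True


def walk(ftp: ftplib.FTP, path: str, depth: int, audit: FtpAudit) -> None:
    """Depth-first walk recording IoC hits and writable directories."""
    try:
        ftp.cwd(path)
        names = ftp.nlst()
    except ftplib.all_errors:
        return
    audit.ioc_hits.extend(find_iocs(path, names))
    if is_writable(ftp):
        audit.writable_dirs.append(path)
    if depth >= MAX_DEPTH:
        return
    for name in names:
        base = name.rsplit("/", 1)[-1]
        if base in (".", ".."):
            continue
        child = path.rstrip("/") + "/" + base
        try:
            ftp.cwd(child)  # succeeds only for directories
        except ftplib.all_errors:
            continue
        walk(ftp, child, depth + 1, audit)
        ftp.cwd(path)


def audit_ftp(host: str, port: int = 21, timeout: float = 10.0) -> FtpAudit:
    """Connect, try an anonymous login, then walk the tree from '/'."""
    audit = FtpAudit(host)
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()  # ftplib's default credentials are anonymous
        audit.anonymous_login = True
        walk(ftp, "/", 0, audit)
    except ftplib.all_errors as exc:  # includes OSError and EOFError
        audit.error = str(exc)
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()
    return audit


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:
        a = audit_ftp(h)
        print(h, a.verdict, a.writable_dirs, a.ioc_hits, a.error or "")
```

A server that reports EXPOSED is exactly the kind of host the crooks were looking for, even if it has not been infected yet; on a Seagate Central the fix is to disable remote access or, if that is not acceptable, to put the device behind a VPN rather than exposing the FTP service directly.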
