
PsMiner

Posted: April 12, 2019

PsMiner is a worm that uses XMRig, a Monero crypto-miner, to generate cryptocurrency after compromising vulnerable servers. It spreads by exploiting software vulnerabilities and by brute-forcing weakly secured logins. Network administrators can protect themselves by updating their software, using strong passwords, and keeping anti-malware tools available for removing PsMiner and XMRig after an attack.

Worms with a Permit for a Little Mining

While threats like the SpeakUp Backdoor Trojan, CookieMiner, and the notably older RubyMiner are suitable demonstrations of XMRig's potential for automated mining, more threat actors are eagerly deploying this tool in campaigns of their own. PsMiner is one of the most effective of these miner-dropping Trojans in terms of its self-propagation strategy, but it lags in profits. Its low earnings may be due to a conservative configuration intended to keep its activity less noticeable than usual, although malware researchers will need more time to confirm this estimate.

While many of the threats that use XMRig for its mining potential are file-locker Trojans, PsMiner is different: it's a self-reproducing worm. It scans either for software vulnerabilities (such as the notorious Windows EternalBlue) that allow its automatic installation or for logins that it can brute-force, a technique that 'guesses' the correct name and password by running through a series of possible combinations. It targets servers running software including ElasticSearch, SqlServer, Hadoop, Redis, Weblogic, ThinkPHP, and Spring.
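Brute-forcing leaves a trail of failed logons, so a defender's first check on a Windows server is whether any single source is hammering the logon path. The script below is an added example written for this article, not code from the original page or from any PsMiner analysis; it assumes the server records failed logons as Windows Security event 4625 (true for Windows and SQL Server Windows authentication; ElasticSearch, Redis and the other listed services keep their own application logs, which would need a separate parser). The one-hour window and the threshold of 20 failures per source are assumptions to tune for the environment.

```powershell
# Added example: summarise failed logons (Security event 4625) per source address.
# Run in an elevated session; reading the Security log needs administrator rights.
$window    = (Get-Date).AddHours(-1)   # assumption: look back one hour
$threshold = 20                         # assumption: 20+ failures from one source is worth a look

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $window } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            Source  = $data['IpAddress']       # '-' for local or non-network logons
            Account = $data['TargetUserName']
        }
    } |
    Group-Object Source |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } },
                  Count,
                  @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } }
```

A long list of distinct account names from one source is the signature of a dictionary run against usernames as well as passwords; a single account with many failures points at password guessing against a known login. Either way the source address is a candidate for blocking at the firewall, and the targeted accounts should have their passwords rotated.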

PsMiner, which is modular, could be extended to other attacks but currently limits itself to dropping XMRig, the well-known and much-abused Monero-mining program. During installation, PsMiner disguises its activity as Windows updates, complete with scheduled tasks that re-launch it every ten minutes if it stops for any reason. Malware experts find no significant symptoms and only limited indicators of compromise (IOCs) with PsMiner that would signal to server administrators that this threatening activity is occurring.
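The ten-minute re-launch task is one of the few footholds the article describes, and a scheduled task that repeats that often while running something other than a signed Microsoft binary stands out on a normal server. The script below is an added example, not code from the original article or from any PsMiner sample; it assumes Windows Server 2012 or later (for the ScheduledTasks module) and treats the ten-minute interval from the article as the cut-off, which is an assumption to adjust.

```powershell
# Added example: list scheduled tasks that repeat every N minutes or faster and
# show who signed the executable each task launches. Run in an elevated session.
$maxMinutes = 10   # assumption: the article's ten-minute re-launch interval

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($trigger in $task.Triggers) {
        # Repetition.Interval is an ISO 8601 duration such as "PT10M"; empty when the trigger does not repeat.
        $interval = $trigger.Repetition.Interval
        if (-not $interval) { continue }
        $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
        if ($span.TotalMinutes -gt $maxMinutes) { continue }

        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }
            $path   = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            $signer = 'path not resolved'        # bare names like "cmd" land here and stay flagged for review
            if (Test-Path -LiteralPath $path) {
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "signature $($sig.Status)" }
            }
            [PSCustomObject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Interval  = $interval
                Execute   = $exe
                Arguments = $action.Arguments
                Signer    = $signer
            }
        }
    }
} | Where-Object { $_.Signer -notlike '*Microsoft*' } | Format-Table -AutoSize
```

Genuine Windows Update tasks live under \Microsoft\Windows\ and launch signed Microsoft binaries, so they drop out of the filtered output; anything left is either an administrator's own job or something to investigate. A task whose Execute is a script host or a shell with the real payload hidden in Arguments is the case to read most carefully, which is why Arguments is included in the output.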

Canceling an Open-Source Mining Attack

XMRig's code is available for any threat actor to modify and misuse, and PsMiner includes module support that can broaden its features arbitrarily, meaning that PsMiner's campaign could launch attacks beyond the ones malware researchers have confirmed. Even when it uses no more than its Monero-mining features, however, PsMiner can still cause performance problems and possible hardware damage, besides compromising passwords that could be of future use to its threat actors. Traditional security standards are excellent defensive options against PsMiner attacks, and include:

  • Using stronger, unique passwords with mixed numbers and letters and varying casing will keep brute-force attacks from succeeding.
  • Updating software, particularly the server utilities listed above, will remove all but 'zero-day' vulnerabilities, which account for only a tiny minority of exploited attacks for most threats.

Server admins can also scan their systems regularly with appropriate anti-malware tools, which should detect the addition of either of the noted threats and remove PsMiner and XMRig once identified. No significant anti-scanning or anti-detection features appear in PsMiner's payload or delivery mechanisms.

PsMiner attacks the weakest and most vulnerable of target servers and currently reaps less than a single Monero coin for its trouble. If administrators stay alert to potential intrusions and follow security protocols, its profits should remain on the low end.
