Home Malware Programs Potentially Unwanted Programs (PUPs) RubyMiner

RubyMiner

Posted: January 17, 2018

RubyMiner is a Trojan that exploits the infected PC's resources for creating cryptocurrency for a remote attacker's wallet. Although it has no interface for the user, RubyMiner may be detectable by some of its minor symptoms, such as causing instability and bad performance in other programs. Users should have their anti-malware products eliminating RubyMiner and double-check their server software for any appropriate security updates that could prevent further attacks.

A Real Gem of a Mining Trojan

Half a year ago, malware analysts took notice of Trojan campaigns exploiting the XMRig application for making money out of its cryptocurrency 'mining' feature set. The latest iteration of this Black Hat business model, observable in the RubyMiner campaign, is attacking an enormous range of Web servers with little to no discrimination, except for searching for the presence of long-outdated vulnerabilities. RubyMiner also boasts from some extra changes to its XMRig component that differentiates it from the old versions of that program meaningfully.

RubyMiner's threat actors are using a breadth of attack scope to compensate for lack of subtlety, and use a handful of vulnerabilities dating back as long ago as 2012 to infect random Web servers around the world. A Unix-based scheduling application 'drops' the main payload: a version of XMRig that has had its five percent 'donation' to the author removed, which allows all of the Monero-based profits to go to the cybercrooks. Like any 'good' cryptocurrency-mining Trojan, RubyMiner has no victim-facing UI, and malware experts warn that any victims shouldn't assume that an infection is detectable by any visual symptoms.

Another aspect of RubyMiner that highlights its relative uniqueness is how it implements its scheduled tasks. Instead of running the mining routine on an hourly basis, RubyMiner re-downloads the compromised 'robots.txt' configuration file every time. While this downloading feature leaves a larger footprint for revealing the infection, it also lets the threat actors modify RubyMiner's behavior on the fly, including the possibility of implementing a 'turn off' or kill switch function.

Polishing Off a Gem-Inset Server Pandemic

RubyMiner's authors are running a server-based campaign that uses the ordinary 'robots.txt' component, a configuration file for searching Web robots, for accomplishing harmful feats it's not intended to do. Because all of the vulnerabilities of use in this campaign are outdated significantly, malware experts recommend updating all Web server software to eliminate the infection vectors that RubyMiner is abusing. At this time, roughly thirty percent of all Web servers around the world are targets of attempted, if not always successful, RubyMiner infections.

Because RubyMiner disguises its components as being part of the server's internal ecosystem, users may want to monitor their robots.txt file and related configuration storage containers for any unwarranted tampering. Cryptocurrency miners like RubyMiner, if left alone, may cause performance issues, or permanent hardware damage, to any individual, infected PC. However, standard anti-malware programs should experience no problems with deleting the RubyMiner's components, similarly to any other, non-server-based Trojan.

Although there's profit to find in a highly-precise and sophisticated Trojan attack, not every cybercrook operates with that degree of caution. When the threat actors are deploying Trojans like RubyMiner in the fashion of a blunderbuss or canon, subtlety is overrated.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to RubyMiner may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to RubyMiner may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria .

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Related Posts