MassMiner Cryptocurrency Worm

MassMiner cryptocurrency mining worm that targets vulnerable web servers. It was first observed in late 2017 and is more sophisticated than most cryptomining malware, combining a number of exploits to compromise a target device.

Threat ID:: CC-2350
Category:: Worm
Threat Severity:: Medium
Threat Vector:: Exploit
Published:: 9 May 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Threat details

Previously infected devices are used to deliver MassMiner. A fork of the MassScan IP scanner is used to scan a list of private and public IP ranges and identify vulnerable web servers.Once a suitable device has been detected, MassMiner will attempt to gain access; either through a brute-force attack or by exploiting three vulnerabilities depending on the type of server.

Once installed, MassMiner will perform a number of tasks to disable security services and ensure persistence before initiating communications with its command and control server. It will then initiate a Monero module and begin mining tokens. Some versions of MassMiner will also install the Gh0st backdoor.

For further information:

CVE-2017-0143 - SMB Vulnerability
CVE-2017-5638 - Apaches Struts Vulnerability
CVE-2017-10271 - Oracle WebLogic Vulnerability

Remediation advice

To prevent and detect an infection, ensure that:

Remediation steps

Type	Step
	A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place and password reuse is discouraged. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place and password reuse is discouraged.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

CVE Vulnerabilities

Status

CVE-2017-0143

Status

CVE-2017-5638

Status

CVE-2017-10271

Last edited: 17 February 2020 12:47 pm