Cryptocurrency miners have begun using two older and already patched vulnerabilities to compromise servers to mine the Monero digital currency.

Trend Micro researcher Hubert Lin reported a significant increase in the use of Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) starting in December. So far it’s estimated the malicious actor behind the attacks has netted about $12,000 or 30XMR.

“We believe that this is the work of a single threat actor, as the sites all point to a single malicious domain to download Monero miners, which also all point to a single Monero address,” Lin wrote.


Did you like what you read? Don’t miss any more posts by subscribing our newsletter now!


How does it work?

Initially, the process begins with a malicious HTTP request that is received in the server. If it is vulnerable to Apache Struts and DotNetNuke flaws, the malicious code injected by the request eventually leads to the downloading of a Monero miner. This attack hit rather Windows and Linux systems, but the injected request depends on target OS. Nonetheless, the same URL is shared between Apache Struts and Dotnetnuke:

Windows – hxxp://eeme7j[.]win/scv[.]ps1 leading to the download of a miner from hxxp://eeme7j[.]win/mule[.]exe (detected as TROJ_BITMIN.JU)

Linux – hxxp://eeme7j[.]win/larva[.]sh leading to the download of a miner from hxxp://eeme7j[.]win/mule (detected as ELF_BITMIN.AK)


Both systems have available patches since March and August 2017.




One Reply to “Monero crypto miner leveraging Apache Struts vulnerability”

Deixe um comentário

O seu endereço de email não será publicado. Campos obrigatórios marcados com *