New self-replicating malware is forcing both Windows and Linux servers to mine the cryptocurrency Monero

New malware has been at work on both Linux and Windows servers since the beginning of December, and so far it has gone undetected.

This malware, a worm written in Go and spread using a Bash script and a PowerShell script (ld.ps1), is designed to replicate itself and infect servers with copies of XMRig, a mining program for the Monero cryptocurrency.

Monero is a cryptocurrency that, due to its privacy characteristics (which make it difficult to track its movements), has become the preferred choice of cybercriminals.

Technically, XMRig is not malware: it is simply an open-source tool that makes it easy to mine this currency.

But while it is often used for legitimate purposes, this software has quickly been adopted by cybercriminals as a way to force other people's machines to "mine" for their benefit.

How it infects and how to avoid it

Avigayil Mechtinger, a security researcher at the company Intezer, raised the alarm after analysing how the malware operates.

The malware gains access to servers through brute-force attacks against publicly exposed services such as MySQL, Tomcat, Jenkins and WebLogic.
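Because the entry vector is password guessing against exposed services, the login-failure logs of those services are where defenders can spot it early. The following Python script is an added example, not code from the article or from Intezer: it flags source addresses that produce repeated MySQL "Access denied" errors within a short window; the line format follows MySQL's error log (failed logins are written there at Note level, so `log_error_verbosity` must permit notes), and the threshold, window and sample log lines are assumptions constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-login line as written to the MySQL error log (format assumed from
# MySQL 5.7/8.0; optional bracketed tags such as [MY-010926] [Server] are tolerated).
LINE_RE = re.compile(
    r"^(?P<ts>\S+Z) \d+ \[Note\] (?:\[[^\]]+\] )*"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']+)'"
)

# Constructed sample: one host hammering several accounts, one host with
# two spaced-out failures, and one unrelated line.
SAMPLE_LOG = """\
2020-12-01T10:00:00.000001Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-01T10:00:01.000001Z 13 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-01T10:00:02.000001Z 14 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-01T10:00:03.000001Z 15 [Note] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)
2020-12-01T10:00:04.000001Z 16 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-01T10:00:05.000001Z 17 [Note] Access denied for user 'test'@'203.0.113.5' (using password: YES)
2020-12-01T10:03:00.000001Z 18 [Note] Access denied for user 'app'@'198.51.100.7' (using password: YES)
2020-12-01T10:05:00.000001Z 19 [Note] Access denied for user 'app'@'198.51.100.7' (using password: YES)
2020-12-01T10:05:01.000001Z 20 [Note] Got an error reading communication packets
"""

def parse_line(line):
    """Return (timestamp, user, source) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, m.group("user"), m.group("src")

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each source that reaches `threshold` failures inside a sliding
    `window` to the ISO timestamp of the failure that crossed the line."""
    attempts = defaultdict(deque)   # source -> recent failure timestamps
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _user, src = parsed
        recent = attempts[src]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop failures older than the window
            recent.popleft()
        if len(recent) >= threshold and src not in flagged:
            flagged[src] = ts.isoformat()
    return flagged

def scan_sample():
    return detect_bruteforce(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for src, when in scan_sample().items():
        print(f"brute-force suspected from {src} at {when}")
```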

The malware is known to be actively maintained, since updates pushed remotely through its command-and-control system have been observed.

According to Mechtinger, the antivirus engines on VirusTotal are, for now, unable to detect this threat:

"The fact that the worm code is almost identical for the PE (Windows) and ELF (Linux) binaries, and that despite this the latter [and its corresponding Bash script] has not yet been detected on VirusTotal, shows that threats to Linux are still underestimated on most security and detection platforms."

Experts recommend avoiding this new malware by combining three measures:

  • Keep antivirus systems constantly updated.

  • Use strong passwords.

  • Do not unnecessarily expose vulnerable services to the Internet.

Via | BleepingComputer