Light Dark
October 2, 2017 By Larry Loeb 2 min read

Security firm ESET has sounded the alarm about a malware threat that has been very profitable for threat actors since around May 2017: mining cryptocurrency.

Exploiting Vulnerable Servers

According to We Live Security, a legitimate open source Monero central processing unit (CPU) miner called xmrig was released in May. Threat actors then copied the code and made very few changes to develop the malware. They added some hardcoded command-line arguments representing the attacker’s wallet address as well as the mining pool URL. The fraudsters also shut down any other xmrig that may have been running to eliminate competition for CPU resources.

The threat actors then scanned the web for unpatched servers vulnerable to CVE-2017-7269. This vulnerability enables attackers to cause a buffer overflow in the WebDAV service that is part of Microsoft IIS version 6.0, the web server in Windows Server 2003 R2.

Microsoft ceased supporting ISS in 2015, but an update designed to stop WannaCry outbreaks was made available in June 2017 for older systems. However, it is impossible to ensure that all users will patch the vulnerable servers because the automatic update mechanism may not always work smoothly.

The payload in the malware is an alphanumeric string that simply replaces the one that came with xmrig. This string executes the miner rather than the calculator that is launched in the legitimate version.

Attacks Coming in Waves

As noted by SecurityWeek, attacks on these servers seem to come in waves, possibly indicating that the threat actors are regularly scanning for vulnerable servers. These scans have been linked to two IP addresses located in an Amazon cloud.

At the end of August, the attack was still active, but things slowed down greatly in the beginning of September. No new infections have been observed since the beginning of the month. There is no persistence method in the code and the cryptocurrency miner botnet has been gradually losing worker machines.

Patching the vulnerable servers is the obvious mitigation here, but due to the age of the systems, users may not be able to or know how.

 |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

January 30, 2025

When ransomware kills: Attacks on healthcare facilities

4 min read - As ransomware attacks continue to escalate, their toll is often measured in data loss and financial strain. But what about the loss of human life? Nowhere is the ransomware threat more acute than in the healthcare sector, where patients’ lives are literally on the line.Since 2015, there has been a staggering increase in ransomware attacks on healthcare facilities. And the impacts are severe: Diverted emergency services, delayed critical treatments and even fatalities. Meanwhile, the pledge some ransomware groups made during…

January 29, 2025

AI and cloud vulnerabilities aren’t the only threats facing CISOs today

6 min read - With cloud infrastructure and, more recently, artificial intelligence (AI) systems becoming prime targets for attackers, security leaders are laser-focused on defending these high-profile areas. They’re right to do so, too, as cyber criminals turn to new and emerging technologies to launch and scale ever more sophisticated attacks.However, this heightened attention to emerging threats makes it easy to overlook traditional attack vectors, such as human-driven social engineering and vulnerabilities in physical security.As adversaries exploit an ever-wider range of potential entry points…

January 28, 2025

4 trends in software supply chain security

4 min read - Some of the biggest and most infamous cyberattacks of the past decade were caused by a security breakdown in the software supply chain. SolarWinds was probably the most well-known, but it was not alone. Incidents against companies like Equifax and tools like MOVEit also wreaked havoc for organizations and customers whose sensitive information was compromised.Expect to see more software supply chain attacks moving forward. According to ReversingLabs' The State of Software Supply Chain Security 2024 study, attacks against the software…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature