Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 180: Understanding the Risk of MassMiner Malware
Reference Number ACG-CSB 012220180
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
MassMiner is a new cryptocurrency-mining malware that use worm like capabilities to spread through multiple exploits. First, to find a vulnerable system, MassMiner uses a reconnaissance tool called MassScan which can scan the internet in under six minutes. The malware looks for systems that still contain these three vulnerabilities such as the WebServer Exploit, EternalBlue, and Apache Struts Exploit.
MassMiner malware is described as a worm targeting servers. It is an exceptional malware infection and it is capable of transmitting via multiple distribution channels. At first, the MassMiner worm will attempt to spread over the local network, but will also try to distribute itself across the wider Internet.
Once it has infected a server, the MassMiner will attempt to gain persistence and set up mechanisms to avoid detection. MassMiner will make copies of itself in the startup folder and it will also disable the Windows firewall and search for other vulnerable servers that it can infect with an executable downloaded from a command-and-control server.
After the firewall is turned off, a configuration file is downloaded from the Command & Control (C&C) server that specifies which server to get updates from, the executable to infect other machines with, and the wallet address to send the mined Monero cryptocurrency. The mining process is carried out by the malware utilizing the popular XMRig Monero miner.
Similarly to WannaMine and WannaCry infections, MassMiner also takes advantage of the old EternalBlue vulnerability, found in the Windows SMB service. Just like any other mining-malware, MassMiner worm will also mine crypto-currencies. For this objective, the malware will greedily exploit computer resources. However, MassMiner malware has two goals. The first one is the crypto-mining process, and the second one is the installation of a Gh0st backdoor program.
All PNP personnel as well as the public are advise to follow the tips in order to avoid the risk of MassMiner Malware:
• Regularly update your software and patch vulnerabilities;
• Install add-ons that have been specifically designed to block crypto-miners from entering your device;
• Implement network system monitoring to detect excessive resource utilization.
For additional information, please refer to the following websites:
POINT OF CONTACT