Criminals Hijack Linux Servers Through SambaCry Exploit to Mine Monero

It would appear internet criminals favor mining Monero by distributing malware which exploits operating system vulnerabilities. Similar to the WannaCry ransomware attack, there is now a SambraCry attack. This particular exploit is leveraged against Linux servers, which are then hijacked and begin mining Monero. So far, around $5,400 worth of XMR has been mined already, albeit the official number may be much higher.

Criminals Favor Mining Monero over Bitcoin

If there is one trend among cybercriminals which as become more apparent recently, it is how they tend to mine Monero instead of other cryptocurrencies. This has nothing to do with mining Monero being “easier” compared to other coins, though. Instead, criminals favor the privacy and anonymity aspects Monero provides to them, whereas Bitcoin and others are far too transparent. As a result, it is only normal criminals attempt to mine other cryptocurrencies over time.

The latest malware attack is known as SambaCry, and seemingly only targets Linux servers. That will catch a lot of people by surprise, as Linux has been relatively free of malware and other types of nefarious attacks over the past few years. Then again, there are always certain loopholes one can exploit with relative ease, and Linux is no exception. More specifically, the criminals use an undisclosed exploit found on Linux machines with a Samba installation.

Considering how criminals can exploit this vulnerability through the SMB protocol, it will be quite interesting to see how and when it can be resolved. It is not hard to see the correlation between this particular exploit and the EternalBlue exploit developed by the NSA. However, that exploit only seemed to work against Windows machines. Researchers have dubbed this new vulnerability “EternalRed,” which is quite an interesting decision. It remains unclear if it has ties to EternalBlue, though.

Moreover, it appears the first EternalRed attack took place on May 30th, which means these attacks have been going on for nearly two weeks now. It is certainly possible for anyone leveraging this exploit to take over full control of the Linux server in question. This also means the assailant can install malicious software on said server. For some reason, the current wave of attacks revolves around installing software capable of mining the Monero cryptocurrency.

According to the official report, the assailants earned around $5,400 in Monero from their ventures so far. That number may seem rather small compared to most attacks in recent months, but it is important to remember there is no ransom demand involved. Instead, the criminals simply install the necessary tools on the server and let it generate XMR along the way. This mining process is quite resource-intensive, though, and the average Linux server does not provide enough computing power to make it even remotely profitable. However, given enough time, things may start to change for the better.

What surprised researchers quite a bit if how the attackers hardcoded their XMR wallet address inside the mining software’s source code. This address was not shared with the public at this time, albeit the recent report shows around 98 XMR has been mined successfully. It will be interesting to see how this situation evolves, as criminals are always looking for new ways to create additional revenue streams.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.