PHP Weathermap Vulnerability to Install Cryptocurrency Miner on Linux Servers[gbhackers]
by CIRT Team
An active cryptocurrency mining campaign targeting Linux servers via PHP Weathermap Vulnerability to deploy cryptocurrency mining malware. The campaign uses an outdated security flaw with “Network Weathermap” that allow a remote attacker to inject arbitrary codes in the server.
In the current campaign, cybercriminals deploy the XMRig miner as final payload in the target server. The attack primarily focuses on Japan, Taiwan, China, the U.S., and India.
Security researchers from TrendMicro detected the active campaign cryptocurrency-mining campaign, according to researchers it associates with previous JenkinsMiner malware campaign.
How Cryptocurrency Mining Campaign Infects
With the cryptocurrency mining campaign attackers exploiting the outdated vulnerability CVE-2013-2618 in Cacti’s Network Weathermap plug-in that used by system administrators to visualize the network activity.
The persistent cross-site scripting vulnerability resides with “/plugins/weathermap/configs/conn.php” and attackers uses the vulnerability to execute the scripts remotely and downloads the watchd0g.sh file from attackers server.
The main purpose of watchd0g.sh is to download the final payload dada.x86_64 from the same server where the watchd0g.sh is downloaded. The final payload is the modified XMRig miner.
The configuration file “config.json” that executed along with XMRig contains the algorithm used for mining, maximum CPU usage, mining server, and login credentials of Monero wallets.
Researchers found two unique usernames matching Monero wallets and they said as of March 21, 2018, attackers mined approximately 320 XMR or about $74,677 based on the two wallets.
For more, click here.