Another day, another Monero mining scam: this one, researchers claim, is the biggest and most malicious cryptomining campaign to hit Jenkins CI servers.
Profitable cryptocurrency mining is currently the fad among hackers and cybercriminals. The sad part is that the scam is performed at the expense of innocent users’ computer processors, since the mining campaign requires immense space and hardware resources. Usually we hear about hackers tricking users into entering login credentials in order to compromise a computer and use its processor, or about hackers who choose to hack exchanges to mine cryptocurrencies.
However, Check Point researchers have identified a new, highly malicious campaign that is being referred to as the biggest mining operation to date. In this campaign, hackers target Jenkins CI servers, the popular Java-based open source automation server, to deploy malware. Researchers believe that through this secret mining operation the hackers have managed to mine cryptocurrency worth millions of dollars (approximately $3 million, or £2.34m, worth of Monero).
Dubbed JenkinsMiner, the campaign has the imprint of China all over it. It has been active for the last 18 months and is designed to target different versions of Microsoft Windows. The XMRig miner is installed on Windows-based computers to generate cryptocurrency, and the hackers have now shifted their focus to Jenkins CI servers to make more profit. JenkinsMiner is quite similar to RubyMiner, because both pieces of malware degrade the affected servers, slowing download times and even resulting in a complete denial of service (DoS) if the attack is strong enough.
The campaign involves sending two simultaneous requests to the CLI interface. The crypto miner operator then exploits a vulnerability in Jenkins’ Java deserialization implementation, tracked as CVE-2017-1000353. It is caused by the absence of a comprehensive process for verifying the serialized object, as a result of which just about any serialized object is accepted.
After the first session request is initiated, a second crafted request is sent, matched to the first via the session header. This request contains two key objects: the capability object, which informs the server about the client’s capabilities, and the command object, which contains the Monero miner payload. This is the point at which the injected code enters the Jenkins server. Sending the Start command executes the miner and thus begins the process of cryptocurrency generation.
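The two-request exchange described above leaves a recognisable trace in front-end logs: two POSTs to the Jenkins CLI endpoint that share one session identifier, one for each direction of the channel. The following detection sketch is an added example, not code from the article or from Check Point. It assumes a reverse proxy in front of Jenkins that logs the `Session` and `Side` headers in the format shown (that format is an assumption; the `/cli` path and the `download`/`upload` side values are how the Jenkins CLI-over-HTTP protocol names them), and the log lines it runs over are constructed for the example.

```python
"""Flag paired Jenkins CLI-over-HTTP requests by Session header.

Added detection example (not from the article or Check Point). The proxy log
format below is an assumption; the sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed proxy log format:
#   <ip> [<timestamp>] "<method> <path>" <status> session=<id> side=<value>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) session=(?P<session>\S+) side=(?P<side>\S+)$'
)
TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample log: one benign browser session, one complete CLI
# session pair (download + upload side), and one half-open CLI session.
SAMPLE_LOG = """\
203.0.113.7 [2018-02-14T09:12:01] "GET /login" 200 session=- side=-
198.51.100.23 [2018-02-14T09:12:05] "POST /cli" 200 session=9b1c0c8e-0f8e-4d9f-a1d2-1e4c2f3a5b6c side=download
198.51.100.23 [2018-02-14T09:12:05] "POST /cli" 200 session=9b1c0c8e-0f8e-4d9f-a1d2-1e4c2f3a5b6c side=upload
203.0.113.7 [2018-02-14T09:13:10] "GET /job/build/lastBuild/console" 200 session=- side=-
198.51.100.23 [2018-02-14T10:40:00] "POST /cli" 200 session=4d5e6f70-1111-2222-3333-444455556666 side=download
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_cli_sessions(log_text, window=timedelta(seconds=30)):
    """Group POSTs to /cli by their Session header and rate each session.

    severity "high": both the download and upload side were seen within
                     `window`, i.e. a full duplex CLI channel was set up
                     (the two-request shape the article describes).
    severity "low":  only one side seen, or the two sides are far apart.
    """
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["path"] == "/cli"
                and rec["session"] != "-"):
            by_session[rec["session"]].append(rec)

    alerts = []
    for session, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        sides = {r["side"] for r in recs}
        span = recs[-1]["ts"] - recs[0]["ts"]
        paired = {"download", "upload"} <= sides and span <= window
        alerts.append({
            "session": session,
            "ip": recs[0]["ip"],
            "first_seen": recs[0]["ts"].strftime(TS_FMT),
            "sides": sorted(sides),
            "severity": "high" if paired else "low",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_cli_sessions(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ip']} session={alert['session']} "
              f"sides={alert['sides']} first_seen={alert['first_seen']}")
```

Any hit on `/cli` from an address that is not a known build agent or administrator workstation is worth a look on its own; the "high" rating only singles out sessions where both halves of the channel were completed, which is what a successful deserialization attempt needs.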
In this operation, a combination of the XMRig miner and a RAT (remote access Trojan) is used to target vulnerable computers across the globe. In their blog post, Check Point researchers noted:
“The operation uses a hybridization of a Remote Access Trojan (RAT) and XMRig miner over the past months to target victims around the globe. The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers.”
It is also observed that with each campaign the malware undergoes various updates and the mining pool also gets modified. Though this is a well-operated and organized campaign in which many mining pools are used to generate and collect cryptocurrency, it is evident that the operators use only one wallet to deposit the proceeds.
It must be noted that the RubyMiner malware was also discovered by Check Point’s research team in January. That malware targeted Windows and Linux servers that ran outdated software, installing the XMRig crypto miner and compromising the computers to mine digital currencies.