HackRead
  • January 25th, 2021

Beware; rTorrent Client Exploited to Mine Monero Cryptocurrency

March 2nd, 2018 | Waqas | Security, Malware

rTorrent Client Exploited to Mine Monero Cryptocurrency Thanks to XML-RPC Misconfiguration Vulnerability.

According to F5 Networks Inc.'s threat researchers, cybercriminals have so far made roughly $3,900 from a new malicious cryptomining campaign. The scheme installs Monero-mining software on Unix-like systems by exploiting the popular BitTorrent client rTorrent.

In their investigation, the researchers observed attackers "actively exploiting" the rTorrent application through a previously undisclosed misconfiguration vulnerability. The operation's primary goal is to deploy a Monero (XMR) miner on the compromised hosts.

According to F5's blog post, attackers are relying on the following misconfigurations and properties of the rTorrent client and the campaign:

· XML-RPC communication can be initiated without any authentication

· A sensitive XML-RPC method that executes OS commands directly is exposed

· The vulnerability is actively exploited by scanning the internet for unprotected, exposed rTorrent clients

· Exploited systems are used to mine Monero cryptocurrency

· The malware is hosted on the Tor anonymity network

· A Tor2Web gateway is used to fetch the malware

· Only 3 of 59 mainstream anti-virus engines detect the malware

· The attackers also employ evasion techniques

· There is quite possibly a connection with last year's Zealot Monero mining campaign

rTorrent is exploited through its XML-RPC interface, which accepts method calls encoded as XML over HTTP from remote hosts. The interface performs no authentication of its own, and it exposes methods that run shell commands directly on the operating system hosting rTorrent, so anyone who can reach the listener can run code on the machine.
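
The mechanics above are easy to reason about once you see the messages. The following added example (not code from F5 or the rTorrent project) builds the unauthenticated `system.listMethods` probe a scanner would send, parses the method list an exposed endpoint returns, flags the command-execution methods, and classifies captured XML-RPC request bodies the way a reverse proxy or IDS in front of rTorrent might. It assumes rTorrent's real method names (`system.listMethods`, and the `execute` / `execute.*` family for running OS commands); both embedded XML messages are constructed samples, not captured traffic from the campaign.

```python
"""Triage an rTorrent XML-RPC endpoint and classify captured XML-RPC traffic.

Added example for this article; not code from F5 or the rTorrent project.
Assumes rTorrent's real method names: system.listMethods for enumeration and
the execute / execute.* family for OS command execution.
"""
from __future__ import annotations

import xmlrpc.client

# Constructed sample: the reply an exposed, unauthenticated rTorrent endpoint
# would give to system.listMethods (a small subset of the real method list).
SAMPLE_LIST_METHODS_RESPONSE = b"""<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>system.client_version</string></value>
<value><string>d.multicall2</string></value>
<value><string>execute</string></value>
<value><string>execute.capture</string></value>
<value><string>execute.throw</string></value>
</data></array></value></param></params></methodResponse>
"""

# Constructed sample of an abusive request body of the kind a proxy or IDS in
# front of rTorrent would see: a shell command handed to the execute method.
SAMPLE_CAPTURED_REQUEST = b"""<?xml version="1.0"?>
<methodCall><methodName>execute</methodName><params>
<param><value><string>sh</string></value></param>
<param><value><string>-c</string></value></param>
<param><value><string>uname -a</string></value></param>
</params></methodCall>
"""


def build_probe() -> str:
    """Body of the unauthenticated enumeration call scanners send first."""
    return xmlrpc.client.dumps((), methodname="system.listMethods")


def exposed_methods(response_body: bytes | str) -> list[str]:
    """Return the method names listed in a system.listMethods response."""
    params, _ = xmlrpc.client.loads(response_body)
    return list(params[0])


def dangerous_methods(methods: list[str]) -> list[str]:
    """Methods that run OS commands on the rTorrent host."""
    return sorted(m for m in methods if m == "execute" or m.startswith("execute."))


def classify_request(body: bytes | str) -> str:
    """Label an XML-RPC message for logging or alerting."""
    params, method = xmlrpc.client.loads(body)
    if method is None:
        return "response"          # a methodResponse, not a call
    if method == "execute" or method.startswith("execute."):
        return "command-execution"
    if method.startswith("system."):
        return "enumeration"
    return "other"


def describe_request(body: bytes | str) -> str:
    """One-line summary for an alert, e.g. 'execute sh -c uname -a'."""
    params, method = xmlrpc.client.loads(body)
    return " ".join([method or "<response>", *map(str, params)])


if __name__ == "__main__":
    methods = exposed_methods(SAMPLE_LIST_METHODS_RESPONSE)
    print("exposed:", methods)
    print("command execution available via:", dangerous_methods(methods))
    print(classify_request(SAMPLE_CAPTURED_REQUEST), "->",
          describe_request(SAMPLE_CAPTURED_REQUEST))
```

The probe is harmless and is the right first check against your own hosts: if an endpoint answers `system.listMethods` without credentials and the list contains any `execute*` method, the host is in the exposed state the campaign targets. Any `command-execution` classification on traffic from an address you do not control is an incident, not a false positive.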

Related: Beware; Microsoft Word Maybe Used for Cryptojacking Attacks

rTorrent instances with RPC enabled are now actively sought by attackers, who use them to install Monero mining software. At the moment the attackers are earning nearly $43 per day, with a combined balance of about $3,900 so far, a modest sum compared with previous crypto-mining campaigns.

Mining addresses balance (Image credit: F5)

It is not surprising that a torrent-client misconfiguration is being exploited in the wild: torrent clients have lately become a lucrative gateway for cryptocurrency mining and other scams, and rTorrent is not the only one with a weak RPC interface.

Recently, Tavis Ormandy of Google's Project Zero disclosed multiple vulnerabilities in uTorrent. They stemmed from the way the client's JSON-RPC interface handled calls: when a victim visited an attacker's website, malicious JavaScript used a DNS rebinding attack to retrieve the authentication token from the client's web root folder.

With that token, the attacker can change the torrent client's settings and, through the locally installed client, go on to compromise the entire machine. The flaws identified by the Seattle-based security firm F5 are broadly similar to Ormandy's findings, with the difference that rTorrent's XML-RPC interface requires no token at all.

F5's researchers noted that the rTorrent developer "explicitly recommends" against exposing the RPC functionality on TCP sockets, which indicates that the vulnerable XML-RPC interface is not enabled by default. Moreover, the payload fetched by the exploit does not just run a miner: it also scans the infected machine for competing miners and removes any it finds.

It is currently unclear whether an rTorrent update will be released to address the issue, as the developer has not commented. rTorrent users should therefore inspect their systems for signs of infection, such as unusually high bandwidth and processor consumption.

F5's researchers advise users to make sure the vulnerable RPC interface is disabled until a fix is available. Users of other BitTorrent clients should likewise treat RPC interfaces with suspicion and disable them wherever possible.
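
A quick way to check your own configuration for the weak setting described above, as an added example that is neither F5's advice verbatim nor rTorrent's code. It assumes rTorrent's real configuration directives `network.scgi.open_port` and `network.scgi.open_local` (and their legacy aliases `scgi_port` / `scgi_local`); the severity rating is the editor's own: a TCP bind on a non-loopback address (or on every interface) is critical, a loopback TCP bind is a warning because the developer advises against any TCP RPC socket, and a Unix socket is informational. The two embedded `.rtorrent.rc` fragments are constructed samples showing the weak setting beside a hardened one.

```python
"""Audit an .rtorrent.rc for an exposed SCGI/XML-RPC listener.

Added example for this article, not rTorrent's or F5's code. It assumes the
real rTorrent option names network.scgi.open_port / network.scgi.open_local
and their legacy aliases scgi_port / scgi_local; the severity rating is the
editor's own.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample configs for illustration.
WEAK_RC = """
# Listens for XML-RPC over SCGI on every interface; rTorrent adds no authentication.
network.scgi.open_port = 0.0.0.0:5000
"""

HARDENED_RC = """
# Unix socket: only local users with filesystem access (or a front web server
# that enforces its own authentication) can reach the RPC interface.
network.scgi.open_local = /home/rt/.rtorrent.sock
"""

LINE_RE = re.compile(r"^(?P<key>[\w.]+)\s*=\s*(?P<value>.+)$")
PORT_KEYS = {"network.scgi.open_port", "scgi_port"}
LOCAL_KEYS = {"network.scgi.open_local", "scgi_local"}
SEVERITY_ORDER = ["ok", "info", "warning", "critical"]


def rate_tcp_bind(value: str) -> str:
    """Rate a host:port bind. An empty host (assumed to mean all interfaces),
    '*' or an unspecified address such as 0.0.0.0 exposes RPC to the network."""
    host, _, _port = value.rpartition(":")
    host = host.strip().strip("[]")
    if host in ("", "*"):
        return "critical"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "warning"  # hostname: cannot be resolved offline, flag for review
    if addr.is_loopback:
        # Still a TCP socket, which the developer advises against, and reachable
        # by any process on the host.
        return "warning"
    return "critical"


def audit_rtorrent_rc(text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for every RPC listener in the config."""
    findings: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key in PORT_KEYS:
            findings.append((rate_tcp_bind(value), f"{key} = {value}: RPC on a TCP socket"))
        elif key in LOCAL_KEYS:
            findings.append(("info", f"{key} = {value}: RPC on a Unix socket"))
    if not findings:
        findings.append(("ok", "no SCGI/XML-RPC listener configured"))
    return findings


def worst(findings: list[tuple[str, str]]) -> str:
    """Highest severity among the findings."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    for name, rc in (("weak", WEAK_RC), ("hardened", HARDENED_RC)):
        findings = audit_rtorrent_rc(rc)
        print(f"{name}: {worst(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

To disable the interface as F5 recommends, remove (or comment out) both directives and restart rTorrent; the audit then reports `ok`. If you genuinely need RPC, keep it on a Unix socket and put authentication in the web server that fronts it, since rTorrent itself will accept any call it receives.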

Related: Hackers Compromise Tesla Cloud Server to Mine Cryptocurrency

  • Tags
  • Bitcoin
  • BitTorrent
  • CoinHive
  • Cryptocurrency
  • Cryptojacking
  • Cyber Crime
  • hacking
  • Malware
  • Monero
  • Russia
  • security
  • uTorrent