rTorrent Client Exploited to Mine Monero Cryptocurrency Thanks to XML-RPC Misconfiguration Vulnerability.
According to the findings of F5 Networks Inc.’s threat researchers, cybercriminals have managed to make $3,900 in a new malicious cryptomining campaign. The new scheme involves installation of currency-mining software on computers that run on Unix-like OS through exploiting the famous BitTorrent client rTorrent.
In their investigation, the researchers have observed that attackers are ‘actively exploiting’ rTorrent application because of undisclosed misconfiguration vulnerability. The operation is launched primarily to deploy Monero (XMR) crypto-miner so as to mine cryptocurrency.
According to F5’s blog post, attackers are using the misconfiguration vulnerabilities present in the rTorrent client, which include the following:
· XML-RPC communication can be initiated without undergoing any authentication procedure · Direct OS command execution, which is a sensitive XML-RPC method is allowed · The vulnerability is actively exploited by scanning the web for unprotected or exposed rTorrent clients · Exploited systems are utilized for mining Monero cryptocurrency · The Tor anonymity network is hosting the malware · Tor2Web gateway is used for accessing the malware · Only 3 out of 59 mainstream anti-virus software are able to detect the malware · Evasion techniques are also employed by attackers in this campaign · Quite possibly there is a connection with last year’s Zealot Monero mining campaign
The rtorrent client is being exploited through the interface XML-RPC, which uses HTTP and XML to obtain input from remote computers and XML-RPC doesn’t need any authentication to work while it can execute shell commands directly on the operating system that runs rTorrent.
RPC-enabled rTorrent apps are now much in demand by attackers as they can exploit them to install Monero mining software. At the moment, attackers are making nearly $43 per day while the combined balance so far is $3,900, which is quite a modest sum if we compare it to previous crypto-mining campaigns.
This is not surprising that uTorrent misconfiguration vulnerability is being exploited in the wild by malicious threat actors because uTorrent client suddenly has become the lucrative gateway to mining cryptocurrencies and other scams.
In case this technique is successful, the attacker can compromise the torrent client settings and then the entire machine would be compromised through using a locally installed torrent client instead of JSON-RPC. The vulnerabilities identified by the Seattle-based security firm F5 researchers are somewhat similar to Ormandy’s findings.
F5 researchers noted that rTorrent developer “explicitly recommends” to not use RPC function on TCP sockets, which indicated that the vulnerable XML-RPC interface is not enabled by default. Moreover, the malware downloaded by the exploit doesn’t completely run but also scans infected computers for other miners and when it detects any it removes the rival miners.
Currently, it isn’t clear if there is a rTorrent update to be released to fix the vulnerabilities as the developer of rTorrent didn’t comment on this aspect. Therefore, rTorrent users need to inspect their devices for infection symptoms such as the higher amount of bandwidths and processor power being consumed, etc.
Thr F5 researchers are advising that users need to make sure that the vulnerable RPC interface is disabled until a fix is released. Users of other BitTorrent apps also need to be wary of RPC interface and disable it whenever it is possible.