
MassMiner

Posted: October 4, 2018

MassMiner is a cryptocurrency-mining Trojan and worm that compromises networks and external servers through various methods, including abusing built-in software vulnerabilities and brute-forcing login credentials. Besides the typical activities of mining cryptocurrency and duplicating itself, MassMiner also takes multiple steps to disable an infected PC's default security features. Respond to signs of infection by rebooting your computer in Safe Mode, removing MassMiner with an appropriate anti-malware solution, and then double-checking your network and security settings.

A Mining Operation that Seeps Through Every Port

The cyber-security industry's research into an active family of worms is paying dividends in determining how the cryptocurrency-mining threats of 2018 are finding their way to new computers. MassMiner, which consists of multiple versions and variants, uses specialized, scripted exploits, each tailored to a particular environment, for compromising its victims. Once it achieves system access, MassMiner also represents a likely danger to the PC's overall state of security, since malware experts also confirm that it attacks various standard security services.

Besides spreading externally, MassMiner also creates copies of itself for infecting any PCs that are on a non-secure local network. Its methods for propagating to remote servers vary widely, depending on the nature of the target, and include exploiting the Windows Server Message Block and Apache Struts vulnerabilities. Microsoft SQL servers also enjoy the 'privilege' of being subjected to brute-force attacks that install MassMiner by cracking non-secure logins. MassMiner's abuse of the Masscan port-scanning tool also is notable; it can detect any exploitable, open ports across a comprehensive range in a matter of minutes.
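The brute-force stage against Microsoft SQL Server leaves a recognisable trail: a burst of failed logins from one client address in the SQL Server ERRORLOG. The script below is an added example written for this page, not code from the article or from MassMiner's analysts. It reads the ERRORLOG if present and otherwise runs over constructed sample lines; the log path, the failure threshold and the time window are assumptions to tune for your environment.

```powershell
# Added example (not part of the original article): flag bursts of failed SQL
# Server logins per client IP, the pattern a credential brute-force leaves in
# the SQL Server ERRORLOG. Path, threshold and window are assumed values.
param(
    [string]$ErrorLogPath = "C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Log\ERRORLOG",
    [int]$Threshold = 20,       # failures from one client before alerting
    [int]$WindowMinutes = 5     # sliding window in which those failures must fall
)

function Find-SqlBruteForce {
    param([string[]]$Lines, [int]$Threshold, [int]$WindowMinutes)

    # ERRORLOG "Login failed" lines carry a timestamp, the user and the client IP.
    $pattern = "^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+Login failed for user '(?<user>[^']*)'.*\[CLIENT: (?<ip>[^\]]+)\]"
    $failures = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss.ff', [cultureinfo]::InvariantCulture)
                User = $Matches['user']
                Ip   = $Matches['ip']
            }
        }
    }

    $window = [timespan]::FromMinutes($WindowMinutes)
    foreach ($group in ($failures | Group-Object Ip)) {
        # Two-pointer sweep over the sorted timestamps of one client address.
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]) -gt $window) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                [pscustomobject]@{
                    ClientIp  = $group.Name
                    Failures  = $end - $start + 1
                    FirstSeen = $times[$start]
                    LastSeen  = $times[$end]
                    Users     = ($group.Group.User | Sort-Object -Unique) -join ','
                }
                break   # one alert per client address is enough
            }
        }
    }
}

if (Test-Path $ErrorLogPath) {
    $lines = Get-Content $ErrorLogPath
} else {
    # Constructed sample log lines so the script runs anywhere: one success,
    # thirty failures from one address in under two minutes, one stray failure.
    $lines = @("2018-10-04 09:00:00.00 Logon       Login succeeded for user 'app_user'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.8]")
    foreach ($i in 0..29) {
        $ts = (Get-Date '2018-10-04 09:00:00').AddSeconds($i * 3).ToString('yyyy-MM-dd HH:mm:ss.ff')
        $lines += "$ts Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]"
    }
    $lines += "2018-10-04 09:10:00.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]"
}

$alerts = Find-SqlBruteForce -Lines $lines -Threshold $Threshold -WindowMinutes $WindowMinutes
if ($alerts) { $alerts | Format-Table -AutoSize } else { "No brute-force bursts found." }
```

On the constructed sample the single alert names 198.51.100.23 with 30 failures against 'sa'; the lone failure from 10.0.0.12 stays below the threshold. Enabling failed-login auditing on the instance (the default logs failures only) is what makes this signal available in the first place.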

Like every cryptocurrency-mining Trojan, MassMiner's motivation is hijacking the infected machine's hardware resources to mine cryptocurrency, such as Bitcoin or Monero, for the threat actor's wallet. However, as part of guaranteeing its system persistence, malware analysts also conclude that MassMiner systematically dismantles various security features. Some brands of anti-virus products and the Windows firewall are specific targets, which MassMiner stops via CMD commands.

Pulling Your PC Out of a Mass Mining Operation

MassMiner's statistics show that its campaign is global and relatively indiscriminate, although current trends emphasize a slightly higher percentage of targets inside of China and Venezuela. Although MassMiner does use a Command & Control server for handling its updates and configuration settings, malware experts caution that it doesn't require such a connection and is capable of operating on a default config even if the criminal's server infrastructure becomes inactive. Additionally, at least one variant of MassMiner includes extra payload-downloading features that it uses for dropping Gh0st, a backdoor Trojan that dates as far back as 2014.

SQL server admins should avoid using default passwords or account names that could be at risk from brute-force attacks. All server administrators, and PC users in general, should also install security patches as they become available; readers should note that the majority of MassMiner's favored vulnerabilities are fixed by the appropriate updates. Unusual system resource spikes, problems using the Windows Firewall or your preferred AV products, and the presence of new Scheduled Tasks are some of the anticipated symptoms of an infection. However, any credible anti-malware product that is still active should have no issues with uninstalling MassMiner.
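The symptoms listed above (a disabled firewall or AV, new Scheduled Tasks, CPU spikes, missing patches) can all be checked from one read-only PowerShell session. The script below is an added example for this page, not the article's or any vendor's code. It relies on the NetSecurity, Defender and ScheduledTasks modules that ship with Windows 8 / Server 2012 and later; the seven-day look-back for tasks and the 80% CPU threshold are assumed values.

```powershell
# Added example (not part of the original article): read-only triage of the
# infection symptoms the article lists. Look-back and CPU threshold are assumed.
$LookBackDays = 7
$CpuThresholdPercent = 80

Write-Host "== Windows Firewall profiles =="
# MassMiner is reported to stop the firewall; a disabled profile is a red flag.
Get-NetFirewallProfile | ForEach-Object {
    $flag = if (-not $_.Enabled) { "  <-- DISABLED" } else { "" }
    "{0,-8} Enabled={1} Inbound={2}{3}" -f $_.Name, $_.Enabled, $_.DefaultInboundAction, $flag
}

Write-Host "`n== Windows Defender =="
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    "RealTimeProtection={0} AntivirusEnabled={1} SignatureAge={2} day(s)" -f `
        $mp.RealTimeProtectionEnabled, $mp.AntivirusEnabled, $mp.AntivirusSignatureAge
    if (-not $mp.RealTimeProtectionEnabled) { Write-Warning "Real-time protection is off" }
} catch {
    # Third-party AV registered with Security Center, or the service was stopped.
    Write-Warning "Defender status unavailable: $($_.Exception.Message)"
}

Write-Host "`n== Scheduled tasks registered in the last $LookBackDays days =="
# The Date property is the registration time (null for some built-in tasks);
# listing every action shows exactly what a new task would execute.
$since = (Get-Date).AddDays(-$LookBackDays)
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -ge $since } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                Registered = $task.Date
                Author     = $task.Author
                Execute    = $action.Execute
                Arguments  = $action.Arguments
            }
        }
    } | Format-Table -AutoSize -Wrap

Write-Host "`n== CPU load and top consumers =="
# Take two samples one second apart; the first % Processor Time reading alone
# is not meaningful. Get-Process CPU is cumulative seconds, not a live rate.
$samples = Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 1 -MaxSamples 2
$cpu = $samples[-1].CounterSamples[0].CookedValue
"Total CPU: {0:N1}%" -f $cpu
if ($cpu -ge $CpuThresholdPercent) { Write-Warning "CPU above $CpuThresholdPercent% - review the processes below" }
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 Name, Id, CPU, Path | Format-Table -AutoSize

Write-Host "`n== Most recently installed updates =="
# A long gap since the last update means the exploited SMB and Struts-style
# vulnerabilities the article mentions may still be unpatched.
Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn | Format-Table -AutoSize
```

Run it from an elevated prompt so that task actions and process paths are fully visible; none of the commands change state, so it is safe to run repeatedly while triaging a suspected host.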

MassMiner's goal of creating a passive revenue stream is unoriginal, but one can't say the same for the work that its authors put into how it reproduces. A worm that attacks PCs from multiple angles requires an equally broad set of tight security countermeasures to defeat. Fortunately, experienced server administrators should already be taking all of the above precautions in the first place.
