google-site-verification: google30a059f9a075f398.html

New RubyMiner Botnet – CryptoMining Attack Targets Web Servers Globally

Rubyminer cryptominer target web server globally mines Monero
Rubyminer cryptominer target web server globally mines Monero

CyberWisdom Safe Harbor Commentary:

Today I came across this story from that highlights security researchers have found that a new malware family is targeting global web servers in an attempt to add it to an encrypted and mined botnet. The threat, dubbed RubyMiner, was discovered last week when it launched a massive attack on Web servers in the United States, Germany, the United Kingdom, Norway, and Sweden. Check Point revealed last week that within a day, the attacker behind the malware was trying to sabotage nearly a third of the world’s networks.

The purpose of the attacks on Windows and Linux web servers is to install Monero miners by exploiting the old vulnerabilities released and patched in 2012 and 2013. Instead of seeking an invisible compromise, attackers try to compromise a large number of vulnerable HTTP web servers as soon as possible.

Infections target vulnerabilities in PHP, Microsoft IIS, and Ruby on Rails. Despite a large number of compromises observed, only 700 servers worldwide were successfully enslaved in a 24-hour attack.

The attack on Ruby on Rails Attempt to exploit CVE-2013-0156 Remote Code Execution Vulnerability. Pass a base64-encoded payload in the POST request, expecting the Ruby interpreter on the web server to execute it.

The payload is a bash script that adds a cronjob that runs once an hour and downloads a robots.txt file containing a shell script that is designed to get and execute encrypted miners rather than checking that the host has been activated before. Not only the mining process, but the entire download and execution run once an hour.

“This may allow an attacker to immediately start antivirus software.If an attacker wants to end the process on the infected machine, all that needs to be done is to modify the robots.txt file on the infected web server to be inactive Within one minute, all machines that re-download the file will receive the file without the encrypted miner, “Check Point said.

Deployed Malware – On All Infected Servers – XMRig, a Monero miner who exploited vulnerabilities in Microsoft IIS 6.0 (Web server in Windows Server 2003 R2) in September 2017.

One area that has been used in the newly observed infection campaign is, which was previously used in an attack in 2013. The attack also misused Ruby on Rails vulnerabilities and shared some of the common features of current events, but researchers were not able to pinpoint any further connection between the two, especially since their purpose may seem different.

Read more…

A new malware family is targeting web servers worldwide in an attempt to ensnare them into a crypto-mining botnet, security researchers have discovered. Read more… Via

If you like to receive more of these curated safe harbor news alerts then subscribe to my mailing list. and come back soon at to read further CyberWisdom Safe Harbor Commentaries. Home » Curated SafeHarboronCyber’s CyberWisdom Post » New RubyMiner Botnet – CryptoMining Attack Targets Web Servers Globally