$75,000 of Monero Cryptojacked Via Flaw in Weathermap Plugin

The malicious code has been found in computers in Japan, Taiwan, China, India, and the US.

An ongoing hack which surreptitiously mines Monero (XMR) from people’s computers has made the perpetrators almost 75,000 USD worth of the cryptocurrency, according to Bitcoinist. Linux servers in Japan, Taiwan, China, India, and the US are being targeted by the malicious code.

The hack was discovered by a Japanese IT security company called Trend Micro. It found that two Monero wallets are receiving funds from the operation, and they held 74,677 USD in cryptocurrency as of the 21st of March 2018.

The malicious code is called watchd0g.sh. It takes advantage of a vulnerability in a plugin called Weathermap, which is used in the popular Cacti open-source graphing programme. Once installed, it modifies some of the system’s technical parameters to the recommended values for mining Monero. The code is executed every time the computer is turned on, runs every three minutes, and will automatically re-download if deleted.

After changing the parameters, it downloads a file called dada.x86_64, which is a modified XMRig miner.

When used legitimately an XMRig miner has a configuration file requiring parameters to be set – data such as the Monero wallet and password of the user, maximum CPU usage, mining server, and so on. Trend Micro found that the malicious miner is modified so that the parameters are pre-configured, and the command-line display is not visible.

The attack is ongoing. Trend Micro recommends that data from the Cacti programme be kept “internal to the environment”, that systems be kept updated with patches, and a “proactive incident response strategy that includes actively hunting and responding to threats”. It also noted that the intrusions target a weakness in the Linux operating system for which a patch has been available for nearly five years.

Monero is a cryptocurrency designed to be both completely anonymous and easy to mine. This has led to hackers secretly embedding mining codes into websites and applications, such as happened to Facebook Messenger in December. This new crime is known as cryptojacking.

Security issues aside, Monero is a popular coin, with a market capitalisation of almost 3 billion USD.

Got a news tip? Let Us Know