Microsoft servers are exploited to mine Monero

by Jake Doevan - -

Cryptocurrency mining can be an expensive investment because it takes a huge volume of computing power. Thus, hackers began to apply malware which steals computing power in order to hijack to generate profits.

Microsoft Monero

Cybersecurity researchers at ESET detected the malware which compromised hundreds of Windows servers with a cryptocurrency miner. As a result, the malware allowed them to generate over $63,000 profit in less than three months.[1]

ESET reported that attackers adjusted modifications to legitimate access source Monero mining software and installed the miner on unpatched Windows servers using a bug in IIS 6.0.

The cybercriminals have been mining Monero since at least May.

The vulnerability used by hackers was revealed in March. The bug is located on the web server service and it is visible from the Internet, which means that it is especially susceptible to exploitation.

According to researchers:

The payload comes necessarily in the form of an alphanumeric string. The attackers replaced the string leading to the execution of the Windows calculator from the proof-of-concept with one leading to the download and execution of their malicious payload.

The attackers compromised unpatched devices running Windows Server 2003 in order to turn them into a part of a botnet and generate cryptocurrency Monero which offers untraceable transactions.

Monero, unlike Bitcoin, is completely anonymous. However, Monero has a total market cap of approximately $1,4 billion, compared to Bitcoin’s over $100 billion. But still, hackers love Monero due to its higher level of privacy.

In addition, Monero is so popular among attackers due to its use of proof-of-work algorithm – CryptoNight.

This recently discovered miner was first seen in the wild in May this year.

It is worth mentioning that this is not the first malware mining Monero. Earlier this year, security researchers at Proofpoint discovered malicious cryptocurrency miner dubbed Adylkuzz. The miner used an EternalBlue exploit in order to compromise unpatched Windows systems and mine Monero. The ExternalBlur exploit was established by the NSA, which was disposed in April.[2]

According to the cybersecurity researchers at ESET unpatched vulnerabilities can cause a lot of issues.
In addition, the BondNet botnet malware was also discovered by GuardiCore researchers. Similarly, BondNet was compromising Windows servers in order to mine Monero.[3]

Sometimes it takes very little to gain a lot, and this is especially true in today’s world of cybersecurity, where even well-documented, long-known and warned about vulnerabilities are still very effective due to the lack of awareness of many users.

About the author

Jake Doevan
Jake Doevan - Computer security guru

Jake Doe is a security expert and news editor of His major is Communication and Journalism, which he obtained from the Washington and Jefferson College.

Contact Jake Doevan
About the company Esolutions


now online
Like us on Facebook