Cryptojacking is becoming more serious and complex


According to the latest reports, cryptojacking attacks are becoming more serious and complex, targeting both database and application servers. The newest such attack, named RedisWannaMine and spotted by the security company Imperva, is probably just the start.

Cryptojacking has always been popular with cybercriminals as an easy way to fund their operations, and with the recent spike in cryptocurrency value, both the popularity and the complexity of such attacks have been raised to a whole new level. These attacks usually use malware that installs cryptocurrency mining software on targeted systems.

According to a report published by the security company Imperva, the recent attack, named RedisWannaMine, which is based on the open source Redis in-memory data structure store and the EternalBlue exploit used by WannaCry, combines a worm-like attack with more advanced exploits in order to increase the infection rate and the cryptocurrency mining.

According to the blog post, RedisWannaMine uses a rather complex downloader: a shell script that installs a large number of packages using standard Linux package managers like apt and yum, and then downloads, compiles and installs the Masscan tool from a GitHub repository. Masscan is described as a “TCP port scanner, spews SYN packets asynchronously, scanning entire internet in under five minutes”.

The same script launches a process which discovers and infects Redis servers, and in some cases it also launches a process which infects the system with cryptominer malware.

What makes it even more complex is that it launches another scanning process which uses the Masscan tool to infect publicly available Windows servers running a vulnerable version of the SMB protocol. The same SMB vulnerability was used to create the EternalBlue exploit, used in the WannaCry attacks in May last year. When it finds a vulnerable server, it infects it and creates a VBScript file which downloads the cryptominer malware admissioninit.exe executable and runs it.

Imperva also added that it is not all bad news, as there are ways businesses can protect their servers:

  • Protect your web applications and databases. The initial attack vector was introduced through a web application vulnerability. A properly patched application or an application protected by a WAF should be safe.
  • Make sure you don’t expose your Redis servers to the world. This can be achieved with a simple firewall rule.
  • Make sure you don’t run machines with the vulnerable SMB version in your organization. You can use this awesome tool to check it.
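The second recommendation above is the one most directly tied to how this worm spreads: a Redis instance that listens on every interface and accepts unauthenticated connections is reachable by any scanner on the internet. The following is an added example, not code from the article or from Imperva, showing how a defender can audit a redis.conf for that exposure and produce a hardened version plus the "simple firewall rule" the article mentions. The configuration snippets are constructed, the iptables rules assume the default port 6379 and a placeholder internal range, and the requirepass check goes one step beyond the article's firewall advice.

```python
"""Audit a redis.conf for internet exposure and emit a hardened config.

Added example (not from the article or from Imperva's report). The sample
configs below are constructed for illustration.
"""

# Constructed sample: an exposed instance of the kind the worm looks for.
WEAK_CONF = """\
# listens on every interface, protected mode off, no password
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: a locally bound, authenticated instance.
SAFE_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass example-placeholder-secret
"""

# Addresses that make Redis reachable from any network.
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text):
    """Return {directive: [args]} from redis.conf text.

    Comments and blank lines are skipped; when a directive is repeated the
    last occurrence wins, which matches how Redis itself reads the file.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = parts[1:]
    return conf


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    conf = parse_redis_conf(text)
    findings = []
    bind = conf.get("bind")
    # Without a bind directive Redis listens on all interfaces.
    if not bind:
        findings.append("no 'bind' directive: Redis listens on all interfaces")
    elif any(addr in PUBLIC_BINDS for addr in bind):
        findings.append("bind includes a wildcard address: reachable from any network")
    # protected-mode defaults to yes; it refuses remote clients when no
    # bind/password is configured, so turning it off removes that safety net.
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode no: remote clients are accepted without auth")
    if not conf.get("requirepass"):
        findings.append("no requirepass: any client that can connect has full access")
    return findings


def harden_redis_conf(text, password):
    """Rewrite the managed directives so the instance is local-only and
    password protected; every other line is kept as-is."""
    managed = ("bind", "protected-mode", "requirepass")
    kept = [
        line for line in text.splitlines()
        if not (line.strip() and line.split()[0].lower() in managed)
    ]
    kept += ["bind 127.0.0.1", "protected-mode yes", f"requirepass {password}"]
    return "\n".join(kept) + "\n"


def firewall_rules(allowed_cidrs, port=6379):
    """Return iptables commands that allow the Redis port only from the given
    source ranges and drop everything else (the article's 'simple firewall
    rule'). The CIDRs passed in are the caller's internal networks."""
    rules = [
        f"iptables -A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT"
        for cidr in allowed_cidrs
    ]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("safe", SAFE_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or 'no findings'}")
    print(harden_redis_conf(WEAK_CONF, "example-placeholder-secret"))
    print("\n".join(firewall_rules(["10.0.0.0/8"])))
```

Run it against the real file with `audit_redis_conf(open("/etc/redis/redis.conf").read())`; the hardening step is deliberately conservative and only touches the three directives that decide who can talk to the instance, so application-specific settings survive.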

You can check out the full report over at the blog post.


Slobodan Simic is foremost an IT enthusiast who discovered his knack for writing, which led to him becoming an IT journalist and later an Editor for a number of publications. He has been covering anything from consumer- and professional-oriented hardware to software markets and networks. With a focus on chasing down leads, making sure that fresh content is ready for publishing, and keeping up with the ever-growing and evolving IT world, writing has become more of a passion than just a job.