PhotoMiner is a worm that propagates with the help of vulnerable FTP servers, infects public Web pages, spreads to Windows computers and sets up a mining process for the Monero crypto-currency.
Security firm GuardiCore discovered the worm this past January when it also published a quick summary of its abilities. In the meantime, the company found that the worm was created in early December 2015, and received several updates after its.
There are currently two different versions of PhotoMiner spreading over the Internet, but the company says that both function in the same way, with tiny differences.
PhotoMiner features a multi-stage infection mechanism
The infection mechanism is a bit complex. The first stage requires the malware coder to find an infected FTP server to unleash his worm. This is easy since there arewith open FTP ports connected to the Internet, and how easy is to hack them.
After PhotoWorm reaches an FTP server, it will scan for public HTML folders, usually used for hosting Web pages. The worm alters the source code of these pages in order to deliver another copy of itself.
PhotoMiner achieves this by embedding an iframe tag inside each page, with the source attribute set to “Photo.scr”, hence the malware’s name of Photo-Miner.
At this point, the iframe prompts the user with a popup, asking if he wants to run the file. Running the file infects him with the PhotoMiner worm.
PhotoMiner uses 2 processes to make sure it remains on infected hosts
PhotoMiner will now start two Windows processes. One is for mining Monero crypto-currency, and the second is for spreading itself to nearby computers.
If antivirus products detect the worm, they clean out only the worm process, while the Monero mining process remains on the infected computer after previously gaining boot persistence.
The worm process uses Windows tools such as ARP and NET VIEW to scan the local network for other computers, including other FTP servers. PhotoMiner uses brute-force attacks over SMB to infiltrate other machines, and then the WMI scripting utility to copy itself on the vulnerable workstations.
At this point, the infection process comes full circle, and PhotoMiner will look for other computers or for public HTML folders to spread again.
On infected hosts, PhotoMiner uses different accounts from the MoneroPool.com service to mine for Monero crypto-currency. These accounts are stored inside configuration file received from a C&C server.
“Infecting websites through unprotected FTP servers is a classic attack that seems to be gaining popularity once again. By creating an infection that is hard to disrupt, the writers of PhotoMiner have created a botnet that is undoubtedly here to stay,” the GuardiCore team explains.
“A non-secure service facing the internet, such as an unprotected FTP server, is one of the most common ways attackers use to first penetrate an organization. Attackers currently using their botnet for mining may in the future use stolen credentials and infected machines to move laterally inside the data center and compromise the most valuable assets of the organization,” the security firm also warned.