Then, innocent websites hosted alongside the FTP servers are engineered to infect their visitors with malware. First, insecure FTP servers over the world are compromised. Over time, PhotoMiner added new capabilities including a unique multi-stage infection mechanism. The second variant was released Februand quickly became the dominant version we can observe in the wild. The first variant was compiled on Decemand included the core miner and basic propagation abilities. Till today, we’ve seen two different variants of PhotoMiner and over a dozen versions, indicating a rapid pace of evolution. Since its first release, the malware has evolved rapidly. Usually, uploading files to a vulnerable FTP server would go unnoticed in organizations but our Sensor Network identified an anomalous behaviour where identical incidents continued to pile up, arriving from all over the world. On January 10 2016, GuardiCore Global Sensor Network detected an automated attack uploading suspicious files to FTP hosts. In this report we will share our research on the PhotoMiner’s timelines, infection strategies, C&C servers and provide tools to help detect the malware. We’ve documented thousands of attacks originating from hundreds of IPs, running similar attack flows while using different binaries. The choice of a lesser known currency with a good exchange rate allows the attackers to rapidly gain money while the sophisticated use of safeguards makes it resilient to most disruption attempts, potentially leaving victims infected for years. PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by mining Monero. Over the past few months, we’ve been following a new type of worm we named PhotoMiner.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |