PsMiner propagates by exploiting known vulnerabilities and weak credentials

• ‘PsMiner’ is written in the Go language and includes worm-like capabilities.
• The malware spreads by exploiting known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SQL server.

360 Total Security team uncovered a new Monero mining malware dubbed ‘PsMiner’ that is written in the Go language and includes worm-like capabilities.

How does it propagate?

• The malware spreads by exploiting known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SQL server.
• It also spreads using weak system credentials.

What are its capabilities?

• PsMiner can brute-force the weak or default system credentials by its password cracking module.
• After successful exploitation of vulnerabilities or weak credentials, the malware can execute Powershell command in the victim’s machine using cmd.exe.
• The executable will download a ‘WindowsUpdate.ps1’ malicious payload, which will drop the Monero miner.
• PsMiner will then use the open source Xmrig CPU miner to mine for Monero cryptocurrency.

Worth noting - 360 Total Security team noted that PsMiner acquired a total of about 0.88 Monero coins in just 2 weeks.

How to stay protected?

• In order to stay protected from such malware, it is highly recommended to patch all known vulnerabilities and users should upgrade to the patched versions.
• It is also recommended to reset all default passwords to strong, unique, and complex passwords.
• Users must ensure passwords are periodically rotated and all systems are up-to-date.
• It is always best to install good antivirus software.

“PsMiner exploits a variety of high-risk vulnerabilities, as of now, the relevant manufacturers have completed the repair, it is recommended that affected users upgrade the relevant server components as soon as possible,” 360 Total Security stated in their blog.