Thousands of infected FTP servers net attackers $88k in cryptocurrency

Share this…

Targets foot hardware and electricity costs of mining Monero coins. Attackers are draining the CPU and power resources of thousands file transfer protocol servers by infecting them with malware that surreptitiously mints the relatively new crypto currency called Monero, researchers said.

A notable percentage of the 3,000 or so infected servers are powered by Seagate Central, a network-attached storage device that allows users to remotely retrieve files using FTP connections, according to a report published Friday by researchers from antivirus provider Sophos. The Seagate device contains a weakness that allows attackers to upload malicious files to any device that has been configured to allow remote file access, the report said. Once users inadvertently click on the malicious files, their systems are infected with Mal/Miner-C, the malware that mines the Monero coins.


Sophos Senior Threat Researcher Attila Marosi estimated that Mal/Miner-C has already mined Monero coins valued at 76,599 Euros (about $88,347) and has the ability to earn about $481 each day. While new crypto coins sold on the open market don’t always fetch their entire estimated value, the earnings are nonetheless significant, since virtually all the hardware and electricity costs are borne by the people hosting the infected servers. The researcher went on to calculate that the infected servers comprised about half of the pool. The estimate was based on the infected servers having the capacity to generate 431,000 hashes per second when mining Monero coins, while the overall pool as measured by was 861,000 hashes per second. That translated to about 2.5 of the entire mining community.

Just add social engineering

The malware has no known abilities to spread automatically. Instead it takes advantage of FTP servers that allow anonymous users to upload to a public folder. As it turns out, Seagate Central devices allow such anonymous usage whenever remote access has been enabled, a setting that Marosi said allowed them to host much of the malware found. Attackers who found such servers uploaded a file that was disguised to look like a screensaver installer. When end users clicked on it, their systems were infected.

Over the past six months, Sophos has seen about 1.7 million Mal/Miner-C detections from about 3,000 different IP addresses. The large number of detections is the result of malware running in multiple directories. Marosi also scanned the Internet and found about 2.1 million IP addresses actively hosting FTP servers. Of those, 7,263 servers had write access enabled and 5,137 were hosting Mal/Miner-C files.

“More than 70 percent of the servers where write access was enabled had already been found, visited and ‘borrowed’ by crooks looking for innocent-sounding repositories for their malware,” the Sophos report stated. “If you’ve ever assumed that you’re too small and insignificant to be of interest to cybercriminals, and thus that getting security settings right is only really for bigger organizations, this should convince you otherwise.”