Recently, it has become clear that the PhotoMiner worm is distributed via vulnerable FTP servers, infects public Web pages, spreads to Windows computers and sets up a mining process for the Monero crypto-currency.
The worm was discovered by the security company GuardiCore in January this year, when a short summary of its abilities was published. Since then, the company has found that the worm was created in early December 2015 and received several updates after the January write-up.
Presently, two versions of PhotoMiner are spreading over the Internet; GuardiCore says that both function in the same way, with only very small differences.
The infection mechanism of PhotoMiner is somewhat complex. The first stage requires the malware author to find a vulnerable FTP server on which to unleash the worm. This is easy, because over 20.3 million servers with open FTP ports are connected to the Internet. As soon as PhotoMiner reaches an FTP server, it scans for public HTML folders, which are usually used for hosting Web pages. The worm alters the source code of these pages so that they deliver another copy of itself.
PhotoMiner achieves this by embedding an iframe tag in each page, with the source attribute set to “Photo.scr”, hence the name PhotoMiner. Currently, the iframe prompts the user with a popup asking whether to run the file. Running the file infects the user's computer with the PhotoMiner worm.
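As an added example (not GuardiCore's code and not part of the original article), here is a small Python scanner a web-server operator could run over a public HTML folder to flag iframe tags whose src points at an executable such as Photo.scr; the sample pages are constructed, and the path passed to scan_directory is a placeholder.

```python
from html.parser import HTMLParser
from pathlib import Path

# Constructed sample pages: one clean, one carrying the injected iframe.
SAMPLE_PAGES = {
    "index.html": "<html><body><h1>Gallery</h1><p>Welcome</p></body></html>",
    "about.html": (
        "<html><body><p>About us</p>"
        '<iframe src="Photo.scr" width="1" height="1" style="display:none"></iframe>'
        "</body></html>"
    ),
}

# Executable extensions that have no business being an iframe target on a web page.
SUSPICIOUS_EXT = (".scr", ".exe", ".com", ".pif", ".bat")


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())


def suspicious_iframes(html):
    """Return iframe src values whose path ends in an executable extension."""
    parser = IframeCollector()
    parser.feed(html)
    return [s for s in parser.sources
            if s.lower().split("?")[0].endswith(SUSPICIOUS_EXT)]


def scan_pages(pages):
    """Map file name -> suspicious iframe targets, for files that have any."""
    findings = {}
    for name, html in pages.items():
        hits = suspicious_iframes(html)
        if hits:
            findings[name] = hits
    return findings


def scan_directory(root):
    """Walk a real web root (placeholder path) and scan every .htm/.html file."""
    pages = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.htm*")}
    return scan_pages(pages)


if __name__ == "__main__":
    for fname, hits in scan_pages(SAMPLE_PAGES).items():
        print(f"{fname}: injected iframe(s) -> {hits}")
```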
After that, PhotoMiner starts two Windows processes. The first mines the Monero crypto-currency, and the second spreads the worm to nearby computers. If an antivirus product detects the worm, it cleans out only the worm process, while the Monero mining process, having already gained boot persistence, remains on the infected computer.
The PhotoMiner worm process uses Windows tools such as ARP and NET VIEW to scan the local network for other computers, including other FTP servers.
First, the worm uses brute-force attacks over SMB to infiltrate other machines, and then the WMI scripting utility to copy itself onto the vulnerable workstations. At this point the infection process comes full circle, and PhotoMiner looks for further computers or public HTML folders from which to spread again.
On infected devices, PhotoMiner uses different accounts from the MoneroPool.com service to mine Monero. These accounts are stored in a configuration file received from a C&C server.
“Infecting websites through unprotected FTP servers is a classic attack that seems to be gaining popularity once again. By creating an infection that is hard to disrupt, the writers of PhotoMiner have created a botnet that is undoubtedly here to stay,” the GuardiCore security team says.
“A non-secure service facing the internet, such as an unprotected FTP server, is one of the most common ways attackers use to first penetrate an organization. Attackers currently using their botnet for mining may in the future use stolen credentials and infected machines to move laterally inside the data center and compromise the most valuable assets of the organization,” the security company concluded.