Attackers are targeting Microsoft web servers running IIS 6.0.
The malware is a modified version of the open source Monero mining software “XMRig” that has been known to exploit vulnerabilities in Microsoft IIS 6.0.
Microsoft released a special patch in May addressing these vulnerabilities, even though the operating system has been End of Life (EoL) for over two years.
Affected platform: Microsoft IIS 6.0 on Windows Server 2003.
- Download and apply Microsoft patch KB4012598 manually. Because the operating system is End of Life, the patch will not be installed by automatic updates.
- Use a vulnerability scanner (such as Nessus, OpenVAS or Microsoft Baseline Security Analyzer) to identify any unpatched systems.
- Ensure all affected platforms are updated with the most recent security updates.
Ensure your antivirus (AV) software is properly configured to automatically scan all files and file operations (including file reads, writes and renames), and manually run scans on critical assets such as servers and shared network file storage.