Vulnerability in Legacy Windows Software Being Targeted Again to Mine Cryptocurrency

Amid the increasing crackdown on fake cryptocurrency ads by companies like Google and Twitter, scammers have turned their attention to cryptocurrency mining, attacking government websites, messaging platforms and the cloud servers of tech titans like Tesla. New security findings reveal that cryptojackers are now exploiting flaws in old Windows software to mine cryptocurrency, especially software that is reaching, or is already past, the end of its official support.

Researchers at US-based security firm F5 Networks have discovered that a vulnerability in Microsoft Internet Information Services 6.0 (IIS) is being targeted to seed malware and take over Windows servers to mine the Electroneum cryptocurrency.

Location details of the malware-hosting server (Image Courtesy: F5)

However, this is not the first time the IIS 6.0 vulnerability has been exploited: the same flaw was previously abused by the Lazarus group to launch malware attacks and mine Monero. The latest wave of Electroneum-mining attacks targets a buffer overflow vulnerability in Windows IIS 6.0 servers, tracked as CVE-2017-7269, and uses a technique called ‘Squiblydoo’ to seed the malware and execute the malicious script.

The vulnerable software shipped as part of Microsoft Windows Server 2003, an OS that had already reached End-of-Life (EOL) status years before the vulnerability was discovered.


The malware uses the fake file name ‘lsass.eXe’ to mimic the genuine ‘lsass.exe’ process and cause confusion, and then executes a file that is actually the 32-bit variant of a cryptojacking tool called XMRig. According to the report, the original server hosting the malware is located in China, and it directs the malware script to mine Electroneum using multiple pools and deposit the proceeds in a single wallet.
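The name imitation described above can be hunted for in process-creation telemetry. The following Python code is an added example, not code from the F5 report: the record fields, sample paths and the default System32 location are assumptions, and the one-character lookalike check goes beyond the casing trick the article describes.

```python
import ntpath

# Assumption: default install path of the genuine LSASS binary.
GENUINE_PATH = r"c:\windows\system32\lsass.exe"
GENUINE_NAME = "lsass.exe"


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade_reasons(image_path):
    """Return the reasons a process image path looks like an lsass.exe imitation."""
    name = ntpath.basename(image_path)
    reasons = []
    if name.lower() == GENUINE_NAME:
        # Windows paths are case-insensitive, so compare lowercased.
        if ntpath.normpath(image_path).lower() != GENUINE_PATH:
            reasons.append("lsass.exe running outside System32")
        if name != GENUINE_NAME:
            reasons.append("unusual casing: " + name)
    elif edit_distance(name.lower(), GENUINE_NAME) == 1:
        reasons.append("lookalike name: " + name)
    return reasons


# Constructed process-creation records (not taken from the F5 report).
SAMPLE_EVENTS = [
    {"pid": 612, "image": r"C:\Windows\System32\lsass.exe"},
    {"pid": 3380, "image": r"C:\Windows\Temp\lsass.eXe"},
    {"pid": 4012, "image": r"C:\Users\Public\lsas.exe"},
    {"pid": 988, "image": r"C:\Windows\System32\svchost.exe"},
]


def scan(events):
    """Map pid -> reasons for every event that raised at least one flag."""
    return {e["pid"]: r for e in events if (r := masquerade_reasons(e["image"]))}


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The casing flag on its own is a weak signal, since Windows does not care how a file name is capitalised; the path mismatch is the stronger one.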

The latest cryptocurrency mining attack has so far deposited Electroneum worth around $99 in the hacker’s crypto wallet. That might not look like a successful heist, but it is possible that the hacker uses multiple Electroneum wallets to collect the earnings. The more worrying revelation from this attack is that a large number of computing systems are still running outdated software, which hosts vulnerabilities waiting to be exploited for crypto-mining attacks.
