Crypto-Crooks Steal Monero Using Compromised FTP Server Swarm

Cyber-thieves are making away with the cryptocurrency Monero after compromising file transfer protocol servers with a malware that exploits its target’s CPU and power resources.

Monero, a relatively new cryptocurrency that can still be mined on PCs profitably, has captured the attention of malware authors and cybercriminals who have devised an exploit to infect FTP servers to steal the cryptocurrency.

Attila Marosi, a senior researcher from cybersecurity firm Sophos uncovered [PDF] the malware, dubbed Mal/Miner-C. It uses an effective technique to spread and get new nodes to calculate hashes for cryptocurrency as a means of a compromise. The malware also attempts to duplicate itself when spotting open or vulnerable FTP folders, Marosi added.


The senior researcher estimated Mal/Miner C had, so far, mined Monero worth 76,599 EUR, or approximately $86,000. Furthermore, the malware had infected enough machines to earn 428 EUR or $480 every day.

Another startling fact from Marosi’s findings had the researcher state:

Here is what the full Monero mining community looks like: 2.5% of the whole mining capacity comes from infected machines.

The Vulnerability – a Seagate NAS Drive

The report put the spotlight on Seagate Central, a network attached storage (NAS) device which contains a fundamental design flaw. The vulnerability leaves the device open to exploit from hackers who could upload malware to any device configured to allow remote file access to the drive.

With remote access enabled, the FTP servers allows anonymous users to gain access to a public folder, leaving the door ajar to upload any file. In the case of Mal/Miner-C, attackers uploaded a file that resembles a screensaver – Photo.scr, within the folder – Photos. With the premise being innocuous, targets who fall for the exploit trigger the malware by simple double-clicking on the file.

While disabling remote access to the drive can prevent the vulnerability, it also disables remote access to the drive. This defeats the entire purpose of a NAS drive and isn’t the solution. Inevitably, attackers took note.

“Most[ly] all of these devices have already been infected by this threat,” Marosi wrote.

Using IoT search engine Censys, Marosi scanned the internet and some 3 million FTP servers to spot instances of the threat. While 2.1 million FTP servers were active during the test, over 207,000 of those active servers allowed anonymous remote access. Over 7,000 of those anonymous user-friendly servers also had write access enabled. Of that number, 5,137 servers were already compromised with Mal/Miner-C.

While the Seagate Central isn’t the only vulnerable NAS drive, it represents a vast majority of those exploited.

Mal/Miner C targeted as its primary pool, Marosi discovered. Further research revealed that the infected servers have the ability to generate 431,000 hashes per second when mining Monero. That’s roughly half of the entirety of which registers 861,000 hashes per second.

No Server too Small

Alarmingly, attackers have already targeted and compromised over 70% of the servers with write access-enabled, the report’s findings stated.

Furthermore, Marosi added:

If you’ve ever assumed that you’re too small and insignificant to be of interest to cybercriminals, and thus that getting security settings right is only really for bigger organizations, this should convince you otherwise.

Very bluntly put, if you’re not part of the solution, you’re very likely to become part of the problem.

 Images from Shutterstock and Monero.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.