|Type of Malware||Cryptominer|
|Date of Initial Activity||2018|
|Motivation||To plant the cryptocurrency miner XMrig on vulnerable systems to hijack users’ CPU processing power and covertly mine Monero coins|
|Attack Vectors||Exploited vulnerabilities in HTTP web servers|
|Targeted System||Windows and Linux servers|
Rubyminer was first seen in the wild in January 2018 and targets both Windows and Linux servers. Rubyminer seeks vulnerable web servers (such as PHP, Microsoft IIS, and Ruby on Rails) to use for cryptomining, using the open source Monero miner XMRig.
Personal computers and web servers. Among the top countries targeted are the United States, Germany, United Kingdom, Norway and Sweden.
Tools/ Techniques Used
Rubyminer seeks vulnerable web servers (such as PHP, Microsoft IIS, and Ruby on Rails) to use for cryptomining, using the open source Monero miner XMRig.
RubyMiner group uses a web server fingerprinting tool named p0f to scan and identify Linux and Windows servers running outdated software. Once they identify unpatched servers, attackers deploy well-known exploits to gain a foothold on vulnerable servers and infect them with RubyMiner. The RubyMiner attacks are peculiar because attackers use very old exploits, which most security software would be able to detect, and which would have alerted server owners.
Researchers think that attackers might have been looking for abandoned machines on purpose, such as forgotten PCs and servers with old OS versions, that sysadmins forgot they left online.