Hackers modify malware for covert cryptocurrency mining

AhnLab reports that hackers are attacking older versions of Rejetto’s HTTP File Server (HFS) to inject malware and cryptominers.

The CVE-2024−23 692 vulnerability allows hackers to send special requests that execute commands on the system without authorization. Real cases of crypto users being affected have already been reported.

Cybercriminals use the vulnerability to collect system information, install backdoors, and other types of malware. They also add new users to the administrators group to prevent other hackers from exploiting the vulnerability. Then the fraudsters install the XMRig tool for mining Monero cryptocurrency. Criminals also use other malware such as XenoRAT, Gh0stRAT, PlugX, and GoThief.

Cybersecurity experts recommend that users update the software to the latest version — 0.52.10, which is based on web technologies, supports HTTPS, dynamic DNS, and authorization for the administrative panel.

AhnLab provided data to detect the compromise, including the malware hash, IP addresses of the control servers, and malware download URLs.