These cybercriminals are exploiting a significant vulnerability in HFS (HTTP File Server) versions up to and including 2.3m. The flaw lets them execute arbitrary commands remotely without authenticating, giving attackers easy control over affected systems.
AhnLab has identified several instances in which, after compromising a system, the attackers went on to deploy malicious payloads. These include XMRig, software used for mining Monero, and remote access trojans (RATs) such as XenoRAT and Gh0stRAT. However, the full extent of these attacks and the amount of Monero mined remain unclear.
In light of the exploit, Rejetto has issued warnings, acknowledging the bug and advising users to avoid versions 2.3m through 2.4, labeling them as “dangerous and should not be used anymore.”
Cybercriminals favor XMRig on infected devices because of Monero's strong privacy features, which make transactions hard to trace. XMRig's efficiency and versatility allow it to run on a wide range of hardware, and its open-source nature makes it easy to modify. It can also run quietly in the background among a computer's other processes, reducing the risk of detection.