SambaCry infecting Linux machines to create a Monero mining botnet

Linux machines running Samba are being hit by an attack that targets an SMB server flaw, much as the WannaCry ransomware did on Windows. The two bugs are unrelated, however: WannaCry exploited a flaw in Microsoft's SMBv1 implementation, while this attack exploits a separate bug in Samba's own code.

The vulnerability CVE-2017-7494 (a.k.a. "SambaCry") enables remote code execution on Samba servers from version 3.5.0 onward. A client that can write to a share uploads a shared library to it, then asks the server to open that file as a named pipe; smbd loads the library with dlopen() and runs its code with the daemon's privileges, which is usually root. The bug is fixed in Samba 4.6.4, 4.5.10 and 4.4.14, and the published workaround for servers that cannot be patched is to add `nt pipe support = no` to the [global] section of smb.conf.
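The two preconditions above (a share the attacker can write to, and a server that still honours named-pipe requests) can be checked from smb.conf. The following is an added example, not code from the original article or from the Samba project: it parses an smb.conf, lists writable shares, checks for the `nt pipe support = no` workaround, and compares the running version against the fixed releases named in the Samba advisory. The sample configuration is constructed for the demo; the parser covers the common Samba boolean spellings and the `writable`/`writeable`/`write ok`/`read only` synonyms but is not a full smb.conf parser.

```python
"""Assess an smb.conf and Samba version for CVE-2017-7494 exposure.

Added example, not code from the article or from the Samba project.
Fixed releases are the ones named in the Samba advisory for CVE-2017-7494.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")

# Minimum patched release for each maintained 4.x series at the time of the advisory.
FIXED_PATCH = {(4, 6): 4, (4, 5): 10, (4, 4): 14}


def is_patched(version):
    """True if this Samba release carries the fix (or predates the bug)."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    if (major, minor) < (3, 5):
        return True                     # bug was introduced in 3.5.0
    if (major, minor) in FIXED_PATCH:
        return patch >= FIXED_PATCH[(major, minor)]
    # Series after 4.6 shipped with the fix; older series were EOL and never patched.
    return (major, minor) > (4, 6)


def _truthy(value):
    # Samba accepts several boolean spellings; everything else counts as "no".
    return value.strip().lower() in {"yes", "true", "1", "on"}


def parse_smb_conf(text):
    """Return {section: {normalised key: value}}; keys are lower-cased, space-normalised."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # Samba ignores lines starting with # or ;
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def share_is_writable(opts):
    """Apply the writable/read-only synonyms in order; Samba's default is read only."""
    writable = False
    for key, value in opts.items():
        if key in ("writable", "writeable", "write ok"):
            writable = _truthy(value)
        elif key == "read only":
            writable = not _truthy(value)
    return writable


def assess(smb_conf_text, version):
    conf = parse_smb_conf(smb_conf_text)
    g = conf.get("global", {})
    pipes_disabled = "nt pipe support" in g and not _truthy(g["nt pipe support"])
    writable = [name for name, opts in conf.items()
                if name != "global" and share_is_writable(opts)]
    guest_writable = [name for name in writable if _truthy(conf[name].get("guest ok", "no"))]
    patched = is_patched(version)
    return {
        "patched": patched,
        "pipes_disabled": pipes_disabled,
        "writable_shares": writable,
        "guest_writable": guest_writable,     # reachable without any credentials
        "exposed": not patched and not pipes_disabled and bool(writable),
    }


# Constructed sample configuration for the demo (not a real server's config).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = File server
# The advisory's workaround, left commented out so the sample is exposed:
   ; nt pipe support = no

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no

[docs]
   path = /srv/samba/docs
   writable = no

[homes]
   browseable = no
   writeable = yes
"""

if __name__ == "__main__":
    for ver in ("4.5.9", "4.5.10"):
        print(ver, assess(SAMPLE_SMB_CONF, ver))
```

On a real host, feed it the output of `smbd -b | grep CONFIGFILE` (the config path) and `smbd --version`; a share that is writable only by authenticated users still counts, since any user with valid credentials can exploit the bug, and the `guest_writable` list is the set an anonymous attacker can use.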

Unlike the recent wave of ransomware, this campaign does not extort the victim: compromised Samba servers are co-opted into a botnet that mines the Monero cryptocurrency. The popular cpuminer software is downloaded onto the machine, which then connects to a mining pool (mr.crypto-pool.fr:3333) and keeps running in the background, burning the host's CPU to mine for the attackers.
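A miner that phones home to a pool is easy to spot from the host side. The following is an added example, not code from the original article or from the campaign: it flags established connections to the stratum port named above in `ss -tnp` style output, and flags processes whose command line carries miner-like markers (`stratum+tcp://`, cpuminer's `cryptonight` algorithm name, or the pool domain from the article). The `ss` lines and process command lines are constructed for the demo; the marker list and the extra `live_cmdlines()` helper for reading `/proc` are assumptions of this example, not indicators published with the original report.

```python
"""Spot a pool-mining process from socket and command-line evidence.

Added example, not code from the article or from the malware it describes.
Port 3333 and the mr.crypto-pool.fr host come from the article; the other
markers below are assumptions of this example.
"""
import os
import re

# ss -tnp prints the owning process as users:(("name",pid=N,fd=M))
SS_USERS_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

# Strings a cpuminer-style command line tends to carry (assumed markers).
MINER_MARKERS = ("stratum+tcp://", "stratum+ssl://", "cryptonight", "crypto-pool.fr")


def stratum_connections(ss_lines, pool_ports=frozenset({3333})):
    """Return connections (ESTAB or SYN-SENT) whose peer port is a pool port."""
    hits = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("ESTAB", "SYN-SENT"):
            continue
        peer = parts[4]                          # "host:port", also "[v6addr]:port"
        _, _, port = peer.rpartition(":")
        if not port.isdigit() or int(port) not in pool_ports:
            continue
        m = SS_USERS_RE.search(line)
        hits.append({
            "peer": peer,
            "process": m.group("name") if m else None,
            "pid": int(m.group("pid")) if m else None,
        })
    return hits


def miner_processes(cmdlines):
    """cmdlines: {pid: command line}. Return [(pid, cmdline)] matching a marker."""
    return [(pid, cmd) for pid, cmd in cmdlines.items()
            if any(marker in cmd.lower() for marker in MINER_MARKERS)]


def live_cmdlines(proc="/proc"):
    """Read every process's command line from /proc (Linux only); used on a real host."""
    out = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/cmdline", "rb") as fh:
                out[int(entry)] = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue                              # process exited or not readable
    return out


# Constructed sample `ss -tnp` output and command lines for the demo.
SAMPLE_SS = [
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port Process",
    'ESTAB 0 0 10.0.0.5:22 198.51.100.2:51234 users:(("sshd",pid=910,fd=4))',
    'ESTAB 0 0 10.0.0.5:49812 203.0.113.7:3333 users:(("minerd",pid=4242,fd=3))',
    'ESTAB 0 0 10.0.0.5:445 198.51.100.9:50100 users:(("smbd",pid=1337,fd=12))',
]
SAMPLE_CMDLINES = {
    910: "/usr/sbin/sshd -D",
    1337: "/usr/sbin/smbd --foreground --no-process-group",
    4242: "/tmp/.x/minerd -a cryptonight -o stratum+tcp://mr.crypto-pool.fr:3333 -u WALLET -p x -B",
}

if __name__ == "__main__":
    print(stratum_connections(SAMPLE_SS))
    print(miner_processes(SAMPLE_CMDLINES))
    if os.path.isdir("/proc"):
        print(miner_processes(live_cmdlines()))
```

A legitimate service can of course listen or connect on 3333, so treat the port match as a lead and the command-line match as the stronger signal; a miner that renames its binary still has to tell the pool which algorithm and stratum URL to use.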

The advantage of using Monero instead of Bitcoin for the malware authors is that Monero goes to great lengths to make transactions difficult to trace. This could assist the authors in evading detection when they later decide to withdraw the funds earned from the botnet.