The vulnerability CVE-2017-7494 (a.k.a. “SambaCry”) enables remote code execution by allowing malicious clients to upload a shared library to the server and then execute the code in this library.
In contrast to the recent proliferation of ransomware, Linux clients are being co-opted into joining a botnet to mine the Monero cryptocurrency. The popular cpuminer software is downloaded onto the machine, which then connects to a mining pool (mr.crypto-pool.fr:3333) and continues running in the background to mine cryptocurrency.
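The behaviour described above can be hunted for in process and DNS telemetry. The following is an added example, not code from the original page: it checks constructed sample records for the pool named above and for cpuminer running under its own or a renamed binary. The `kind|host|detail` record format, the host names and the `/tmp/m` path are assumptions made for illustration.

```python
import re
import shlex

POOL_HOST = "mr.crypto-pool.fr"          # pool host named in the text above
POOL_PORT = 3333                         # pool port named in the text above
MINER_BINARIES = {"cpuminer", "minerd"}  # minerd is the executable cpuminer builds
STRATUM_RE = re.compile(r"stratum\+tcp://([^:/\s]+):(\d+)", re.I)

# Constructed sample records in a hypothetical "kind|host|detail" format.
SAMPLE = """\
proc|fileserver1|/usr/sbin/smbd --foreground
proc|fileserver1|/tmp/m -o stratum+tcp://mr.crypto-pool.fr:3333 -u WALLET_PLACEHOLDER -B
dns|fileserver1|MR.CRYPTO-POOL.FR.
proc|build02|/opt/tools/minerd --benchmark
conn|build02|203.0.113.7:3333
""".splitlines()

def norm_host(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def classify(record):
    """Return the set of reasons a record matches the behaviour described."""
    kind, _host, detail = record.split("|", 2)
    reasons = set()
    if kind == "proc":
        argv = shlex.split(detail)
        if argv and argv[0].rsplit("/", 1)[-1] in MINER_BINARIES:
            reasons.add("miner-binary")
        # A renamed binary still has to be told where the pool is.
        for host, port in STRATUM_RE.findall(detail):
            reasons.add("stratum-url")
            if norm_host(host) == POOL_HOST and int(port) == POOL_PORT:
                reasons.add("known-pool")
    elif kind == "dns" and norm_host(detail) == POOL_HOST:
        reasons.add("known-pool")
    # Port 3333 on its own (the "conn" record) is deliberately not a signal.
    return reasons

def scan(records):
    """Group findings per host so one alert carries all the evidence."""
    findings = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            findings.setdefault(rec.split("|", 2)[1], set()).update(reasons)
    return findings

if __name__ == "__main__":
    for host, reasons in sorted(scan(SAMPLE).items()):
        print(host, sorted(reasons))
```

A `known-pool` hit on a host that runs Samba is the stronger signal; `miner-binary` alone also matches legitimate benchmarking and needs triage.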
For the malware authors, the advantage of using Monero instead of Bitcoin is that Monero goes to great lengths to make transactions difficult to trace. This could assist the authors in evading detection when they later decide to withdraw the funds earned from the botnet.