Microsoft IIS 6.0 Targeted for Electroneum Cryptomining Campaign

Researchers uncovered a campaign that has been targeting several systems still running on Microsoft Internet Information Services (IIS) 6.0 servers to mine Electroneum cryptocurrency (ETN). The cryptomining campaign exploits CVE-2017-7269, a year-old disclosed vulnerability known to have been previously used to mine Monero. North Korean hacker group Lazarus also exploited the same vulnerability to launch attacks against organizations.

Attackers are still exploiting vulnerabilities in the IIS 6.0 despite being declared end-of-life three years ago. The security researchers found that the exploit used in this campaign is similar to an exploit for a buffer overflow vulnerability disclosed in March 2017; the difference lies in the shellcode used in this campaign's commands. The alphanumeric or Unicode characters use ASCII shellcode to contain a Return-Oriented Programming (ROP) chain, which allows the attacker to bypass input restrictions and open a reverse shell to a malicious remote server. A reverse shell is a type of interactive shell wherein the victimized machine communicates with the cybercriminal’s remote machine and waits for shell commands to execute.

[Read: Security 101: How cryptocurrency-mining malware affects systems]

The targeted system receives two commands once connected to the attacker' machine; the first command disables the compromised machine’s firewall, and an exploit technique called Squiblydoo, which whitelists the attacker’s commands as a legitimate Microsoft binary. The attacker can execute a remote Extensible Markup Language (XML) containing scriptlets with the codes of choice. It rolls back to mimic legitimate and critical Microsoft Visual Basic scripts and processes before inserting the cryptominer in the system startup to make it look like a legitimate OS process.

The attackers only earned $99 from the campaign at the time the researchers published their report, initially implying that the entire operation was relatively unsuccessful. Possible explanations for the low number: Either there may not be that many vulnerable IIS 6.0 servers left to exploit, or that the cybercriminals may be changing wallet addresses from time to time.

It is always recommended to upgrade systems and move from legacy servers, though organizations might prefer to hold out to prepare accordingly. It's not easy to secure and manage legacy systems, especially for enterprises. Further, the training and migration of data required involve compliance, compatibility, and alignment concerns that require considerable company resources. Threat actors are always on the lookout for these systems’ changes because these upgrades could take months to implement, possibly leaving entire networks open for attack. Here are a few recommendations for managing your legacy systems:

  • Operating systems release emergency patches even for end-of-life products. Make sure to patch whenever these are made available
  • Avail of legitimate virtual patches provided by your security vendors. Security products continue to find vulnerabilities and upload virtual patches even for EOL systems


Trend Micro provides protections and virtual patches even for EOL systems for both enterprises and home users. Trend Micro Deep Security, Deep Discovery Inspector,Tipping Point,Trend Micro Home Network Security are protected from these attacks and vulnerabilities from the gateway to the endpoint.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.