HolesWarm (Crypto-Miner) Malware Targeted Unpatched Windows and Linux Servers


Researchers at a security firm named Tencent have recently revealed details about the botnet crypto-miner. For the record, the crypto-miner malware has compromised over 1,000 clouds hosts. It has caused such colossal damage to cloud hosts only since June 2021. Dubbed as HolesWarm, the malware forced its way into cloud hosts by leveraging over 20 known vulnerabilities in Windows, Linux servers. Essentially, HolesWarm malware targeted unpatched Windows and Linux servers to utilize their hardware resources for cryptocurrency mining.


LIFARS offers security advisory services to help validate your compliance and controls in the pursuit of maintaining your compliance. We create a robust security foundation after evaluating your current approach.


King of Vulnerability Exploitation

Tencent researchers are the ones who have first identified HolesWarm. They also labeled the crypto-miner malware as the king of vulnerability exploitation because of the glorious triumph of infiltrating systems. The surprising thing is that the uncomplicated crypto-miner malware or botnet paved its way to cloud hosts by manipulating several known vulnerabilities between attacks.

Constant Evolution

In a short period, the botnet has shifted between more than 20 attack methods. However, the quantity of lost clouds is as yet on the rise. For this reason, it is becoming more challenging to defend against it amid its constant evolution. Researchers also claim that HolesWarm surreptitiously gives away the password and control of the victim’s server to attackers.

Additionally, the crypto-miner malware does not stop here. Tencent observed it exploiting risk-stricken vulnerabilities in several office server components. It includes Apache Tomcat, Spring Boot, Weblogic, Jenkins, Zhiyuan, Weblogic, Structs2, UFIDA, XXL-JOB, and Shiro. Once HolesWarm gains a foothold on an infected system, it dumps local passwords plus expands to the local network. Afterward, it installs an XMRig-based cryptocurrency mining tool.

Moreover, HolesWarm malware appears more blatant. Whereas other botnet operators strive to conceal their presence on infected systems, it does not seem to implement the given safety mechanism. It often reaches the upper limit of server CPUs, susceptible to its discovery.

Botnet Mines for Monero Cryptocurrency

Collecting cryptocurrency is vital for any criminal group to get bigger and maintain capabilities. They can also gain added exploits traded in the Dark Web or utilize some cybercrime-as-a-service.

The HolesWarm paves its way to infected systems in the desire of mining for Monero. Essentially, crypto-miners audit unending strings of blockchain to make money. However, it only turns out profitable when a plethora of machines count a plethora of strings of blockchain.

First of all, crypto-miner malware invades the system of a victim. Subsequently, it puts it to work as part of a more widespread criminal endeavor to mine Monero at scale. Notwithstanding, it all happens at the expense of the resources of someone else.

Appeal to the Government and Organizations

Meanwhile, Tencent also urged government and organizations’ operational and maintenance workers to mitigate known vulnerabilities immediately. To prevent falling victim to the subsequent HolesWarm attack, they should implement patches as soon as they become available. They should effectively patch high-risk vulnerabilities in interconnected organizational parts to keep Windows and Linux servers from becoming victims.

Final Words

Fundamentally, the HolesWarm is merely another botnet in the long raw of crypto-mining botnets that regularly emerge online. The apparent simplicity with which the crypto-miner malware got identified alongside its rapid and constant evolution shows a criminal group just getting their initiative going. In terms of its composition, it is not technically complex. By all accounts, the operators behind it are simply exploiting many servers running outdated software. Apart from that, they are continually updating their tactics, techniques, and procedures.




HolesWarm malware exploits vulnerabilities in Windows and Linux servers

HolesWarm Malware goes after Linux and Window servers

A new botnet exploits unpatched Windows and Linux servers

HolesWarm malware targets unpatched Linux, Windows servers

The latest HolesWarm botnet targets Linux and Windows servers