According to a report that was originally released by security analysts from Palo Alto Networks, at least five percent of all Monero tokens that are currently in circulation on the market were mined using malware. This means that criminal organizations have used security breaches in servers and end-user machines to mine over 790,000 Monero coins, also known as XMR. Slightly around 20 million hashes per second, which is around two percent of the entire hashing power of the Monero network, came from infected devices during the past year.
Considering current exchange rates, network difficulty and other factors this impressive amount of processing power will still translate into somewhere around more than $30,000 every day for these groups, which is a substantial amount of money by comparison. The top three hash-rates mine between $1,600 and $2,700 worth of Monero every day.
Linux security experts were surprised to learn back in January that RubyMiner malware used to mine Monero in this method had actually targeted servers that run GNU/Linux as well as those that run Microsoft Windows server packages as part of their system software.
The exploit on Linux machines contained a set of shell commands and allow attackers to clear cron jobs before adding their own. This new cron job downloads a shell script that gets hosted in the robots.txt text files that are a standard part of most web domains.
Eventually, this script can download and install an unsupported version of the otherwise legitimate XMRig Monero miner application. PyCryptoMiner targeted Linux servers as well. Another group of Monero miner malware went after Oracle WebLogic servers.
Fortunately, those exploits weren’t able to do much damage because the attackers were relying on older exploits that Linux security experts figured out how to plug a long time ago. This lead some in the open-source community to assume that attackers were going after machines with operating system installs that were antiquated in server terms.
Nevertheless, the latest more impressive numbers spelled out in this report would insinuate that newer attacks may be taking advantage of recent exploits in both Windows and GNU/Linux.