Criminals are using vulnerable rTorrent clients to mine Monero


Attackers are targeting rTorrent clients with a particular configuration in order to secretly mine the cryptocurrency Monero on users' systems. Abusing the clients does not require any interaction from the users.

Security firm F5 discovered that attackers are actively searching the Internet for vulnerable rTorrent clients and exploiting them to mine Monero. The criminals managed to mine about 35 euros' worth of Monero a day in this way, for a total of about 3200 euros.

The rTorrent client is based on the libTorrent libraries for Unix. Optionally, the program supports the remote procedure call protocol XML-RPC, for management via other tools. Communicating with rTorrent over this interface does not require authentication, as the feature is not intended to be publicly accessible.

The attackers discovered that rTorrent clients that are not configured properly can be made to execute shell commands remotely. As soon as such clients are found, the attackers smuggle in a coin miner via Tor2Web and also stop any existing miners.
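For administrators, the exposure described above can be checked in the rTorrent configuration file. The following is an added example, not code from F5 or the rTorrent project: it flags SCGI listeners (the transport rTorrent's XML-RPC interface is served over) that are bound to a non-loopback address. The directive names are rTorrent's own and are not named in the article; the sample configuration is constructed.

```python
import ipaddress
import re

# rTorrent directives that open the SCGI listener behind XML-RPC
# (old and new command names; assumed to be how the client is configured).
TCP_KEYS = {"scgi_port", "network.scgi.open_port"}
UNIX_KEYS = {"scgi_local", "network.scgi.open_local"}

# Constructed sample .rtorrent.rc, not taken from any real system.
SAMPLE_RC = """\
# constructed sample
directory = ~/downloads
scgi_port = 0.0.0.0:5000
network.scgi.open_port = "127.0.0.1:5001"
scgi_local = /home/user/.rtorrent.sock
"""

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host, bare port or hostname: treat as exposed

def audit_rtorrent_rc(text):
    """Return (line_no, severity, message) for every SCGI listener found."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([\w.]+)\s*=\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if key in UNIX_KEYS:
            findings.append((no, "ok", f"unix socket {value}: verify file permissions"))
        elif key in TCP_KEYS:
            host = value.rsplit(":", 1)[0].strip("[]")  # also handles [::1]:port
            if is_loopback(host):
                findings.append((no, "warn", f"{value}: loopback only, still open to every local process"))
            else:
                findings.append((no, "high", f"{value}: unauthenticated XML-RPC reachable from the network"))
    return findings

if __name__ == "__main__":
    for finding in audit_rtorrent_rc(SAMPLE_RC):
        print(*finding)
```

A "high" finding means the unauthenticated interface is listening beyond the local machine; binding to a Unix socket with restrictive permissions, or putting an authenticating proxy in front, removes that exposure.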

Recently, vulnerabilities were found in μTorrent that also enabled code execution. But to exploit those, users have to be persuaded, for example, to visit a website that executes commands via a DNS rebinding attack.
