F5 threat researchers detected attackers actively exploiting the rTorrent client through a previously undisclosed misconfiguration vulnerability and deploying a Monero (XMR) crypto-miner operation.

• The rTorrent client misconfiguration vulnerabilities include:
  • No authentication required for XML-RPC communication
  • Sensitive XML-RPC method is allowed (direct OS command execution)
• Attackers are actively exploiting this vulnerability in the wild by scanning the Internet for exposed rTorrent clients
• Attackers are using the exploited systems to mine Monero crypto-currency
• The malware is hosted on the hidden TOR network; the Tor2Web “gateway” is used to access it
• Currently only 3 of 59 anti-virus agents detect the malware file
• The campaign employs evasion techniques
• The campaign is possibly connected to the Zealot Monero mining campaign from late 2017

Recently, the security of torrent clients received public attention¹ after Google’s Project Zero researcher Tavis Ormandy² reported several vulnerabilities in one of the most popular BitTorrent clients, uTorrent. The vulnerabilities were related to the handling of JSON-RPC calls wherein a victim visiting an attacker’s website could be served a malicious JavaScript that would implement a DNS rebinding attack in order to get the authentication secret from the webroot folder. Once successful, the attacker would further compromise the torrent client settings and finally the machine itself using a locally installed torrent client over JSON-RPC.

rTorrent³ is a Unix-based torrent client that is implemented in C++. rTorrent optionally supports XML-RPC to allow control by other external programs. XML-RPC is a remote procedure call (RPC)⁴ protocol⁵ that uses XML⁶ to encode its calls and HTTP⁷ as a transport mechanism. ruTorrent is an example of a web-based front-end that controls the rTorrent client using XML-RPC communication.