{"id":2437,"date":"2024-09-25T18:07:18","date_gmt":"2024-09-25T18:07:18","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2437"},"modified":"2025-07-29T03:42:40","modified_gmt":"2025-07-29T03:42:40","slug":"attackers-enslave-cpu-resources-set-them-to-cryptocurrency-mining","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/attackers-enslave-cpu-resources-set-them-to-cryptocurrency-mining\/","title":{"rendered":"Attackers enslave CPU resources, set them to cryptocurrency mining"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"491\" height=\"318\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Rudnik_Velenje_1958.webp\" alt=\"Rudnik_Velenje\" class=\"wp-image-2439\" style=\"width:577px;height:auto\" srcset=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Rudnik_Velenje_1958.webp 491w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Rudnik_Velenje_1958-280x180.webp 280w\" sizes=\"(max-width: 491px) 100vw, 491px\" \/><\/figure>\n<\/div>\n\n\n<p>Most cyberattackers target the personal data or pocketbooks of their victims, but others are after something else entirely \u2013 processing power.&nbsp;<br><br>This was the case when we witnessed a spike in a customer\u2019s CPU usage. The customer, whose environment contained predominantly Linux machines, reported nothing out of the ordinary. Our analysis quickly uncovered the culprit \u2013 a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Monero_(cryptocurrency)\" target=\"_blank\" rel=\"noopener\">Monero<\/a> cryptocurrency miner had been surreptitiously installed on the network and was draining the organisation\u2019s resources.&nbsp;<br><br>Currency mining, in and of itself, isn\u2019t illegal. In fact, it\u2019s a central part of cryptocurrencies. 
At a fundamental level, by using special software, miners solve math problems and, in return, are issued a certain number of coins. This process helps keep the currency secure by approving transactions and verifying them on the public ledger, or blockchain.&nbsp;<br><br>The process is designed to be resource-intensive, and the equations purposefully difficult, as this ensures new coins are released at a steady rate. This is why criminals sling coin mining malware against organizations with high computing resources \u2013 more CPU means more coins.&nbsp;<br><br><strong>Root cause of entry<\/strong><br><br>The compromise began after a user clicked on a malicious URL, either a display ad or through URL redirection, executing a shell script disguised with a .jpg extension (logo.jpg). After the malicious link was clicked, the content-type field in the response contained the exploit code that added an entry to crontab and downloaded the malicious logo.jpg file.<br><br>That file was stored in the cron entry and exploited the \u2018\u2019 (CVE-2017-5638) vulnerability, which allows an attacker to carry out Remote Code Execution (RCE) attacks.&nbsp;<br><br>After this, a configuration file was downloaded from a remote server and stored on the victim machine, and the CPU was then put to use mining Monero. The image below illustrates the infection steps:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"832\" height=\"368\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/coinminer.webp\" alt=\"\" class=\"wp-image-2438\"\/><\/figure>\n\n\n\n<p><em>Figure 1: Infection steps<\/em><br><br><strong>Exploitation phase<\/strong><br><br>As mentioned earlier, the Apache Struts vulnerability was pivotal in this attack. After gaining access, a blank file named \u201clclqhxwtts.conf\u201d was saved under the directory \/var\/tmp with read\/write permissions enabled. 
Then an HTTP request downloaded the necessary configuration from a remote server.&nbsp;<br><br>Any existing sshd files present in \/var\/tmp were deleted and replaced with the cryptocurrency mining support files, kworker and kworker_na, saved in the directory \/var\/tmp\/sshd. This file\u2019s permissions were set to \u2018executable\u2019, and a cron entry was created to run it every 29 minutes.&nbsp;<br><br>Let\u2019s take a closer look at these configuration files:&nbsp;<br><br>&quot;url&quot; : &quot;stratum+tcp:\/\/91.121.87(.)10:80&quot;,<br><br>&quot;user&quot; : &quot;46XG1vfKxfE1yQnPkrwdQoUDdewkqxCz8ZUnjtu4HH6j27uaWdXaC8D43Vax6XVZmGb3MTHaULEBoiBo7DbP3PPJLyffUcF&quot;,<br><br>&quot;pass&quot; : &quot;x&quot;,<br><br>Another configuration file included similar contents:<br><br>&quot;url&quot; : &quot;stratum+tcp:\/\/94.23(.)206(.)130:80&quot;,<br><br>&quot;user&quot; : &quot;46XG1vfKxfE1yQnPkrwdQoUDdewkqxCz8ZUnjtu4HH6j27uaWdXaC8D43Vax6XVZmGb3MTHaULEBoiBo7DbP3PPJLyffUcF&quot;,<br><br>&quot;pass&quot; : &quot;x&quot;,<br><br>Here we see the \u2018user\u2019 field set to the cryptocurrency wallet address and the password set to \u2018x\u2019 \u2013 a.k.a. no password.<br><br>These files used the CryptoNight algorithm, which is one of many algorithms used to mine cryptocurrencies. CryptoNight is designed to use the CPU rather than the GPU.&nbsp;<br><br><strong>Coin miner<\/strong><br><br>In the attack\u2019s final step, the coin miner was dropped from 91.230.47(.)40 and almost immediately began using the victim\u2019s CPU resources. As identified in the conf files, the coin wallet was: 46XG1vfKxfE1yQnPkrwdQoUDdewkqxCz8ZUnjtu4HH6j27uaWdXaC8D43Vax6XVZmGb3MTHaULEBoiBo7DbP3PPJLyffUcF.<br><br><strong>Conclusion<\/strong><br><br>Regular patching will keep the system safe from most coin mining infections. 
In this case, Apache Struts needs to be updated to the latest version, or a servlet filter should be deployed to validate the content-type header \u2013 the initial means of infection in this scenario.&nbsp;<br><br>The identified coin mining IP addresses should also be blocked in the firewall and proxy.<\/p>\n\n","protected":false},"excerpt":{"rendered":"<p>Most cyberattackers target the personal data or pocketbooks of their victims, but others are after something else entirely &ndash; processing power.&nbsp; This was the case when we witnessed a spike in a customer&rsquo;s CPU usage. The customer, whose environment contained predominantly Linux machines, reported nothing out of the ordinary. Our analysis quickly uncovered the culprit [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2439,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2437","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2437","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2437"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2437\/revisions"}],"predecessor-version":[{"id":4256,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2437\/revisions\/4256"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2439"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?pa
rent=2437"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2437"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2437"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}