{"id":2964,"date":"2024-09-25T20:46:53","date_gmt":"2024-09-25T20:46:53","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2964"},"modified":"2025-07-29T06:53:51","modified_gmt":"2025-07-29T06:53:51","slug":"new-coin-miner-malware-bashes-the-unsuspecting","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/new-coin-miner-malware-bashes-the-unsuspecting\/","title":{"rendered":"New Coin Miner Malware Bashes The Unsuspecting"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"547\" height=\"350\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/bash-1.webp\" alt=\"\" class=\"wp-image-2985\" srcset=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/bash-1.webp 547w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/bash-1-280x180.webp 280w\" sizes=\"(max-width: 547px) 100vw, 547px\" \/><\/figure>\n<\/div>\n\n\n<p><strong>Overview<\/strong><br><br>LMNTRIX Labs has reported multiple <a href=\"https:\/\/lmntrix.com\/Lab\/Lab_Search?q=miner\">coin-miner<\/a> infections. In the latest trend, we found a Monero (XMR) bash script that installs itself as a cron job and then downloads a malicious executable. 
&nbsp;<br><br>Here\u2019s the analysis.<br><br><strong>Bash Script Coin Miner Malware<\/strong><br><br>LMNTRIX Labs researchers discovered a bash script that downloads the coin mining malware.<br><br>MD5: eef5cdda9cc6415e94ecdfe1214e732a<br><br>Size: 3.65 KB<br><br>File Type: Bash Script<br><br>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"717\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-54-1024x717.webp\" alt=\"\" class=\"wp-image-2976\"\/><\/figure>\n\n\n\n<p><br><br><em>Figure 1 VT detection for the coin mining bash script<\/em><br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"349\" height=\"303\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-52.webp\" alt=\"\" class=\"wp-image-2977\"\/><\/figure>\n\n\n\n<p>&nbsp;<br><br><em>Figure 2 Malicious link hosting two coin miner files<\/em><br><br>The above picture shows the relationship between the malicious site, which hosts the two coin miner files, and the bash script (transfer.sh) that downloads them. To download the files, the script uses the wget command to pull them onto the victim server.<br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"651\" height=\"38\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-51.webp\" alt=\"\" class=\"wp-image-2978\"\/><\/figure>\n\n\n\n<p>&nbsp;<br><br><em>Figure 3 Downloading the coin miner files<\/em><br><br>The following VirusTotal links show that &#8216;clay&#8217; is a known Trojan. 
&#8216;Minerd&#8217; is, as the name suggests, a crypto miner.<br><br><a href=\"https:\/\/www.virustotal.com\/#\/file\/260ef4f1bb0e26915a898745be873373f083227a4f996731f9a3885397a49e79\/detection\" target=\"_blank\" rel=\"noopener\">https:\/\/www.virustotal.com\/#\/file\/260ef4f1bb0e26915a898745be873373f083227a4f996731f9a3885397a49e79\/detection<\/a><br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"675\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-52-1024x675.webp\" alt=\"\" class=\"wp-image-2979\"\/><\/figure>\n\n\n\n<p>&nbsp;<br><br><em>Figure 4 CLAY<\/em><br><br><a href=\"https:\/\/www.virustotal.com\/#\/file\/2d89b48ed09e68b1a228e08fd66508d349303f7dc5a0c26aa5144f69c65ce2f2\/detection\" target=\"_blank\" rel=\"noopener\">https:\/\/www.virustotal.com\/#\/file\/2d89b48ed09e68b1a228e08fd66508d349303f7dc5a0c26aa5144f69c65ce2f2\/detection<\/a><br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"679\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5-49-1024x679.webp\" alt=\"\" class=\"wp-image-2980\"\/><\/figure>\n\n\n\n<p>&nbsp;<br><br><em>Figure 5 MINERD<\/em><br><br>To avoid dependency errors, the bash script installs all the required packages before downloading the coin miner files.<br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"617\" height=\"554\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/6-46.webp\" alt=\"\" class=\"wp-image-2981\"\/><\/figure>\n\n\n\n<p>&nbsp;<br><br><em>Figure 6 To avoid dependency issues &#8211; installing all the required programs<\/em><br><\/p>\n\n\n\n<p><strong>Determining the Core Count \u2013 It doesn\u2019t need every core for Mining<\/strong><br><br>This bash script checks how many CPU cores are available on the server. 
If there are more than four cores, the coin miner uses only half of them, so that it does not consume the server\u2019s full capacity.<br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"617\" height=\"516\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/7-45.webp\" alt=\"\" class=\"wp-image-2982\"\/><\/figure>\n\n\n\n<p>&nbsp;<br><br><em>Figure 7 Code to determine the core count and set the miner\u2019s core consumption<\/em><br><br><strong>Persistence<\/strong><br><br>The script creates cron jobs that re-download the original bash script every five hours. The vital step for incident response is to make sure that, along with the malware, the cron job is also removed. Otherwise, even after all the mining programs have been removed from the infected server, this tiny cron job will keep the infection persistent.&nbsp;<br><br><strong>Additional Context: Browser Based Coin Miner<\/strong>&nbsp;<br><br>Most coin mining malware seems to focus on Linux based servers. One of the reasons might be that many Linux servers don\u2019t seem to be guarded with a good AV solution. That said, we have seen infections across Windows machines as well.<br><br>Apart from this mining malware, there is also coin mining malware on the market that can execute in any environment. It is referred to as Coinhive JS, a JavaScript used on a compromised website to perform coin mining activities. In our earlier research, our team analysed the CoinHive JavaScript, which uses the client\u2019s web browser to perform the coin mining activity. 
In this case, the resources consumed by the running process appeared under the web browser.<br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"553\" height=\"135\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/8-41.webp\" alt=\"\" class=\"wp-image-2983\"\/><\/figure>\n\n\n\n<p>&nbsp;<br><br>It is worth noting that popular sites like Pirate Bay, Vimshop.win, and Showtime have moved away from monetizing with ads in favor of using CoinHive to generate revenue.<br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"588\" height=\"55\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/9-37.webp\" alt=\"\" class=\"wp-image-2984\"\/><\/figure>\n\n\n\n<p><strong>Precautionary Steps To Take<\/strong><br><br>LMNTRIX Labs recommends blocking the mining pool sites at the proxy and firewall. It is always advisable to keep anti-malware solutions in place on systems such as Linux servers, with security patches up to date. Additionally, monitoring server health checks provides valuable information on resource utilization levels and helps administrators detect the presence of malware and identify the root cause.<br><br>&nbsp;<\/p>\n\n\n\n<p>On 2018-05-01<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview LMNTRIX Labs has reported multiple coin-miner infections. In the latest trend, we found a Monero XMR bash script that installs itself as a cron job and then downloads a malicious executable. &nbsp; Here&rsquo;s the analysis. Bash Script Coin Miner Malware LMNTRIX Labs researchers discovered a bash script which downloads the coin mining malware. 
MD5: eef5cdda9cc6415e94ecdfe1214e732a Size: [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2985,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2964","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2964","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2964"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2964\/revisions"}],"predecessor-version":[{"id":4350,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2964\/revisions\/4350"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2985"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2964"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2964"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2964"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}