Released Thursday, the report by security researcher Fernando Domínguez provides a step-by-step walkthrough of how one rather low-profile cryptojacker infects and spreads across vulnerable Exim, Confluence and WebLogic servers, installing malicious code that mines monero through a proxy. Exim servers represent nearly half of all email servers, according to ZDNet.
The worm first injects target servers with a Bash script that checks for, and kills, competing mining processes before attempting to infiltrate other known machines within the network. Crypto-miners often exterminate competing miners once they infect a system, and for one very simple reason: the more CPU one process hogs, the less is left over for the others, according to the report.
Breached servers then download the script's payload: an "omelette" (as the variable holding the downloaded executable is named) based on the open-source monero miner XMRig.
Available on GitHub, XMRig is a favorite of malware authors and a standard building block in cryptojackers' arsenals. It has been retrofitted into MacBook miners, spread across 500,000 computers and, in 2017, became so popular that reports of malicious mining spiked more than 400 percent.
This modified miner does its business through a proxy, according to AT&T Alien Labs. That makes tracing the funds, or even discerning the wallet address, nearly impossible without access to the proxy server, since the proxy, not the wallet, is all that shows up on the infected host and on the wire.
Frying this omelette is tough. When the miner downloads, another file called "sesame", like the first Bash script, downloads as well. This is the key to the worm's persistence: it hooks into a cron job that runs at a five-minute interval, enabling it to survive kill attempts and system reboots. It can also update itself automatically with new versions.
AT&T Alien Labs began tracking the worm in June 2019. It was also analyzed by cloud security analysis firm Lacework in July.
Researchers don't quite know how widespread this unnamed monero miner is. Alien Labs' report admits that "it is hard to estimate how much income this campaign has reported to the threat actor," but notes the campaign is "not very big."
Nonetheless, it is a reminder to all server operators: always keep your software patched and up to date.