Delaware, USA – September 2, 2019 – A cryptocurrency mining botnet has switched from IoT devices to Intel-based systems running Linux. Akamai security researchers discovered that one of the botnets attacking MIPS- and ARM-powered devices has begun targeting x86/i686 systems and installing the XMRig v2.14.1 cryptocurrency miner. The earliest samples date from the end of July, and the primary targets are enterprise servers. The botnet scans for vulnerable Intel systems with SSH enabled on port 22, performs a dictionary attack against the service, establishes a connection once credentials are guessed, and delivers the malware as a gzip archive. Once on the system, the malware unpacks the archive and runs shell scripts that check for other cryptocurrency mining malware and remove it from the server if found. The script then checks whether the botnet has already infected this system, finishes the installation, and ensures persistence by adding entries to crontab. The malware runs XMRig as a 32-bit or 64-bit x86 binary; to make the processes look legitimate, the adversaries name the binaries after common Linux utilities. For communication with the command-and-control server, the malware installs a shell script that talks to the C2 over IRC and also has DDoS and port scanning functionality.
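As an added example (not code from the SOC Prime article or from Akamai's research), the following script shows host-side triage for the two observable stages of the chain described above: a burst of failed SSH passwords from one source followed by an accepted password from the same source, and crontab persistence entries whose executable lives in a world-writable directory or borrows the name of a system daemon while sitting outside the usual bin directories. The auth.log lines and crontab content are constructed for the example, the IP addresses are from documentation ranges, and the failure threshold, directory lists and utility-name list are assumptions to tune for your environment.

```python
"""Triage helpers for the SSH dictionary attack -> crontab persistence chain.

Added example; the log lines and crontab below are constructed, not real
telemetry. Thresholds and path lists are assumptions, not Akamai indicators.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log: six failures, then a success,
# from the same source, plus an unrelated key-based login.
AUTH_LOG = """\
Sep  2 10:00:01 srv01 sshd[2211]: Failed password for root from 203.0.113.7 port 51312 ssh2
Sep  2 10:00:02 srv01 sshd[2213]: Failed password for root from 203.0.113.7 port 51314 ssh2
Sep  2 10:00:03 srv01 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51316 ssh2
Sep  2 10:00:04 srv01 sshd[2217]: Failed password for root from 203.0.113.7 port 51318 ssh2
Sep  2 10:00:05 srv01 sshd[2219]: Failed password for root from 203.0.113.7 port 51320 ssh2
Sep  2 10:00:06 srv01 sshd[2221]: Failed password for root from 203.0.113.7 port 51322 ssh2
Sep  2 10:00:09 srv01 sshd[2230]: Accepted password for root from 203.0.113.7 port 51340 ssh2
Sep  2 10:05:00 srv01 sshd[2300]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def find_bruteforce_logins(log_text, threshold=5):
    """Return password logins preceded by >= threshold failures from the same IP.

    Key-based logins are ignored: a dictionary attack ends in an accepted
    *password*, which is the event worth alerting on.
    """
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and m.group(1) == "password":
            ip = m.group(3)
            if failures[ip] >= threshold:
                hits.append({"ip": ip, "user": m.group(2), "failures": failures[ip]})
    return hits


# Constructed crontab: one legitimate job and two persistence entries whose
# binaries are named after system daemons but run from scratch directories.
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /tmp/.x/sshd >/dev/null 2>&1
@reboot /dev/shm/.cache/crond -c /dev/shm/.cache/config.json
"""

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")          # assumption
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")  # assumption
UTILITY_NAMES = {"sshd", "crond", "cron", "rsyslogd", "kworker", "systemd", "httpd"}  # assumption


def flag_crontab_entries(crontab_text):
    """Return crontab commands that look like miner persistence, with reasons."""
    flagged = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        fields = s.split()
        # "@reboot"-style entries have one schedule field, normal entries five.
        cmd_start = 1 if fields[0].startswith("@") else 5
        if len(fields) <= cmd_start:
            continue
        exe = fields[cmd_start]
        reasons = []
        if exe.startswith(SCRATCH_DIRS):
            reasons.append("executable in world-writable dir")
        if exe.rsplit("/", 1)[-1] in UTILITY_NAMES and not exe.startswith(SYSTEM_BIN_DIRS):
            reasons.append("utility name outside system bin dirs")
        if reasons:
            flagged.append({"command": " ".join(fields[cmd_start:]), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_bruteforce_logins(AUTH_LOG):
        print("brute-forced login:", hit)
    for entry in flag_crontab_entries(CRONTAB):
        print("suspicious cron entry:", entry)
```

On a live host the same functions can be fed `cat /var/log/auth.log` and the output of `crontab -l` for each user plus `/etc/cron.d/*`; the point of keying on the accepted password rather than on the failures alone is that failures are constant background noise on any internet-facing SSH port, while a success after a burst is the moment the miner is about to be dropped.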
The botnet has already infected multiple systems in Europe, Asia, and North and South America. Despite declining interest in coinminers, they still pose a threat to corporate resources: adversaries automate the process of finding and infecting servers that have weak passwords or missing updates. Earlier this year, researchers discovered and neutralized a botnet that had infected more than 50,000 Windows MS-SQL and PHPMyAdmin servers.
Content to detect such attacks:
Web Application Security Framework rule pack – https://my.socprime.com/en/integrations/web-application-security-framework-hpe-arcsight
Brute Force Detection rule pack – https://my.socprime.com/en/integrations/brute-force-detection-arcsight