Butter Cryptomining Campaign
First observed in 2015, Butter is a cryptocurrency mining campaign that has links to Singapore and Hong Kong. It has previously utilised the XOR.DDOS remote access trojan (RAT). However, it has recently been observed targeting Linux machines using a new RAT, known as Samba.
The threat actors operating the Butter campaign are using brute force SSH attacks on Linux devices that are exposed to the internet. If successful, the attackers will add a user, Butter, and create a backdoor. They will then download the payload, either Samba or XOR.DDOS, change its file permissions and execute it.
Once installed, Samba will delete log files to evade detection and add itself to configuration and start up systems to maintain persistence. It will then implement an update mechanism and execute a miner via a command and control server. The miner utilises the CPU of infected devices to mine for the Monero cryptocurrency. Additionally, Samba can execute shell commands, download files and also possesses the same features as XOR.DDOS. XOR.DDOS can perform distributed denial-of-service attacks, implement measures to maintain persistence, kill any competing malware and install a rootkit.
Indicators of Compromise
IP Addresses
- 103.51.109[.]217
- 103.233.83[.]247
- 203.12.202[.]64
- 123.1.172[.]120
- 103.233.83[.]23
- 103.233.82[.]32
- 203.12.202[.]137
- 211.155.114[.]75
- 46.105.103[.]169
- 37.187.154[.]79
Domains
- x.bigoupai[.]live
- fr.minexmr[.]com
- p2.minexmr[.]com
SHA256 File Hashes
- ae7e865b4da55f0de960a934794e7f3654a6f5475d2a85a9a7f39e4fe9cf53f5
- 005b29393ffe00e4d0d5736ede871025f6c0c3cb53ec14171396758248e9e3df
- c75e40cea99ab863750665187bf1c3a8393c7fef3e2bc67c5e8d2d1085c0b0b2
- 0e0bf4a089e7199dced4ec52e62b029b8df69f843cd2bd8b85da46762d328bbd
- c9153e2b15def39420e88a058a15f3bc0fde6e6a3bd53ced4a6a6f644b51a935
- c40a6fac6a7b43fd74aca488d4ec8f9a1a7cc1ac8ef211c131ff56a4e8dd665b
- 51944f895207232966b6f594feeafdb2b1561f68f832af5c00d7d082bf10007e
- 104c8d9c8ea5dcf68986a80e17fdac95e7d1cfe1f2ce7e5d021ed4d15d2811a7
- a2c8c26972a9f739127429705db494b369192de6fc44cd4175b00708a6cf5d05
- f50eae2f3ff71a6556bbc8bcd5b3113511f77fb8ff82ea4eca63af2ce3babb30
- 3555ee8275836151011f4eb0f1c54053c17c883f22aed0ee3bdad0b0213d4dfc
Filepaths
- /tmp/2308
- /tmp/2072
- /tmp/seconfig/samba
- /etc/seconfig/samba
- /root/linux-gn
- /tmp/x86_64
- /tmp/seconfig/samba
- /tmp/seconfig/xorgg
- /etc/seconfig/xorgg
- /tmp/x86_64
- /tmp/80
- /tmp/x86_64
- /etc/seconfig/samba
- /root/linux-gn
- /tmp/x86_64
- /tmp/seconfig/samba
- /etc/seconfig/samba
- /root/linux-gn
- /tmp/x86_64
- /tmp/seconfig/samba
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.