Butter Cryptomining Campaign

First observed in 2015, Butter is a cryptocurrency mining campaign that has links to Singapore and Hong Kong. It has previously utilised the XOR.DDOS remote access trojan (RAT). However, it has recently been observed targeting Linux machines using a new RAT, known as Samba.

The threat actors operating the Butter campaign are using brute force SSH attacks on Linux devices that are exposed to the internet. If successful, the attackers will add a user, Butter, and create a backdoor. They will then download the payload, either Samba or XOR.DDOS, change its file permissions and execute it.

Once installed, Samba will delete log files to evade detection and add itself to configuration and start up systems to maintain persistence. It will then implement an update mechanism and execute a miner via a command and control server. The miner utilises the CPU of infected devices to mine for the Monero cryptocurrency. Additionally, Samba can execute shell commands, download files and also possesses the same features as XOR.DDOS. XOR.DDOS can perform distributed denial-of-service attacks, implement measures to maintain persistence, kill any competing malware and install a rootkit.

Indicators of Compromise

IP Addresses

  • 103.51.109[.]217
  • 103.233.83[.]247
  • 203.12.202[.]64
  • 123.1.172[.]120
  • 103.233.83[.]23
  • 103.233.82[.]32
  • 203.12.202[.]137
  • 211.155.114[.]75
  • 46.105.103[.]169
  • 37.187.154[.]79


  • x.bigoupai[.]live
  • fr.minexmr[.]com
  • p2.minexmr[.]com

SHA256 File Hashes

  • ae7e865b4da55f0de960a934794e7f3654a6f5475d2a85a9a7f39e4fe9cf53f5
  • 005b29393ffe00e4d0d5736ede871025f6c0c3cb53ec14171396758248e9e3df
  • c75e40cea99ab863750665187bf1c3a8393c7fef3e2bc67c5e8d2d1085c0b0b2
  • 0e0bf4a089e7199dced4ec52e62b029b8df69f843cd2bd8b85da46762d328bbd
  • c9153e2b15def39420e88a058a15f3bc0fde6e6a3bd53ced4a6a6f644b51a935
  • c40a6fac6a7b43fd74aca488d4ec8f9a1a7cc1ac8ef211c131ff56a4e8dd665b
  • 51944f895207232966b6f594feeafdb2b1561f68f832af5c00d7d082bf10007e
  • 104c8d9c8ea5dcf68986a80e17fdac95e7d1cfe1f2ce7e5d021ed4d15d2811a7
  • a2c8c26972a9f739127429705db494b369192de6fc44cd4175b00708a6cf5d05
  • f50eae2f3ff71a6556bbc8bcd5b3113511f77fb8ff82ea4eca63af2ce3babb30
  • 3555ee8275836151011f4eb0f1c54053c17c883f22aed0ee3bdad0b0213d4dfc


  • /tmp/2308
  • /tmp/2072
  • /tmp/seconfig/samba
  • /etc/seconfig/samba
  • /root/linux-gn
  • /tmp/x86_64
  • /tmp/seconfig/samba
  • /tmp/seconfig/xorgg
  • /etc/seconfig/xorgg
  • /tmp/x86_64
  • /tmp/80
  • /tmp/x86_64
  • /etc/seconfig/samba
  • /root/linux-gn
  • /tmp/x86_64
  • /tmp/seconfig/samba
  • /etc/seconfig/samba
  • /root/linux-gn
  • /tmp/x86_64
  • /tmp/seconfig/samba

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: