Cryptocurrency mining rampage throttles Linux machines

Credit to Author: Amar Patil | Date: Tue, 22 May 2018 11:44:28 +0000

Quick Heal Security Labs recently came across a Linux-based Monero (XMR) miner. Monero (XMR) is one of the top 15 cryptocurrencies. It can be mined easily on any machine using its CPU computation power, which is one of the reasons it is preferred over Bitcoin or Ethereum, both of which are better known than Monero. Earlier, we had also written about a Windows-based cryptocurrency miner. In this blog post, we dive into a detailed analysis of the Linux-based Monero miner.

Infection chain

'c3.sh' is the source file for this Monero mining campaign. Most probably, the script (c3.sh) is placed on the targeted machine through an SSH brute-force attack.

Fig 1: Linux Monero miner infection chain

Let's dive into the infection chain of the Linux Monero miner.

Shell script (c3.sh) to deliver the Monero miner:

Fig 2: c3.sh script

As shown in fig 2, the 'c3.sh' shell script uses the 'nproc' command to check the number of CPU cores present in the user's system. If it is less than or equal to 4, the script terminates; otherwise it performs the following tasks:
- Kill all processes related to Monero mining if already present on the user's system
- Download the Monero miner files (tar) from a remote location
- Extract mine68b.tar and give permissions to all extracted contents using the chmod command
- Execute script 'x'

After extracting 'mine68b.tar', the following files are dropped:
- x: Shell script
- a: Shell script
- run: Shell script
- h32: Launcher of the Monero miner for 32-bit systems
- h64: Launcher of the Monero miner for 64-bit systems
- md: Monero miner file
- md32: Monero miner file
- mdx: Monero miner file

Let's discuss the contents of mine68b.tar in detail.

Script 1 – 'x': This one-line shell script uses the 'nohup' command so that script 'a' keeps running in the background even after the user logs out or exits the shell.

Fig 3: Use of nohup command to execute script 'a'

Script 2 – 'a': Creates a cron job to make the script persistent on the system.

Fig 4: Creation of cron job

As shown in fig 4, script 'a' creates a cron job so that the script is scheduled to run at regular intervals on the targeted computer. After creating the cron job, it executes the 'run' script.

Script 3 – 'run': Launches the Monero miner binaries.

Fig 5: Execution of Monero miner file

As shown in fig 5, this script first stores the system configuration in the 'ARCH' variable. Depending on the value of 'ARCH', one of the miner files present in the current directory is executed and the Monero mining process starts. Here 'h32' and 'h64' are launchers for the Monero miner files.

Let's look at a few terms in this 'run' script.
- Cryptonight: A proof-of-work algorithm. It is currently one of the algorithms well suited to CPU-based mining. Apart from Monero (XMR), the Cryptonight algorithm can be used to mine other currencies such as Bytecoin (BCN) and Electroneum (ETN).
- stratum+tcp: A cryptocurrency mining protocol.
- Wallet address: The wallet address to which the Monero mining rewards are transferred, i.e. the attacker's Monero wallet address.

Thus the miner carries all the binaries with it and executes the matching binary after identifying the system configuration.

Monero miner post-infection activity

On successful execution, the Monero miner generates the post-infection traffic shown below.

Fig 6: Post-infection traffic of Monero miner

In fig 7, we see the mining activity in action. In this case, the md32 miner has been executed and it is consuming 99.3% of CPU power to mine Monero (XMR) coins.

Fig 7: Monero mining activity

Safety Measures
- Disable the SSH protocol if it is not used.
- Always use a strong username and password for SSH login.
- Set a lockout policy which hinders guessing of credentials.
- Configure your firewall in the following ways:
  - Deny public IPs access to important ports
  - Allow access only from IPs which are under your control
- Use a VPN to access a network, instead of exposing SSH to the Internet.

Conclusion

It is a myth that Linux is safe from malware; the fact is, attackers are well prepared to use Linux machines for mining. The market for cryptocurrencies is large and we can expect…
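The infection chain and post-infection sections above describe three traces a defender can look for on a host: a cron entry that relaunches a script from a scratch directory, a nohup-wrapped launcher, and a miner binary pinned near 100% CPU while talking stratum+tcp to a pool. The script below is an added example, not code from the Quick Heal analysis or from the campaign, that turns those traces into checks over a crontab dump and a ps listing. The two listings are constructed samples, the pool host and wallet are placeholders, and the scratch-directory list and the 90% CPU threshold are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the Quick Heal post): audit a crontab dump and a
# process listing for the behaviours described in the analysis. The samples
# below are constructed; POOL_PLACEHOLDER and WALLET_PLACEHOLDER are not real.

SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * cd /tmp/.x && ./a >/dev/null 2>&1
@reboot nohup /var/tmp/mine68b/run >/dev/null 2>&1 &'

SAMPLE_PS='  PID %CPU COMMAND
  812  0.3 /usr/sbin/sshd -D
 2307 99.3 ./md32 -o stratum+tcp://POOL_PLACEHOLDER:3333 -u WALLET_PLACEHOLDER -p x
 2310  1.2 nginx: worker process'

# Cron entries that run something from a world-writable scratch directory
# (list chosen here), wrap it in nohup, or call one of the dropped file names
# (x, a, run, h32, h64, md, md32, mdx) from the current directory.
CRON_PATTERN='(^|[[:space:]])(nohup[[:space:]]+)?(/tmp|/var/tmp|/dev/shm)/|\./(x|a|run|h32|h64|md|md32|mdx)([[:space:]]|$)'

# Process command lines that use the stratum mining protocol, name the
# cryptonight algorithm, or run one of the dropped miner/launcher binaries.
PROC_PATTERN='stratum[+]tcp://|cryptonight|(^|/)(h32|h64|md|md32|mdx)([[:space:]]|$)'

# Print crontab lines (comments skipped) matching CRON_PATTERN.
suspicious_cron() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -E "$CRON_PATTERN"
    return 0
}

# Print process lines matching PROC_PATTERN.
suspicious_procs() {
    printf '%s\n' "$1" | grep -E "$PROC_PATTERN"
    return 0
}

# Print processes (header skipped) whose %CPU column exceeds the threshold $2.
high_cpu_procs() {
    printf '%s\n' "$1" | awk -v t="$2" 'NR > 1 && $2 + 0 > t'
}

# Count non-empty lines on stdin (helper for the checks above).
hit_count() {
    grep -c .
    return 0
}

# Run all three checks over a crontab dump ($1) and a ps listing ($2).
# Prints tagged findings; exit status is 0 when clean, 1 when anything hit.
audit() {
    findings=$( {
        suspicious_cron "$1" | sed 's/^/cron: /'
        suspicious_procs "$2" | sed 's/^/proc: /'
        high_cpu_procs "$2" 90 | sed 's/^/cpu>90%: /'
    } )
    printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Stand-alone run over the constructed samples.
audit "$SAMPLE_CRON" "$SAMPLE_PS" || echo "miner indicators found"
```

On a live host, feed audit the output of `cat /etc/crontab /etc/cron.d/*` plus `crontab -l` for each user, and `ps -eo pid,pcpu,args` for the process listing. The name patterns are deliberately narrow to this campaign's dropped files, so treat a hit as a lead to inspect rather than proof, and the scratch-directory and CPU-threshold checks will also flag legitimate batch jobs; the point is to surface the combination the analysis describes (persistence plus a sustained CPU hog plus a stratum connection).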
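The Safety Measures list above boils down to two controls: make SSH credential guessing unrewarding, and stop untrusted networks from reaching the SSH port at all. The script below is an added example, not part of the Quick Heal post, that checks an sshd_config text for the settings that let brute force succeed and emits an allowlist firewall policy for port 22. The two configurations are constructed samples, the MaxAuthTries limit of 3 is a threshold chosen for this example (sshd's default is 6), and 203.0.113.0/24 and 198.51.100.7 are documentation addresses standing in for an administrator's network.

```shell
#!/bin/sh
# Added example (not from the Quick Heal post): audit sshd_config for settings
# that make SSH password guessing worthwhile, and print allowlist firewall
# rules for port 22. Both configs are constructed samples.

WEAK_SSHD_CONFIG='# constructed: defaults left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_SSHD_CONFIG='# constructed: key-only logins, no root, tight retry limit
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy'

# Value of keyword $2 in config text $1, lower-cased. sshd honours the first
# non-comment occurrence of a keyword, so stop at the first match; prints
# nothing when the keyword is unset (i.e. the sshd default applies).
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print tolower($2); exit }'
}

# Report weak settings on stderr and print the number of findings on stdout.
audit_sshd_config() {
    cfg=$1
    findings=0
    pa=$(sshd_value "$cfg" PasswordAuthentication)
    if [ "${pa:-yes}" = yes ]; then
        echo "finding: PasswordAuthentication is on (sshd default); passwords can be guessed" >&2
        findings=$((findings + 1))
    fi
    if [ "$(sshd_value "$cfg" PermitRootLogin)" = yes ]; then
        echo "finding: PermitRootLogin yes exposes the root account to guessing" >&2
        findings=$((findings + 1))
    fi
    mat=$(sshd_value "$cfg" MaxAuthTries)
    # Limit of 3 is this example's policy; the sshd default is 6.
    if [ -z "$mat" ] || [ "$mat" -gt 3 ] 2>/dev/null; then
        echo "finding: MaxAuthTries is ${mat:-6 (default)}; lower it to slow guessing" >&2
        findings=$((findings + 1))
    fi
    printf '%s\n' "$findings"
}

# Print iptables rules that let only the listed CIDRs ($1, space separated)
# reach port 22 and drop everyone else. This only prints the rules for review;
# nothing here runs iptables. Order matters: ACCEPT rules precede the DROP.
ssh_allowlist_rules() {
    for cidr in $1; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$cidr"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Stand-alone run over the constructed samples.
echo "weak config findings: $(audit_sshd_config "$WEAK_SSHD_CONFIG")"
echo "hardened config findings: $(audit_sshd_config "$HARDENED_SSHD_CONFIG")"
ssh_allowlist_rules '203.0.113.0/24 198.51.100.7/32'
```

Point audit_sshd_config at `cat /etc/ssh/sshd_config` to check a real host; it deliberately treats an absent PasswordAuthentication or MaxAuthTries line as a finding because the defaults are the weak values. The generated rules append to the INPUT chain, so check them against rules already present (an earlier broad ACCEPT would shadow the DROP) before applying them, and keep the VPN or bastion route from the list above as the path administrators actually use.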