Amar Patil

Cryptocurrency mining rampage throttles Linux machines – an analysis by Quick Heal Security Labs

May 22, 2018

Quick Heal Security Labs recently came across a Linux-based Monero (XMR) miner. Monero (XMR) is one of the top 15 cryptocurrencies. It can be mined easily on any machine using its CPU computation power, which is one of the reasons why it is preferred over Bitcoin or Ethereum, both of which are more famous than Monero. Earlier, we had also written about a Windows-based cryptocurrency miner. In this blog post, we dive into a detailed analysis of the Linux-based Monero miner.

Infection chain

‘c3.sh’ is the source file for this Monero mining campaign. Most probably, the script (c3.sh) was injected into the targeted machine through an SSH brute-force attack.

Fig 1: Linux Monero miner infection chain

Let’s dive into the infection chain of Linux Monero miner.

  • Shell script (c3.sh) to deliver the Monero miner:

Fig 2: c3.sh script

As shown in fig 2, the ‘c3.sh’ shell script uses the ‘nproc’ command to check the number of CPU cores present in the user’s system. If the count is less than or equal to 4, the script terminates; otherwise it performs the following tasks:

  • Kill all processes related to Monero mining if they are already present on the user’s system
  • Download the Monero miner files (a tar archive) from a remote location
  • Extract mine68b.tar and set permissions on all extracted contents using the chmod command
  • Execute the script ‘x’

After extracting ‘mine68b.tar’, the following files are dropped:

  • x: Shell script
  • a: Shell script
  • run: Shell script
  • h32: Launcher of the Monero miner for 32-bit systems
  • h64: Launcher of the Monero miner for 64-bit systems
  • md: Monero miner file
  • md32: Monero miner file
  • mdx: Monero miner file

Let’s discuss the contents of mine68b.tar in detail.

  • Script 1 – ‘x’:

This one-line shell script uses the ‘nohup’ command so that script ‘a’ keeps running in the background even after the user logs out or exits the shell.

Fig 3: Use of nohup command to execute script ‘a’

  • Script 2 – ‘a’:

Creates a cron job to make the script persistent on the system.

Fig 4: Creation of cron job

As shown in fig 4, script ‘a’ creates a cron job so that the script is scheduled to run at regular intervals on the targeted computer. After creating the cron job, it executes the ‘run’ script.

  • Script 3 – ‘run’:

Launches the Monero miner binaries.

Fig 5: Execution of Monero miner file

As shown in fig 5, this script first stores the system architecture in the ‘ARCH’ variable. Depending on the value of ‘ARCH’, one of the miner files present in the current directory is executed and the Monero mining process starts. Here ‘h32’ and ‘h64’ are launchers for the Monero miner files. Let’s look at a few terms in this ‘run’ script.

Cryptonight: A proof-of-work algorithm. Currently, it is one of the algorithms best suited to CPU-based mining. Apart from Monero (XMR), the Cryptonight algorithm can be used to mine other currencies such as Bytecoin (BCN) and Electroneum (ETN).

stratum+tcp: A cryptocurrency mining protocol (the Stratum pool protocol carried over plain TCP).

Wallet Address: The wallet address to which the Monero mining rewards are transferred; it is therefore the attacker’s Monero wallet address.

Thus the miner carries all the binaries with itself and executes the appropriate one after identifying the system configuration.

Monero miner post-infection activity

On successful execution, the Monero miner generates the below post-infection traffic.

Fig 6: Post-infection traffic of Monero miner

In fig 7, we see the mining activity in action. In this case, the md32 miner has been executed and is consuming 99.3% of CPU power to mine Monero (XMR) coins.

Fig 7: Monero mining Activity
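The behaviour described above (a miner launched from a dropped directory, a cron job re-launching it, a command line naming the pool and algorithm, and a process pinned near 100% CPU) gives a defender a handful of host-level checks. The following triage script is an added example, not part of the original post or Quick Heal's tooling: it runs the checks over `ps` and crontab text. The sample `ps` and crontab content is constructed; the pool host `pool.example.invalid`, the wallet placeholder and the `/tmp/.x` directory are assumptions of the example, not indicators from the post.

```python
"""Host triage for a cron-persisted CPU miner (added example, not from the post)."""
import re
from dataclasses import dataclass

# Command-line markers taken from the post's description of the `run` script.
CMDLINE_MARKERS = ("stratum+tcp://", "cryptonight")
# Writable/temporary locations, plus a relative "./" start because `run`
# executes the miner files from its current directory. Long-running
# binaries rarely legitimately execute from any of these.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "./")
CPU_THRESHOLD = 90.0  # percent; fig 7 shows md32 at 99.3%
# Crontab content worth a second look: network fetches, nohup, temp dirs.
CRON_MARKERS = ("wget ", "curl ", "nohup ", "/tmp/", "/var/tmp/", "/dev/shm/")

# One line of `ps -eo pid,pcpu,comm,args --no-headers`.
PS_LINE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(.*)$")


@dataclass
class Finding:
    source: str   # "process" or "cron"
    detail: str   # the offending line
    reason: str


def scan_processes(ps_output: str) -> list:
    """Flag miner-like processes in `ps -eo pid,pcpu,comm,args` output."""
    findings = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        pid, pcpu, _comm, args = m.groups()
        if any(mk in args.lower() for mk in CMDLINE_MARKERS):
            findings.append(Finding("process", f"pid {pid}: {args}",
                                    "mining pool/algorithm in command line"))
        elif float(pcpu) >= CPU_THRESHOLD and args.startswith(SUSPICIOUS_PREFIXES):
            findings.append(Finding("process", f"pid {pid}: {args}",
                                    f"{pcpu}% CPU from an unusual location"))
    return findings


def scan_crontab(crontab_text: str) -> list:
    """Flag crontab entries resembling the persistence created by script 'a'."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        hits = [mk.strip() for mk in CRON_MARKERS if mk in line]
        if hits:
            findings.append(Finding("cron", line, "references " + ", ".join(hits)))
    return findings


def triage(ps_output: str, crontab_text: str) -> list:
    """Combine both scans into one report."""
    return scan_processes(ps_output) + scan_crontab(crontab_text)


# Constructed sample data (not real captures); values are illustrative.
SAMPLE_PS = """\
    1  0.0 systemd  /sbin/init
  842  0.1 sshd     /usr/sbin/sshd -D
 1337 99.3 md32     ./md32 -a cryptonight -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER -p x
 1402 95.0 h64      /tmp/.x/h64
 1500  2.3 python3  /usr/bin/python3 /opt/app/server.py
"""
SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * /tmp/.x/a >/dev/null 2>&1
@reboot nohup /tmp/.x/x &
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PS, SAMPLE_CRON):
        print(f"[{f.source}] {f.reason}: {f.detail}")
```

On a live host, feed it `ps -eo pid,pcpu,comm,args --no-headers` and the output of `crontab -l` for each user (plus `/etc/cron.d`); the CPU branch is deliberately combined with the location check so that a busy but legitimately installed service is not reported.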

Safety Measures

  • Disable the SSH protocol if it is not used.
  • Always use a strong username and password for SSH login.
  • Set a lockout policy that hinders guessing of credentials.
  • Use a VPN to access a network instead of exposing SSH to the Internet.
  • Configure your firewall in the following ways:
    1. Deny public IPs access to important ports
    2. Allow access only from IPs which are under your control
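Since the post traces the initial access to SSH brute force, the settings that matter most live in `sshd_config`. The script below is an added example, not from the original post: it parses an `sshd_config`, resolves the effective global value of each keyword the way sshd does (first occurrence wins, keywords are case-insensitive, and directives after the first `Match` block are conditional), and reports deviations from a small hardening baseline. The two configs are constructed; the baseline values are common hardening practice assumed by this example, not settings the post prescribes.

```python
"""sshd_config audit against brute-force-relevant settings (added example)."""

# Canonical keyword -> (recommended value, why). These are this example's
# assumptions, reflecting common hardening practice.
RECOMMENDED = {
    "PermitRootLogin": ("no", "brute-force scripts try root first"),
    "PasswordAuthentication": ("no", "keys cannot be guessed like passwords"),
    "MaxAuthTries": ("3", "caps guesses per connection"),
    "PubkeyAuthentication": ("yes", "needed once passwords are off"),
}
# Values OpenSSH applies when the keyword is absent from the file.
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "MaxAuthTries": "6",
    "PubkeyAuthentication": "yes",
}


def parse_sshd_config(text: str) -> dict:
    """Return effective global settings keyed by lower-cased keyword.

    sshd keeps the first value it sees for a keyword, so later duplicates
    are ignored; everything after the first Match block applies only when
    that Match condition holds, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:      # "Keyword=value" form
            key, value = parts[0].split("=", 1)
        elif len(parts) == 2:                         # "Keyword value" form
            key, value = parts
            value = value.lstrip("= ").strip()        # tolerate "Keyword = value"
        else:
            continue
        key = key.strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text: str) -> list:
    """Return (keyword, effective value, recommended value) for each deviation."""
    effective = parse_sshd_config(text)
    deviations = []
    for key, (expected, _why) in RECOMMENDED.items():
        found = effective.get(key.lower(), DEFAULTS[key])
        if found.lower() != expected:
            deviations.append((key, found, expected))
    return deviations


def hardened_lines() -> list:
    """Directive lines to place at the top of sshd_config (first value wins)."""
    return [f"{key} {expected}" for key, (expected, _why) in RECOMMENDED.items()]


# Constructed sample: out-of-the-box style config exposed to the Internet.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
"""
# Constructed sample: hardened globally; password login only from an
# internal range, which a Match block scopes and this audit leaves to review.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
    print("\n".join(hardened_lines()))
```

The lockout policy from the list above is enforced outside `sshd_config` (for example by a log-driven banning tool), so it is not something this file audit can confirm; `MaxAuthTries` only limits guesses per connection, not per source address.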

Conclusion

It is a myth that Linux is safe from malware; the fact is, attackers are well prepared to use Linux machines for mining. The market for cryptocurrencies is large, and we can expect a rise in attacks on Linux machines to mine cryptocurrencies.

Subject Matter Expert

Yogesh Bane, Quick Heal Security Labs
