Quick Heal Security Labs recently came across a Linux-based Monero (XMR) miner. Monero (XMR) is one of the top 15 cryptocurrencies. Unlike Bitcoin or Ethereum, which are more widely known but are mined mostly with specialised hardware (ASICs or GPUs), Monero's proof-of-work is designed to be mined with ordinary CPUs, so any compromised machine, server or desktop, can contribute hash rate. This is one of the reasons why attackers prefer it. Earlier, we had also written about a Windows-based cryptocurrency miner. In this blog post, we dive into a detailed analysis of the Linux-based Monero miner.
‘c3.sh’ is the initial dropper script for this Monero mining campaign. Most probably, the script (c3.sh) was planted on the targeted machine after an SSH brute-force attack, i.e. the attacker guessed valid credentials and then copied and ran the script over SSH.
Let’s dive into the infection chain of Linux Monero miner.
- Shell scripts (c3.sh) to deliver the Monero miner:
As shown in fig 2, the ‘c3.sh’ shell script uses the ‘nproc‘ command to count the CPU cores on the victim’s system. If the count is less than or equal to 4, the script terminates (presumably the attacker is not interested in low-end machines); otherwise it performs the following tasks:
- Kill any processes related to Monero mining that are already running on the user’s system, so that a competing miner does not share the CPU
- Download the Monero miner archive (mine68b.tar) from a remote location
- Extract mine68b.tar and set permissions on all extracted files with the chmod command so they can be executed
- Execute script ‘x’
After extracting ‘mine68b.tar‘, the following files are dropped:
- x: Shell script
- a: Shell script
- run: Shell script
- h32: Launcher of Monero miner for 32 bit system
- h64: Launcher of Monero miner for 64 bit system
- md: Monero Miner file
- md32: Monero Miner file
- mdx: Monero Miner file
Let’s discuss the contents of mine68b.tar in detail.
- Script 1 – ‘x‘:
This one-line shell script uses the ‘nohup‘ command to launch script ‘a‘ so that it keeps running in the background even after the user logs out or exits the shell (nohup makes the child ignore the SIGHUP sent when the session ends).
- Script 2 – ‘a‘:
Creates a cron job to make the script persistent in the system.
As shown in fig 4, script ‘a’ installs a cron job so that the script is re-run at regular intervals on the targeted computer; if the miner is killed or the machine rebooted, cron starts it again. After creating the cron job, it executes the ‘run‘ script.
- Script 3 – ‘run‘:
Launches Monero miner binaries
As shown in fig 5, this script first stores the machine’s CPU architecture in the ‘ARCH’ variable. Depending on the value of ‘ARCH’, one of the miner files present in the current directory is executed and the Monero mining process starts. Here ‘h32‘ and ‘h64‘ are the launchers for the 32-bit and 64-bit miner binaries respectively. Let’s look at a few terms in this ‘run‘ script.
Cryptonight: It is a memory-hard proof-of-work algorithm designed to be mined efficiently on general-purpose CPUs, which is why it is the usual choice for CPU-based mining malware. Apart from Monero (XMR), the Cryptonight algorithm is also used by other currencies such as Bytecoin (BCN) and Electroneum (ETN).
stratum+tcp: It is the URL scheme of the Stratum mining protocol, which the miner uses to fetch work from, and submit shares to, a mining pool over a plain TCP connection. The host and port that follow it identify the attacker’s pool and are a useful network indicator.
Wallet Address: It is the Monero wallet to which the pool pays the mining rewards. Since it is hard-coded in the script, it is the attacker’s wallet address, and it can be used to link samples belonging to the same campaign.
Thus the dropper carries binaries for every supported architecture with it and picks which one to execute after identifying the system configuration.
Monero miner post-infection activity
On successful execution, the Monero miner generates the below post-infection traffic.
In fig 7, we see the mining activity in action. In this case, the md32 miner has been executed and is consuming 99.3% of the CPU to mine Monero (XMR). A sustained, near-100% CPU load from an unfamiliar binary is the most visible symptom of this infection.
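The artefacts described above, the cron entry that script ‘a’ installs, the nohup’d script in a hidden directory, the miner process pegging a core and the stratum+tcp connection to the pool, are exactly what a responder should look for on a suspect host. The following shell script is an added example and is not code from this post or from the sample: it runs simple indicator checks over constructed `crontab -l`, `ps` and `ss` output embedded in the script (the PIDs, paths, pool host and port are made up), so it works offline; on a live system you would feed it the real command output as shown in the final comment.

```shell
#!/bin/bash
# Added example (not from the Quick Heal post): triage checks for the
# indicators described in the analysis - cron persistence, a miner process
# pegging the CPU, a stratum+tcp command line and a connection to a pool port.
# All sample input below is constructed for the demo.

# Constructed `crontab -l` output. The second entry is the kind of line a
# dropper such as script 'a' adds: a hidden directory under /tmp, run every
# few minutes, output discarded.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * /tmp/.x/a >/dev/null 2>&1'

# Constructed `ps -eo pid,pcpu,comm,args` output; PID 2113 is the miner.
SAMPLE_PS='  PID %CPU COMMAND COMMAND
    1  0.0 systemd /sbin/init
  812  0.3 sshd    /usr/sbin/sshd -D
 2113 99.3 md32    ./md32 -a cryptonight -o stratum+tcp://pool.example:3333 -u 4ABCDEF -p x
 2114  1.2 bash    bash'

# Constructed `ss -tnp` output; the second connection goes to a pool port.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:22 203.0.113.7:51234 users:(("sshd",pid=812,fd=4))
ESTAB 0 0 10.0.0.5:40122 198.51.100.9:3333 users:(("md32",pid=2113,fd=3))'

# Cron entries (comments skipped) whose command lives in a temp directory or
# a hidden directory - the usual homes of dropped miner scripts.
suspicious_cron() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -E '(/tmp/|/var/tmp/|/dev/shm/|/\.[A-Za-z0-9_-]+/)' || true
}

# PIDs whose %CPU is at or above a threshold (default 90).
hot_processes() {
    printf '%s\n' "$1" | awk -v t="${2:-90}" 'NR > 1 && $2 + 0 >= t { print $1 }'
}

# PIDs whose command line names a stratum pool or the Cryptonight algorithm.
miner_cmdlines() {
    printf '%s\n' "$1" | awk 'NR > 1 && /stratum\+tcp|cryptonight/ { print $1 }'
}

# Peer ip:port of connections to ports commonly used by Monero pools. The
# port list is a heuristic; pools listen on many other ports as well.
pool_connections() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        n = split($5, a, ":")
        if (a[n] ~ /^(3333|4444|5555|7777|8080|14444|45700)$/) print $5
    }'
}

# Run every check, print one finding per hit and return 1 if any indicator
# was seen, 0 if the host looks clean.
triage() {
    local cron_out="$1" ps_out="$2" ss_out="$3" found=0 out
    out=$(suspicious_cron "$cron_out")
    [ -n "$out" ] && { echo "[cron] $out"; found=1; }
    out=$(hot_processes "$ps_out")
    [ -n "$out" ] && { echo "[cpu>=90%] pid(s): $out"; found=1; }
    out=$(miner_cmdlines "$ps_out")
    [ -n "$out" ] && { echo "[miner cmdline] pid(s): $out"; found=1; }
    out=$(pool_connections "$ss_out")
    [ -n "$out" ] && { echo "[pool connection] $out"; found=1; }
    return "$found"
}

# Demo on the constructed data. On a real host run instead:
#   triage "$(crontab -l 2>/dev/null)" "$(ps -eo pid,pcpu,comm,args)" "$(ss -tnp)"
triage "$SAMPLE_CRONTAB" "$SAMPLE_PS" "$SAMPLE_SS" || echo "indicators found: investigate"
```

Each check is deliberately independent: a miner that has been renamed will still be caught by its CPU load or its pool connection, and a cron entry survives even after the process has been killed, which is why the cron check is the one to run after cleanup.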
How to stay safe from such attacks
- Disable the SSH service if it is not used.
- Always use a strong username and password for SSH login; better still, use key-based authentication and disable password logins altogether.
- Set a lockout policy (for example, limiting failed attempts per source IP) that hinders credential guessing.
- Use a VPN to access the network instead of exposing SSH to the Internet.
- Configure your firewall in the following ways:
- Deny access from public IPs to important ports such as SSH
- Allow access only from IPs that are under your control
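Most of the recommendations above come down to a handful of sshd_config keywords and a firewall allowlist, and the mistakes that let an SSH brute force succeed are easy to audit. The script below is an added example, not code from this post: it checks constructed sshd_config texts (embedded as strings; the account name and network ranges are made up) for the settings that matter here and emits allowlist firewall rules. It assumes plain keyword/value lines without Match blocks, and it mirrors sshd’s real rule that the first occurrence of a keyword wins, which is a common cause of hardening that silently has no effect.

```shell
#!/bin/bash
# Added example (not from the Quick Heal post): audit an sshd_config for the
# settings that let an SSH brute force succeed, and emit allowlist firewall
# rules. Config texts, the account name and the CIDRs are constructed.

# Constructed "weak" config. Note the trailing "PasswordAuthentication no":
# sshd honours the FIRST occurrence of a keyword, so that later line is dead.
WEAK_SSHD='Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added later by an admin hoping to disable passwords - has no effect
PasswordAuthentication no'

# Constructed hardened config: keys only, no root login, capped attempts,
# explicit allowlist of accounts.
HARDENED_SSHD='Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
AllowUsers ops'

# Effective value of a keyword: first non-comment match, keyword compared
# case-insensitively as sshd does, else the supplied default.
# Assumption: no Match blocks in the config.
sshd_setting() {
    local cfg="$1" key="$2" default="$3" val
    val=$(printf '%s\n' "$cfg" | awk -v k="$key" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == tolower(k) { print $2; exit }')
    printf '%s\n' "${val:-$default}"
}

# Print one finding per weak setting; return 1 if any, 0 if none. The
# defaults passed in are OpenSSH's own (PasswordAuthentication yes,
# PermitRootLogin prohibit-password, MaxAuthTries 6).
audit_sshd() {
    local cfg="$1" findings=0
    if [ "$(sshd_setting "$cfg" PasswordAuthentication yes)" = yes ]; then
        echo "PasswordAuthentication yes: credentials can be guessed; set no and use keys"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_setting "$cfg" PermitRootLogin prohibit-password)" = yes ]; then
        echo "PermitRootLogin yes: root is the first account brute-forcers try; set no"
        findings=$((findings + 1))
    fi
    if [ "$(sshd_setting "$cfg" MaxAuthTries 6)" -gt 3 ]; then
        echo "MaxAuthTries > 3: more guesses per connection; lower it and rate-limit"
        findings=$((findings + 1))
    fi
    if [ -z "$(sshd_setting "$cfg" AllowUsers '')" ] \
        && [ -z "$(sshd_setting "$cfg" AllowGroups '')" ]; then
        echo "no AllowUsers/AllowGroups: every local account is a target; add an allowlist"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Emit iptables rules that accept SSH only from the given CIDRs and drop the
# rest - the "allow only IPs under your control" recommendation.
ssh_allowlist_rules() {
    local cidr
    for cidr in "$@"; do
        echo "iptables -A INPUT -p tcp --dport 22 -s $cidr -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

echo "== weak config =="
audit_sshd "$WEAK_SSHD" || echo "fix before exposing this host"
echo "== hardened config =="
audit_sshd "$HARDENED_SSHD" && echo "no findings"
echo "== firewall rules for constructed management ranges =="
ssh_allowlist_rules 10.0.0.0/24 203.0.113.0/28
```

To audit a real host, replace the constructed strings with `"$(cat /etc/ssh/sshd_config)"`, or better `"$(sshd -T)"`, which prints the effective settings after Include and Match processing and so sidesteps the first-occurrence trap entirely.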
It is a myth that Linux is safe from malware; the fact is that attackers are well prepared to use Linux machines for mining. The cryptocurrency market is large, and we can expect a rise in attacks on Linux machines aimed at mining cryptocurrencies.
Subject Matter Expert
Yogesh Bane, Quick Heal Security Labs