{"id":86293,"date":"2018-05-22T17:14:28","date_gmt":"2018-05-22T11:44:28","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=86293"},"modified":"2018-05-22T18:10:00","modified_gmt":"2018-05-22T12:40:00","slug":"cryptocurrency-mining-rampage-throttles-linux-machines","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/cryptocurrency-mining-rampage-throttles-linux-machines\/","title":{"rendered":"Cryptocurrency mining rampage throttles Linux machines \u2013 an analysis by Quick Heal Security Labs"},"content":{"rendered":"

Quick Heal Security Labs recently came across a Linux-based Monero (XMR) miner. Monero (XMR) is one of the top 15 cryptocurrencies. It can be mined easily on any machine using its CPU computation power. This is one of the reasons why it is preferred to Bitcoin or Ethereum which are more famous than Monero. Earlier, we had also written about a Windows-based cryptocurrency miner<\/u><\/a>. \u00a0In this blog post, we will dive into a detailed analysis of the Linux-based Monero miner.<\/p>\n

Infection chain<\/b><\/strong><\/p>\n

‘c3.sh’<\/b><\/strong>\u00a0is a source file for this Monero mining campaign. Most probably, the script (c3.sh) might be injected in the targeted machine through SSH brute force attack.<\/p>\n

\"\"
Fig 1: Linux Monero miner infection chain<\/figcaption><\/figure>\n

Let\u2019s dive into the infection chain of Linux Monero miner.<\/p>\n

    \n
  • Shell scripts (c3.sh<\/b><\/strong>) to deliver the Monero miner:<\/li>\n<\/ul>\n
    \"Fig
    Fig 2: c3.sh script<\/figcaption><\/figure>\n

    As shown in fig 2, using the ‘nproc<\/b><\/strong>‘ command, ‘c3.sh’<\/b><\/strong>\u00a0Shell script checks for the number of CPU cores present in the user’s system. If it is less than or equal to 4, then the script will terminate otherwise it will perform the following tasks:<\/p>\n

      \n
    • Kill all processes related to Monero mining if already present on the user\u2019s system<\/li>\n
    • Download the Monero miner files (tar<\/b><\/strong>) from a remote location<\/li>\n
    • Unzip mine68b.tar and give permissions to all unzipped contents using the chmod <\/b><\/strong>command<\/li>\n
    • Execute script ‘x’<\/li>\n<\/ul>\n

      After unzipping ‘mine68b.tar<\/b><\/strong>‘, the following files are dropped:<\/p>\n

        \n
      • <\/b>x<\/b><\/strong>: Shell scripts<\/li>\n
      • <\/b>a<\/b><\/strong>: Shell script<\/li>\n
      • <\/b>run<\/b><\/strong>: Shell script<\/li>\n
      • <\/b>h32<\/b><\/strong>: Launcher of Monero miner for 32 bit system<\/li>\n
      • <\/b>h64<\/b><\/strong>: Launcher of Monero miner for 64 bit system<\/li>\n
      • <\/b>md<\/b><\/strong>: Monero Miner file<\/li>\n
      • <\/b>md32<\/b><\/strong>: Monero Miner file<\/li>\n
      • <\/b>mdx<\/b><\/strong>: Monero Miner file<\/li>\n<\/ul>\n

        Let’s discuss the contents of mine68b.tar <\/b><\/strong>in detail.<\/p>\n

          \n
        • Script 1 – ‘x<\/b><\/strong>‘:<\/li>\n<\/ul>\n

          This one line shell script uses the ‘nohup<\/b><\/strong>‘ command to allow script ‘a<\/b><\/strong>‘ to continuously run in the background even after the user logs out or exit a shell.<\/p>\n

          \"Fig
          Fig 3: Use of nohup command to execute script ‘a’<\/figcaption><\/figure>\n
            \n
          • Script 2 – ‘a<\/b><\/strong>‘:<\/li>\n<\/ul>\n

            Creates a cron job to make the script persistent in the system.<\/p>\n

            \"\"
            Fig 4: Creation of cron job<\/figcaption><\/figure>\n

            As shown in fig 4, script ‘a’ is creating a cron <\/b><\/strong>job so that the script will be scheduled to run at regular intervals of time on the targeted computer. \u00a0After creating the cron job, it executes the ‘run<\/b><\/strong>‘ script.<\/p>\n

              \n
            • Script 3 – ‘run<\/b><\/strong>‘:<\/li>\n<\/ul>\n

              Launches Monero miner\u00a0 binaries<\/p>\n

              \"\"
              Fig 5: Execution of Monero miner file<\/figcaption><\/figure>\n

              As shown in fig 5, this script first retrieves the system configuration in ‘ARCH’ variable. Depending upon the value of ‘ARCH’ variable, different miner files which are present in the current directory will get executed and start Monero mining process. Here ‘h32<\/b><\/strong>‘ and ‘h64<\/b><\/strong>‘ are launchers for Monero miner files. \u00a0Let’s look at few terms in this ‘run<\/b><\/strong>‘ script.<\/p>\n

              Cryptonight:<\/b><\/strong>\u00a0It is a proof-of-work algorithm. Currently, it is one of the suitable CPU based mining algorithms. Apart from Monero (XMR),\u00a0<\/b><\/strong>the\u00a0Cryptonight<\/b><\/strong>\u00a0algorithm can be used to mine other currencies like Bytecoin (BCN), Electroneum (ETN), etc. as well.<\/p>\n

              stratum+tcp: <\/b><\/strong>It\u2019s a cryptocurrency mining protocol.<\/p>\n

              Wallet Address : <\/strong>It\u2019s the wallet address wherein the Monero mining rewards will be transferred, thus its the Monero wallet address of the attacker.<\/p>\n

              Thus the miner carries all the binaries with itself and executes the binary after identifying the system configuration.<\/p>\n

              Monero miner post-infection activity<\/b><\/strong><\/p>\n

              On successful execution, the Monero miner generates the below post-infection traffic.<\/p>\n

              \"\"
              Fig 6. Post infection traffic of Monero Miner<\/figcaption><\/figure>\n

              In fig 7, we see the mining activity in action. In this case, md32<\/b><\/strong>\u00a0miner has been executed and it\u2019s consuming 99.3% of CPU power to mine Monero (XMR) coin.<\/p>\n

              \"\"
              Fig 7: Monero mining Activity<\/figcaption><\/figure>\n

              Safety Measures<\/strong><\/p>\n

                \n
              • Disable SSH Protocol if not used.<\/li>\n
              • Always have strong username and password for SSH login.<\/li>\n
              • Set a lockout policy which hinders guessing of credentials.<\/li>\n
              • Use a VPN to access a network, instead of exposing SSH to the Internet.<\/li>\n
              • Configure your Firewall in the following ways:\n
                  \n
                1. Deny access to Public IPs to important ports<\/li>\n
                2. Allow access to only IPs which are under your control<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n

                  Conclusion<\/b><\/strong><\/p>\n

                  It is a myth that Linux is safe from malware and the fact is, attackers are well prepared to use Linux machines for mining. The market for cryptocurrencies is large and we can expect a rise in the attacks on Linux machines to mine cryptocurrencies.<\/p>\n

                  Subject Matter Expert<\/strong><\/p>\n

                  Yogesh Bane, Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"

                  Quick Heal Security Labs recently came across a Linux-based Monero (XMR) miner. Monero (XMR) is one of the top 15 cryptocurrencies. It can be mined easily on any machine using its CPU computation power. This is one of the reasons why it is preferred to Bitcoin or Ethereum which are more famous than Monero. Earlier, […]<\/p>\n","protected":false},"author":43,"featured_media":86305,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,5],"tags":[1556,1053,49,1607,1533],"class_list":["post-86293","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware","category-security","tag-cryptocurrency","tag-linux","tag-malware","tag-mining","tag-monero"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86293"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=86293"}],"version-history":[{"count":8,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86293\/revisions"}],"predecessor-version":[{"id":86320,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86293\/revisions\/86320"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/86305"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=86293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=86293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=86293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}