Over the past few days I have been tracking a new threat to Linux systems. On the night of September 19th, 2018 I came across a new Linux malware spreading in the wild: it forms a botnet from the machines it compromises and then uses those machines to recruit further victims. Once the malware has exploited a vulnerability in your machine, it drops several files and starts mining cryptocurrency, using your machine's resources behind your back to mine coins for someone else, and in addition it turns the machine into a bot and launches further attacks from it. Below is the attack flow of the malware:
- A brute-force attack against SSH accounts.
- Once it has a foothold on a system, it drops and executes a pre-compiled binary.
- It modifies the system to ensure the malware persists.
- It starts mining cryptocurrency on the victim's GPU or CPU.
- It scans and exploits other systems on the network and adds them to the botnet.
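The first step in the flow above, the SSH brute force, is also the easiest one to detect from the victim's side. The following added example (my own code, not part of the original post or the malware) parses OpenSSH `auth.log` lines and flags a source IP that accumulates several failed logins inside a short window, and escalates the verdict when a successful login follows the burst. The log lines and the IP addresses are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log format (example data, not from the post).
SAMPLE_AUTH_LOG = """\
Sep 19 23:01:12 ubuntu sshd[2201]: Failed password for root from 203.0.113.5 port 40212 ssh2
Sep 19 23:01:14 ubuntu sshd[2203]: Failed password for root from 203.0.113.5 port 40218 ssh2
Sep 19 23:01:15 ubuntu sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 40221 ssh2
Sep 19 23:01:17 ubuntu sshd[2207]: Failed password for root from 203.0.113.5 port 40230 ssh2
Sep 19 23:01:19 ubuntu sshd[2209]: Failed password for root from 203.0.113.5 port 40236 ssh2
Sep 19 23:01:21 ubuntu sshd[2211]: Accepted password for root from 203.0.113.5 port 40240 ssh2
Sep 19 23:05:02 ubuntu sshd[2301]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Sep 19 23:05:40 ubuntu sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 51004 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text, year=2018):
    """Return (timestamp, result, user, ip) tuples; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Map source IP -> verdict.

    'brute_force' once an IP has `threshold` failures within `window_seconds`;
    'brute_force_then_success' if that same IP later logs in successfully,
    which is the moment the machine in the post was taken over.
    """
    failures = defaultdict(list)
    verdicts = {}
    for ts, result, _user, ip in events:
        if result == "Failed":
            # Keep only failures still inside the sliding window, then add this one.
            failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            failures[ip].append(ts)
            if len(failures[ip]) >= threshold:
                verdicts.setdefault(ip, "brute_force")
        elif result == "Accepted" and verdicts.get(ip) == "brute_force":
            verdicts[ip] = "brute_force_then_success"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {verdict}")
```

The threshold and window are deliberately parameters: a password-spraying bot that paces its attempts will need a longer window, and the "success after failures" escalation is the signal worth paging on, since a plain failure burst against a host with key-only authentication is noise.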
For this, I deliberately infected one of my Ubuntu machines. After I ran the initial script from the C2 server, which had come to us as the payload, everything else happened automatically. It dropped several script files and executed the commands they contained. The C2 server hosted three scripts: worldwest.sh, miner.sh and scanner.sh. worldwest.sh is the main script and contains the commands for downloading the files for the other scripts.
After running this script I found a few files dropped in my /var/tmp and /tmp folders. These were the other script files plus some ELF executables that could be malware. tcpconnect_zmap_xxx and bruteforce_ssh_xxx looked the most suspicious to me and could contain the actual code for the further attacks. Among the dropped files, it was surprising to see "xrig_arm", which it fetched from one of the GitHub links and which mines cryptocurrency on Raspberry Pi devices. Below you can see the dropped files in the images.
The malware also ran a scan of my network using the dropped file "tcpconnect_zmap_xxx" and tried to infect other systems on the same network.
The malware can keep mining in the background as a process even if the user logs off or the machine restarts. Prefixing a command with nohup makes it ignore the hangup signal, so the command is not terminated when the user logs out or exits the shell. The attacker combined the malware command with nohup and appended it to
Below you can see the CryptoNight miner running in the background as a process. I also checked after restarting my machine: it launches every time I open a new terminal.
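Because the miner comes back with every new terminal, the persistence line most likely lives in a shell startup file; the post does not say which file, so the example below assumes `~/.bashrc` and a constructed line of the same shape (nohup, a binary under /var/tmp, output discarded, backgrounded with `&`). This is an added triage script of my own, not code from the post or from the malware: one function scans startup-file text for that pattern, the other walks the temp directories and reports ELF binaries by their magic bytes, which is how the dropped tcpconnect_zmap_xxx and bruteforce_ssh_xxx files would show up. The pool hostname and the fake ELF file are constructed.

```python
import os
import stat
import tempfile

TMP_DIRS = ("/tmp", "/var/tmp")   # where the post found the dropped files
ELF_MAGIC = b"\x7fELF"            # first four bytes of every ELF executable


def find_nohup_persistence(rc_text):
    """Return (line number, line) for non-comment lines that nohup a temp-dir binary into the background."""
    hits = []
    for lineno, line in enumerate(rc_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if "nohup" in stripped and any(d in stripped for d in TMP_DIRS) and stripped.endswith("&"):
            hits.append((lineno, stripped))
    return hits


def find_elf_in_tmp(dirs=TMP_DIRS):
    """Return (path, is_executable) for every file under `dirs` whose header is an ELF magic."""
    found = []
    for base in dirs:
        for root, _subdirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        magic = fh.read(4)
                    mode = os.stat(path).st_mode
                except OSError:
                    continue  # unreadable or vanished between listing and open
                if magic == ELF_MAGIC:
                    found.append((path, bool(mode & stat.S_IXUSR)))
    return found


def demo():
    """Run both checks on constructed data: a fake .bashrc and a scratch directory standing in for /var/tmp."""
    # Constructed .bashrc fragment; the pool host is a placeholder, not the real C2.
    rc = """\
# ~/.bashrc
alias ll='ls -la'
nohup /var/tmp/xrig_arm -o pool.example:3333 >/dev/null 2>&1 &
export PATH=$PATH:/usr/local/bin
"""
    with tempfile.TemporaryDirectory() as scratch:
        fake = os.path.join(scratch, "tcpconnect_zmap_xxx")
        with open(fake, "wb") as fh:
            fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9)  # constructed minimal ELF header
        os.chmod(fake, 0o755)
        with open(os.path.join(scratch, "notes.txt"), "w") as fh:
            fh.write("harmless\n")
        return find_nohup_persistence(rc), find_elf_in_tmp((scratch,))


if __name__ == "__main__":
    rc_hits, elf_files = demo()
    print("startup-file persistence:", rc_hits)
    print("ELF files in temp dirs:", elf_files)
```

On a live host you would call `find_nohup_persistence` on the contents of each user's `~/.bashrc`, `~/.profile` and `/etc/profile.d/*`, and `find_elf_in_tmp()` with its defaults; a world-writable temp directory holding an executable ELF is worth an alert on its own, whether or not a startup file references it.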
Another capability of the malware is that it turns the victim's machine into a bot and launches further attacks from the compromised machine. After my machine was fully compromised, I examined the traffic I had captured with Wireshark and noticed that my machine had launched similar attacks against several other IPs. Most of the requests were attempts to exploit routers. This malware probably exploits IoT devices in the same way as the Mirai malware. Below you can see some of the attacks carried out from my compromised machine once it had become part of the botnet. The source IP of the compromised machine was 10.0.2.15.
When I executed this mining tool on one of my test machines, it connected to the C2 site mentioned above and began mining Monero using the CryptoNight algorithm.
For the testing I set up an x86 machine with an Intel Core i5 processor and 3 GB of RAM, running the latest Ubuntu 18.04 release. At a hash rate of 41.1 H/s (hashes per second) on that hardware, the miner would make approximately $2.15 per month.
Looking further into the Wireshark capture, I also found some POST requests in which the miner reports the status of the mining work it has completed to the C2 server. See below.