Pierluigi Paganini September 02, 2019

Akamai researcher Larry Cashdollar reported that a cryptocurrency miner that previously hit only Arm-powered IoT devices it now targeting Intel systems.

The popular researcher Larry Cashdollar, from Akamai SIRT, announced in exclusive to The Register, that he observed a miner that previously hit only Arm-powered IoT devices targeting Intel systems.

The researchers revealed that one of his honeypots was hit by this IoT malware that targets Intel machines running Linux.

“I suspect it’s probably a derivate of other IoT crypto mining botnets,” Cashdollar told The Register. “This one seems to target enterprise systems.”

The expert explained that the XMR cryptominer was optimized for Intel x86 (both 32bit or 64bit architecture) and Intel 686 processors.

The malware attempt to connect via SSH on Port 22 and deliver itself as a gzip archive.

“The malware is uploaded as gzip compressed tarball archives of binaries, scripts, and libraries. The libraries reside under the directory c/lib  I thought it would be required to run the binaries in the tarball, but the binaries are compiled statically, so the libraries are extraneous.” wrote Cashdollar.

The IoT malware first checks if the machine has already been infected, if it is the first time the malicious code hit the device it creates three different directories with different versions of the same files.

“Each directory contains a variation of the XMrig v2.14.1 cryptocurrency miner in either x86 32bit or 64bit format,” continues the expert.“Some of the binaries are named after common Unix utilities, like ps, in an attempt to blend into a normal process list.”

The expert discovered that the script executes init2, that is one of the files in the gzip archive, if the directory .firefoxcatche (sic) doesn’t exist. The presence of this directory indicates that the crypto miner already infected the device. The script init2 kills any previous versions of the miner software that might be running, and installs itself. It gains persistence by adding entries to crontab.

Additionally, the malware installs a shell script that uses to communicate with the command and control server.

The attack originates from clusters of compromised systems in the Americas, Asia, and Europe.

Cashdollar explained that threat actors started scanning the Internet for Intel systems that would accept files over SSH port 22 to maximize their efforts. Summarizing, crooks extended the list of targets passing from Arm and MIPS-powered devices to Intel systems. 

“Criminals will continue to monetize unsecured resources in any way they can.  System administrators need to employ security best practices with the systems they manage.”  Cashdollar concludes. “Unsecured services with unpatched vulnerabilities or weak passwords are prime targets for exploitation and abuse. Strong passwords, a vulnerability remediation plan, and two factors of authentication can go a long way to keep systems secure from the most basic and common attacks.”

Pierluigi Paganini

(SecurityAffairs – Miner, Intel servers)

[adrotate banner=”5″]

[adrotate banner=”13″]