XMrig crypto miner switches from ARM devices to Intel servers

XMrig cryptocurrency mining malware, previously seen only on ARM devices, has changed its attack vector and switched to Intel systems and servers.

According to Akamai security researcher Larry Cashdollar, one of his honeypots was infected with IoT malware targeting Linux-based Intel computers.

“I have been paying close attention to Internet of Things (IoT) malware targeting systems with Telnet enabled, while also collecting samples targeting systems with SSH enabled on port 22. I’ve collected over 650 samples landing in my honeypot within the last week. The honeypot allows logins using known default login credentials for root,” said Larry Cashdollar.

In addition to targeting Intel x86 and 686 processors, the malware tries to establish an SSH connection and delivers itself disguised as a gzip archive. Next, the malware checks the computer for other malicious programs (in which case the installation stops) or for an earlier version of itself that needs to be removed.

Next, the miner creates three directories holding different versions of the same files. Each folder contains a 32-bit or 64-bit build of the XMrig 2.14.1 crypto miner. Some binaries are named after common Unix utilities, such as ps, in an attempt to blend into the normal process list.


After that, the malware installs the mining tool itself and modifies the crontab file so that it keeps running after a reboot. A shell script is also installed to communicate with the C&C server.

“Criminals will continue to monetize insecure resources in every way possible,” notes Larry Cashdollar.

What can be done?

According to Akamai's recommendations, system administrators need to follow security best practices on the systems they manage. Unsecured services with unpatched vulnerabilities or weak passwords are prime targets for exploitation and abuse. Strong passwords, a vulnerability remediation plan, and two-factor authentication go a long way toward keeping systems safe from the most basic and common attacks.


About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.
