XMrig cryptocurrency mining malware, previously seen only on ARM devices, changed the attack vector and switched to Intel systems and servers.According to Akamai security researcher Larry Cashdollar, one of his traps was infected with malware for IoT devices targeting Linux-based Intel computers.
“I have been playing close attention to Internet of Things (IoT) malware targeting systems with Telnet enabled, while also collecting samples targeting systems with SSH enabled on port 22. I’ve collected over 650 samples landing in my honeypot within the last week. The honeypot allows logins using known default login credentials for root”, — said Larry Cashdollar.
In addition to configuring Intel x86 and 686 processors, the malware tries to establish an SSH connection and loads under the mask of a gzip archive. Next, the malware checks the computer for other malicious programs (at this stage the installation stops) or an earlier version that needs to be removed.
Next, the miner creates three different directories with different versions of the same files. Each folder contains a version of the crypto miner XMrig 2.14.1 in 32-bit or 64-bit format. Some binaries are named for various Unix utilities, such as ps, in an attempt to merge with the usual list of processes.
After that, the malware installs the cryptocurrency mining tool itself and modifies the crontab file to ensure operation after a computer reboot. A shell script is also installed to communicate with the C&C server.
“Criminals will continue to monetize insecure resources in every way possible”, — notes Larry Cashdollar.
What can be done?
According to the Akamai recommendations, System administrators need to employ best security practices with the systems they manage. Unsecured services with unpatched vulnerabilities or weak passwords are prime targets for exploitation and abuse. Strong passwords, a vulnerability remediation plan, and two factors of authentication can go a long way to keep systems secure from the most basic and common attacks.
User Review( votes)