XMrig crypto miner switches from ARM devices to Intel servers

XMrig switches to Intel servers
Written by Brendan Smith

XMrig cryptocurrency mining malware, previously seen only on ARM devices, changed the attack vector and switched to Intel systems and servers.

According to Akamai security researcher Larry Cashdollar, one of his traps was infected with malware for IoT devices targeting Linux-based Intel computers.

“I have been playing close attention to Internet of Things (IoT) malware targeting systems with Telnet enabled, while also collecting samples targeting systems with SSH enabled on port 22. I’ve collected over 650 samples landing in my honeypot within the last week. The honeypot allows logins using known default login credentials for root”, — said Larry Cashdollar.

In addition to configuring Intel x86 and 686 processors, the malware tries to establish an SSH connection and loads under the mask of a gzip archive. Next, the malware checks the computer for other malicious programs (at this stage the installation stops) or an earlier version that needs to be removed.

Next, the miner creates three different directories with different versions of the same files. Each folder contains a version of the crypto miner XMrig 2.14.1 in 32-bit or 64-bit format. Some binaries are named for various Unix utilities, such as ps, in an attempt to merge with the usual list of processes.

Read also: Researchers discovered a new malicious campaign targeting plugins for WordPress

After that, the malware installs the cryptocurrency mining tool itself and modifies the crontab file to ensure operation after a computer reboot. A shell script is also installed to communicate with the C&C server.

“Criminals will continue to monetize insecure resources in every way possible”, — notes Larry Cashdollar.

What can be done?

According to the Akamai recommendations, System administrators need to employ best security practices with the systems they manage. Unsecured services with unpatched vulnerabilities or weak passwords are prime targets for exploitation and abuse. Strong passwords, a vulnerability remediation plan, and two factors of authentication can go a long way to keep systems secure from the most basic and common attacks.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.