Level 52
Content Creator
Malware Hunter
A cryptomining dropper malware has been spotted by security researchers while gaining persistence on Linux hosts by adding cron jobs to reinfect the compromised machines after being removed.

The malware was initially discovered on a web server with a maxed out CPU by a malicious process, a sure sign of a host infected with cryptomining malware configured to use all available computing resources.

As Sucuri's security analyst Luke Leal found after taking a closer look, the cryptominer is downloaded by attackers using a Bash script dropped on the server via an unknown method — most probably after exploiting an unpatched vulnerability, brute forcing their way in, or by phishing the admin credentials.