Xanthe - Docker Aware Miner

upnorth

upnorth

Level 68
Thread author
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Content source
https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html
Cisco Talos recently discovered an interesting campaign affecting Linux systems employing a multi-modular botnet with several ways to spread and a payload focused on providing financial benefits for the attacker by mining Monero online currency. The actor employs various methods to spread across the network, like harvesting client-side certificates for spreading to known hosts using ssh, or spreading to systems with an incorrectly configured Docker API.

WHAT'S NEW?​

We believe this is the first time anyone's documented Xanthe's operations. The actor is actively maintaining all the modules and has been active since March this year.

HOW DID IT WORK?​

The infection starts with the downloader module, which downloads the main installer module, which is also tasked with spreading to other systems on the local and remote networks. The main module attempts to spread to other known hosts by stealing the client-side certificates and connecting to them without the requirement for a password. Two additional bash scripts terminate security services, removing competitor's botnets and ensuring persistence by creating scheduled cron jobs and modifying one of the system startup scripts. The main payload is a variant of the XMRig Monero mining program that is protected with a shared object developed to hide the presence of the miner's process from various tools for process enumeration.

SO WHAT?​

Defenders need to be constantly vigilant and monitor the behavior of systems within their network. Attackers are like water — they look for the smallest crack to seep in, like we see in Xanthe's potential to spread using systems with exposed Docker API. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not specifically targeted at their infrastructure.
Click to expand...
The initial script, pop.sh, is a simple downloader script which downloads and runs the main bot module xanthe.sh, which then downloads and runs all additional modules. It is also tasked with scanning the network and spreading to other systems over SSH and by exploiting Docker daemon installations with exposed web API.

There are four modules that are downloaded and launched:
  • Process-hiding module libprocesshider.so
  • Shell script to disable other miners and security services
  • Shell script to remove Docker containers of competing Docker-targeting crypto mining trojans
  • XMRig binary together with a downloaded JSON configuration file, config.json

    image10.jpg
Click to expand...
blog.talosintelligence.com

Xanthe - Docker aware miner

By Vanja Svajcer and Adam Pridgen, Cisco Incident Command NEWS SUMMARY * Ransomware attacks and big-game hunting making the headlines, but adversaries use plenty of other methods to monetize their efforts in less intrusive ways. * Cisco Talos recently discovered a cryptocurrency-mining...
blog.talosintelligence.com blog.talosintelligence.com
 
  • Like
  • +Reputation
Reactions: [correlate], Andy Ful, harlan4096 and 5 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
    • Thanks
Google Cloud Build bug lets hackers launch supply chain attacks
Replies
1
Views
1,552
News Archive
Sandbox Breaker
Sandbox Breaker
Gandalf_The_Grey
    • Like
Security News Fake Google Meet conference errors push infostealing malware
Replies
2
Views
1,327
Security News
Andy Ful
Andy Ful
Gandalf_The_Grey
    • Wow
    • Like
Security News Cloudflare blocks largest recorded DDoS attack peaking at 3.8Tbps
Replies
0
Views
1,643
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top