Exclusive A coin-mining malware infection previously only seen on ARM IoT devices has made the jump to Intel systems.
Akamai senior security researcher Larry Cashdollar says one of his honeypot systems recently turned up what appears to be an IoT malware that targets Intel machines running Linux.
“I suspect it’s probably a derivate of other IoT crypto mining botnets,” Cashdollar told The Register. “This one seems to target enterprise systems.”
In addition to being fine-tuned for Intel x86 and 686 processors, the malware looks to establish an SSH Port 22 connection and deliver itself as a gzip archive. Once on the host, it checks whether the machine has already been infected (in which case the installation stops) or whether an earlier version is running and needs to be terminated. It then creates three different directories holding different versions of the same files.
“Each directory contains a variation of the XMRig v2.14.1 cryptocurrency miner in either x86 32bit or 64bit format,” the Akamai security ace explained. “Some of the binaries are named after common Unix utilities, like ps, in an attempt to blend into a normal process list.”
Following that step, the malware looks to install the cryptocurrency mining tool itself and modify the host system’s crontab file to make sure the malware runs even after a reboot. Additionally, the malware installs a shell script that allows it to communicate with the command and control server.
It seems that this attack was a matter of scumbags seeing an untapped market to expand their cryptocurrency mining operations into. In this case, when ARM and MIPS-powered devices with telnet connections dried up, the bad guys stepped up their game and began crawling for Intel systems that would accept files over SSH port 22.
In short, they pivoted from one type of low-hanging fruit to another.
“Criminals will continue to monetize unsecured resources in any way they can. System administrators need to employ security best practices with the systems they manage,” Cashdollar said.
“Unsecured services with unpatched vulnerabilities or weak passwords are prime targets for exploitation and abuse.” ®