Beginninng in mid-December, 2020 a threat actor group launched a wide-spread attack
targeting Linux and Windows operating systems by dropping an XMRig Miner on targeted sites. An analysis of the function calls was provided by
Malware components targeting Linux OSs included a bash script, the worm and two miner scripts.
The C2 IP is located in Moldovia at: 185[.]239[.]242[.]71.
Malware components targeting the Windows OSs included a Powershell dropper script, the worm file and two miner files along with a Java server page.
Multiple IPs Discovered in Malicious Infrastructure targeting windows
An earlier version of the XMRig Miner targeted the Oracle WebLogic Server (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14882), however, it appears this most recent release has modified targeting.
As noted by Mechtinger:
“The main method for initial access is via public facing services such as MySQL, Tomcat admin panel and Jenkins that have weak passwords. The worm will check if the port 52013 is listening, as it one of the indicator if the machine is already compromised by the worm. If the machine does not have the port listening, it will open a network socket on the port, otherwise the instance will exit. The XMRig Miner is embedded into malware and will be unpacked and dropped into the machine. Next the malware will scan the network in order to spread throughout the network. It will search for IP with the port 8080 for Tomcat and Jenkins and 3306 for MySQL which are open to brute force. If MySQL is successfully exploited, the malware will then perform local privilege escalation using mysql UDF. Once the exploitation process is completed, ld.sh for Linux and ld.ps1 for Windows will be dropped to the exploited service for the purpose of running the XMRig Miner and the Golang worm on the exploited service.“