SSH zombie host mining Trojan warning
Monero (XMR) is, like Bitcoin, one of today's cryptocurrencies. Its anonymity, support for CPU mining, and high price make it a favorite of the "black market" (the criminal underground). Hansi has developed a general mining scheme that uses Internet-facing servers, together with multiple back-end update servers for the miner. The attack and mining methods show that, compared with last year, the criminal organizations have escalated both in competing with each other and in updating their Trojans.
Figure: Monero price trend chart
Event Description
Recently, attackers have been brute-forcing SSH logins on servers and planting mining Trojans. We tracked multiple back-end update servers.
The process of attacking a server and planting the mining Trojan has three steps:
1. Attackers scan for hosts that expose the SSH service.
2. Attackers brute-force the SSH account and password.
3. Once brute-forcing succeeds, attackers remotely download and run the mining program.
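The three steps above leave a recognizable trace on the victim: a burst of failed SSH logins from one source, then an accepted password login from the same source. The following detection logic is an added example, not code from the original article; the log lines are constructed samples in the standard sshd format, and the IP addresses in them are documentation addresses, not the article's IoCs.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the article): a burst of failed
# logins from one source followed by a successful password login, which is the
# trace left by steps 2 and 3 above. The second source is a legitimate user
# who mistyped once and then logged in with a key.
SAMPLE_AUTH_LOG = """\
Jan 26 03:14:01 web1 sshd[4120]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 26 03:14:03 web1 sshd[4122]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 26 03:14:05 web1 sshd[4125]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2
Jan 26 03:14:07 web1 sshd[4127]: Failed password for root from 203.0.113.7 port 51055 ssh2
Jan 26 03:14:09 web1 sshd[4129]: Failed password for root from 203.0.113.7 port 51063 ssh2
Jan 26 03:14:11 web1 sshd[4131]: Accepted password for root from 203.0.113.7 port 51070 ssh2
Jan 26 03:20:44 web1 sshd[4200]: Failed password for alice from 198.51.100.9 port 40012 ssh2
Jan 26 03:20:50 web1 sshd[4202]: Accepted publickey for alice from 198.51.100.9 port 40013 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def find_bruteforce_logins(log_text, threshold=5):
    """Return (ip, user, failures_before_success) for every password login
    accepted after at least `threshold` failed attempts from the same IP."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failures[ip] += 1
            continue
        # Accepted login: only a password login after many failures is the
        # brute-force pattern; a key login after one typo is normal.
        if m.group("method") == "password" and failures[ip] >= threshold:
            hits.append((ip, m.group("user"), failures[ip]))
        failures[ip] = 0  # each accepted login starts a fresh count

    return hits

if __name__ == "__main__":
    for ip, user, n in find_bruteforce_logins(SAMPLE_AUTH_LOG):
        print(f"{ip}: '{user}' accepted after {n} failed attempts")
```

A hit should be correlated with what the new session does next: an outbound connection to one of the update servers listed in the IoC section below is the confirmation that step 3 followed.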
The figure shows one of the mining Trojan's back-end servers. The server 116.196.120.20 served 1277 downloads between January 1 and January 26, 2018. While monitoring it, we found that the various programs it hosts are also updated frequently.
Of the files it hosts:
1. The program Carbon is the actual mining program.
2. The xm.sh file is the shell script executed after a successful login to the server.
This script has three parts:
- First, kill other mining programs so that the attacker keeps the CPU for themselves. Note: competition in the black market is becoming increasingly fierce.
- Remotely download the matching mining program from the server.
- Configure the mining pool and wallet address, then run the mining program.
3. The xmm.sh file is the updated shell script. Compared with xm.sh, the mining pool link is changed; the goal is to pick a pool with higher hashrate.
4. The script 1.ps1 is the Windows counterpart of xm.sh and implements the same three functions: first kill other mining programs, then remotely download the matching mining program from the server, and finally configure the mining pool and wallet address and run the mining program.
5. The program server.exe is a remote-control Trojan that connects to dx.777craft.com:7777 after execution.
Competition among mining hackers is becoming increasingly fierce
Compared with earlier mining Trojans of the same type, this one's code has been further improved. The mining scripts found earlier mainly killed competitors by specific process name; this one kills competing miners based on their mining-pool information, which widens the scope of what it catches. Figure: comparison of how the two types of mining Trojans kill competing miners.
Hacker profit Estimation
According to the wallet address obtained from the current sample, the earlier mining pool has already paid out 34 XMR to the attacker's wallet (about $8500 at the current price of $250). However, the remaining 7 XMR in the wallet have been frozen because the pool identified the mining as coming from an illegal botnet:
Therefore, the attacker killed his previous mining program and registered a new wallet address for mining. The balance of the new address is shown below; the switch to the new mining address was made 15 days ago.
Based on the information currently available, we have traced access information and wallet addresses for more than 10 servers used by the attacker. The attacker has controlled at least 30 thousand hosts and obtained more than 300 Monero, worth nearly $0.1 million at the current XMR price.
Mining IoC:
IP Address:
116.196.86.246:7800
116.196.120.20:7800
210.76.63.207:3721
182.18.22.71:80
Domain:
dx.777craft.com:7777
Wallet address:
Permanent link to this article: https://www.bkjia.com/Linux/2018-02/150997.htm