

In this article, we will talk about a campaign being run by Chinese cybercriminals. This time they don't want to watch what we are doing; here they want resources from our systems to mine cryptocurrency.

Researchers from Barracuda have analyzed a new variant of Golang (a high-level language) malware that turns the victim's machine into a cryptominer. This malware does not target our local machines; here it targets back-end servers, which run either Linux or Windows. It directly attacks the backbone of a web application framework and some vulnerabilities in the server. After getting settled inside the machine, it starts to mine the Monero cryptocurrency. Unlike other cryptocurrencies, Monero is an open-source cryptocurrency created in April 2014 that focuses on privacy and decentralization. Monero uses a public ledger, which means that anybody can broadcast or send transactions, but the origin of the sender and receiver always remains unknown. This open-source cryptocurrency is used for illegal purposes, and evil actors generally use it to accept payments anonymously from their victims. Let's see the anatomy of the attack.

After getting installed on the server, this malware starts downloading some files from its C&C server. The first file it downloads is an init script. This init script sets up the environment for running the actual cryptominer on the target server. Based on the target's architecture, the malware installs init.sh or init.ps1: init.sh for Linux and init.ps1 for Windows. The researchers who analyzed this malware also said that the init script for Linux is even capable of removing competing miners and malware, blocking ports, adding backdoor keys, and disabling SELinux. The next script the malware downloads is the update script (again .sh or .ps1 for Linux and Windows respectively), which runs as a scheduled task on the server.

After these scripts get installed on the victim's server, the malware downloads the actual cryptominer, sysupdate, onto the victim's server; this is actually an XMRig miner used to mine the Monero cryptocurrency. XMRig is a legitimate, open-source cryptocurrency mining program that mines using a computer's CPU, and it is generally used by malware or trojan developers to extract cryptocurrency from the system.

After the miner starts on the victim's system, the malware fetches a watchdog from its command and control server to monitor all the processes. This watchdog checks that the miner is working properly and that all the components are updated. If the connection gets lost, the watchdog re-initiates the connection to the server. This watchdog is installed as sysguard or sysguard.exe depending on the architecture of the victim's device.

In the next step, the malware installs a clean.bat file that works as a backdoor on the victim's system. After that, a scanner is installed as networkservice or networkservice.exe, depending on the architecture. This file searches for vulnerable machines inside the network of the infected machine, installs the malware on neighbouring machines that are found vulnerable, and reports the machine status to the malware's command and control server, which is hxxp: // .
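A host-triage check for the artifacts this chain leaves behind (the init/update scripts, sysupdate, sysguard, networkservice and clean.bat), as an added example that is not code from the Barracuda write-up or the malware itself; the process and scheduled-task lines are constructed samples and the pool host is a placeholder.

```python
"""Host triage for the chain above (init/update scripts, sysupdate miner,
sysguard watchdog, networkservice scanner, clean.bat backdoor).  Added
example, not code from the write-up; sample lines below are constructed."""
import re

# Artifact names the article attributes to each stage, mapped to the stage.
STAGE_BY_NAME = {
    "sysupdate": "XMRig miner", "sysguard": "watchdog",
    "networkservice": "lateral-movement scanner", "clean.bat": "backdoor",
    "init.sh": "init script", "init.ps1": "init script",
    "update.sh": "update script", "update.ps1": "update script",
}

def _basename(path: str) -> str:
    """Last path component, lower-cased, Linux or Windows separators, no .exe."""
    name = re.split(r"[\\/]", path.strip())[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def triage(process_lines, task_lines):
    """Return (stage, evidence) for each line naming a known artifact.
    process_lines are 'pid ppid command [args]'; task_lines are cron/schtasks."""
    findings = []
    for line in process_lines:
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and (stage := STAGE_BY_NAME.get(_basename(parts[2].split()[0]))):
            findings.append((stage, f"process pid={parts[0]}: {parts[2]}"))
    for line in task_lines:  # a task line reports at most one artifact
        for token in re.findall(r"[\w.:\\/-]+", line):
            if stage := STAGE_BY_NAME.get(_basename(token)):
                findings.append((stage, f"scheduled task: {line.strip()}"))
                break
    return findings

# Constructed samples: one Linux host and one Windows host (placeholder pool host).
SAMPLE_PROCS = [
    "1 0 /sbin/init",
    "2310 1 /tmp/sysupdate -o pool.example.invalid:3333",
    "2311 1 /tmp/sysguard",
    "2400 2311 /tmp/networkservice",
    "812 1 C:\\Windows\\Temp\\sysguard.exe",
]
SAMPLE_TASKS = [
    "*/30 * * * * /tmp/update.sh >/dev/null 2>&1",
    "TaskName: Updater  Action: powershell -File C:\\Windows\\Temp\\update.ps1",
]

if __name__ == "__main__":
    for stage, evidence in triage(SAMPLE_PROCS, SAMPLE_TASKS):
        print(f"[{stage}] {evidence}")
```

Feed it real `ps -eo pid,ppid,args --no-headers` output and crontab or `schtasks /query /v` lines; anything it flags deserves a look at the parent process and the scheduled task's action path.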

Additionally, this malware tries to exploit vulnerabilities of the server, and the servers targeted most are those running the ThinkPHP framework, as it is the most popular in China. Here is the list of some vulnerabilities which this malware tries to exploit on the target server:


[Screenshot: list of vulnerabilities]