
CroniX CryptoMiner Kills Rivals to Reign Supreme


steven36


The operator of a new cryptomining campaign takes aggressive actions against its competition and halts other cryptojacking activity on the machines it claims.

https://s7d8.turboimg.net/sp/343f2ae6b3bbbc8389893ff026dcacf2/Monero.png

Cybercriminals are quick to take advantage of any proof-of-concept (PoC) exploit code that falls into their hands. For the recently disclosed Apache Struts vulnerability (CVE-2018-11776) there are multiple PoCs available, so news of the bug being exploited in the wild came as no surprise.

Cryptomining is all the rage these days, and the Struts exploits have been adopted quickly by multiple actors.

With growing competition for the victim's CPU cycles, one attacker decided to force rival operations out of the machine.

Taking down the competition

A report from F5 Labs describes a new cryptomining campaign that targets Linux systems and identifies the processes of other cryptominers on the machine with the purpose of terminating them.

The researchers named this campaign CroniX, a moniker that derives from the malware's use of Cron to achieve persistence and Xhide to launch executables with fake process names.

The cryptocurrency minted on victims' computers is Monero (XMR), the coin of choice in cryptojacking activities.

To make sure that rival activity does not revive, CroniX deletes the binaries of other cryptominers present on the system.

https://s7d4.turboimg.net/sp/a92db681a3e3dc1437721c5e88e371d9/kill_and_delete.png

Another action CroniX takes to establish supremacy on the machine is to check the names of the running processes and kill those that consume 60% of the CPU or more.

"This is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system," F5 speculates.
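The process-name and CPU-threshold behaviour just described suggests a defender-side check: a process that carries a system daemon's name (crond, sshd, syslogd) but runs from a binary outside that daemon's normal location, or burns most of a CPU core, deserves a look. The following Python is an added example, not code from F5 Labs or the article; the expected binary paths, the scratch-directory list and the reuse of the article's 60% figure as a threshold are assumptions.

```python
import os
from dataclasses import dataclass

# Where the genuine daemons live on common distributions (assumption).
EXPECTED_EXE = {
    "crond": {"/usr/sbin/crond", "/usr/sbin/cron"},
    "cron": {"/usr/sbin/cron"},
    "sshd": {"/usr/sbin/sshd"},
    "syslogd": {"/usr/sbin/syslogd", "/usr/sbin/rsyslogd"},
    "rsyslogd": {"/usr/sbin/rsyslogd"},
}
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
CPU_THRESHOLD = 60.0  # the cut-off the article says CroniX uses on rivals

@dataclass
class Proc:
    pid: int
    comm: str    # /proc/<pid>/comm: the name ps and top display
    exe: str     # readlink of /proc/<pid>/exe: the binary actually running
    cpu: float   # CPU usage in percent, as reported by ps/top

def classify(p: Proc) -> list[str]:
    """Return the reasons a process looks like a masquerading miner."""
    reasons = []
    expected = EXPECTED_EXE.get(p.comm)
    if expected is not None and p.exe not in expected:
        reasons.append(f"named {p.comm!r} but binary is {p.exe}")
    # The kernel appends " (deleted)" when the executable was removed on disk.
    if p.exe.startswith(SCRATCH_DIRS) or p.exe.endswith("(deleted)"):
        reasons.append("binary runs from a scratch directory or was deleted")
    if expected is not None and p.cpu >= CPU_THRESHOLD:
        reasons.append(f"daemon name with {p.cpu:.0f}% CPU")
    return reasons

def scan_procfs(proc_root="/proc"):
    """Yield Proc records for live processes; CPU must be filled in from ps/top."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"{proc_root}/{entry}/exe")
        except OSError:
            continue  # process exited, or /proc/<pid>/exe is not readable to us
        yield Proc(int(entry), comm, exe, 0.0)

# Constructed snapshot standing in for a real scan (not real telemetry).
SAMPLE = [
    Proc(812, "sshd", "/usr/sbin/sshd", 0.3),
    Proc(911, "crond", "/usr/sbin/crond", 0.0),
    Proc(4021, "crond", "/tmp/.x/crond", 97.5),
    Proc(4022, "sshd", "/dev/shm/sshd (deleted)", 88.1),
]

def suspicious(procs=SAMPLE):
    """Map pid -> reasons for every process that trips at least one check."""
    return {p.pid: classify(p) for p in procs if classify(p)}
```

Run against `scan_procfs()` output with CPU figures merged in from `ps -eo pid,pcpu`, the same check works on a live host.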

 

https://s7d6.turboimg.net/sp/b8029cc77046584ca026bae2c29af152/CPU_usage.png

Exploiting CVE-2018-11776 allows injecting Object-Graph Navigation Language (OGNL) expressions that may include malicious code, like the Coinhive JavaScript miner for Monero. With CroniX, the injection point is in the URL.

"The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file," the report explains.

Although F5 Labs observed this campaign targeting Linux systems with Apache Struts, the researchers discovered evidence that an operation aimed at Windows machines is currently underway.

CroniX is just the latest cryptomining campaign leveraging the CVE-2018-11776 vulnerability. The first one taking advantage of the public PoCs was reported last week.

Source
