F5 threat researchers discovered a new cryptocurrency-mining malware targeting Linux systems via the SSH protocol. This malware is written in the Python scripting language and is designed to infect systems and join them together in a botnet, dubbed PyCryptoMiner, for the purpose of mining Monero cryptocurrency. It scans for vulnerable Linux systems that have SSH (port 22) exposed and conducts a brute-force attack until it discovers the correct SSH login credentials. Once the botnet gains access, it deploys a base64-encoded spearhead Python script that connects to a C2 server to retrieve and executes additional Python code to infect the system. It maintains persistence by registering as a cron job that is scheduled to run every six hours. PyCryptoMiner also collects the Host/DNS name, the OS name and architecture, the number of CPUs, and the CPU usage, and sends it to the C2 server. If the C2 server is unavailable, it leverages a specific Pastebin.com post the perpetrator controls to receive new C2 assignments. According to the perpetrator’s Pastebin account, PyCryptoMiner was updated on December 12 to include the ability to locate and exploit JBoss Application Servers that contain vulnerability CVE-2017-12149. According to F5, this campaign has generated approximately $60,000 worth of Monero and the perpetrator, known as “Xinqian Rhys,” is associated with over 235 email addresses and nearly 36,000 domains, some of which have been registered since 2012.
The NJCCIC recommends all users and administrators of Linux systems and JBoss Application Servers review the F5 report and examine vulnerable systems for activity associated with cryptocurrency mining such as unexplained high CPU usage. Disable SSH port 22 on systems exposed to the internet or, if SSH is needed in your environment, secure it using complex login credentials and multi-factor authentication. Also, consider implementing an IP address ban after a set number of failed login attempts. Administrators of affected JBoss Application Servers are encouraged to review the associated Red Hat Advisory and either apply the recommended workaround or update to an unaffected package.
Reporting and Technical Details:
- January 2018: New Python-Based Crypto-Miner Flying under the Radar (F5)
- January 2018: CVE-2017-12149 (Red Hat Portal)