High
An active cryptomining worm campaign is installing a cryptominer. The attacks appear to target vulnerable Exim, Confluence, and WebLogic servers. After a system is compromised, a deployment BASH script is downloaded and executed. If the system is already infected, the script terminates the existing mining processes. It then reads the known_hosts file for other potential hosts to infect. Next, it downloads an ELF binary named “omelette” and another BASH script called “sesame”. Downloading takes place through wget, curl, python2/3, or php, whichever is available on the infected system. Infection can take place on x86, x86-64, and AArch64 architectures, and appropriate binaries are available for each. A cron job that runs sesame every five minutes provides persistence. If the system uses systemd, a service called “cloud-agent” is created as well. The miner deployed is a modified version of the open-source XMRig Monero miner.
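As an added defender-side example (not part of the advisory), the following Python checks a crontab and a list of systemd unit names for the two persistence artifacts described above: a five-minute cron job invoking “sesame” and a “cloud-agent” service. The crontab contents, the unit list, and the path of the script are constructed for illustration, not observed values.

```python
import re

# Indicator names taken from the advisory text.
PERSISTENCE_SCRIPT = "sesame"
SERVICE_NAME = "cloud-agent"

# Constructed sample crontab (not from a real host): one benign entry and one
# entry shaped like the advisory's five-minute persistence job. The path is made up.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup --quiet
*/5 * * * * /tmp/.x/sesame >/dev/null 2>&1
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /tmp/.x/sesame
"""

# Constructed list of unit file names, as collected from /etc/systemd/system.
SAMPLE_UNITS = ["sshd.service", "cloud-agent.service", "cron.service"]

CRON_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def every_five_minutes(minute_field):
    """True for a minute field meaning 'every five minutes': */5 or an explicit list."""
    if minute_field == "*/5":
        return True
    parts = minute_field.split(",")
    if len(parts) != 12 or not all(p.isdigit() for p in parts):
        return False
    return sorted(int(p) for p in parts) == list(range(0, 60, 5))

def suspicious_cron_entries(crontab_text):
    """Return crontab lines that run every five minutes and invoke the persistence script."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = CRON_RE.match(line)
        if not m:
            continue  # not a five-field schedule line (e.g. an environment setting)
        minute, command = m.group(1), m.group(6)
        if every_five_minutes(minute) and PERSISTENCE_SCRIPT in command.split():
            hits.append(line.strip())
        elif every_five_minutes(minute) and any(tok.endswith("/" + PERSISTENCE_SCRIPT) for tok in command.split()):
            hits.append(line.strip())
    return hits

def suspicious_units(unit_names):
    """Return systemd unit names matching the service the worm creates."""
    return [u for u in unit_names if u == SERVICE_NAME + ".service"]
```

Run both functions against the real crontabs (system and per-user) and the unit directories on a suspect host; a hit on either is a strong indicator, but absence of both does not rule out infection, since the miner may still be running.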