AT&T's Cybersecurity Branch Breaks Down Crypto Miner Threat to Email Servers

AT&T's Alien Labs is dipping its toes into cryptomining malware analysis with a new technological breakdown of how a monero miner infiltrates networks.

Released Thursday, the report by security researcher Fernando Domínguez provides a step-by-step walkthrough of how one rather low-profile cryptojacker infects and spreads across vulnerable Exim, Confluence and WebLogic servers, installing malicious code that mines monero through a proxy. Exim servers represent more than half of all email servers, according to ZDNet.

The worm first injects target servers with a BASH script that checks for, and kills, competing mining processes before attempting to infiltrate other known machines in the network. Crypto-miners often kill off competing miners when they infect a system, and for one very simple reason: The more CPU a different process hogs, the less is left over for others, according to the report.

Breached servers then download the script’s payload: an “omelette” (as the downloaded executable file variable is termed) based on the open-source monero miner called XMRig.

Available on GitHub, XMRig is a malware hacker favorite and a common building block in cryptojackers’ arsenal. It has been retrofitted into MacBook miners, spread across 500,000 computers and, in 2017, became so popular that malicious mining reports spiked over 400 percent.

This modified miner does its business via proxy, according to AT&T Alien Labs. That makes tracing the funds, or even discerning the wallet address, nearly impossible without proxy server access.

Frying this omelette is hard. When it downloads, another file called “sesame” – identical to the original BASH script – downloads as well. This is the key to the worm’s persistency: it hitches onto a cron job with a five-minute interval, enabling it to withstand kill attempts and system shutdowns. It can even automatically update with new versions.

AT&T Alien Labs began following the worm in June 2019. It had previously been studied by cloud security analysis firm Lacework in July.

Researchers don’t quite know how widespread this unnamed monero miner is. Alien Labs’ report admits that “it is hard to estimate how much income this campaign has reported to the threat actor,” but notes the campaign is “not very big.”

Nonetheless, it serves as a reminder to all server operators: Always keep your software patched and up to date.