Research by: Siddharth Sharma


The Uptycs Threat Research team recently identified some malicious shell scripts which specifically targets VMware vSphere. The vSphere encompasses several distinct products and technologies that work together to provide a complete infrastructure for virtualization. The attackers have used certain commands in the shell script to modify the vSphere service in order to run the Xmrig miner. The shell script also contains the command to download a user mode rootkit from the attacker’s web server that was possibly used to hide the malicious acts.


Shell Script

The shell script(hash: b46764c046e0db26e6f43f46364ac0acad173541e7134611cb64e091db7b7ced) in this mining campaign starts with setting the SELINUX mode to permissive. This disables SELinux temporarily using setenforce 0 2>/dev/null command (see Figure 1).


Figure 1: setting SElinux to permissive


The shell script also contains commands which download the miner, the config file and the user mode rootkit from the attacker's web server. The attackers used wget utility to fetch the malicious components and chmod utility to make the components executable.

The rootkit gets saved as and gets run with the ld_preload environment variable(see Figure 2).



Figure 2: commands to download malicious components


The commands in the script then modify the vsphere service in the way to run the Xmrig miner as shown below(see Figure 3)


Figure 3: service creation to run Xmrig miner


After service modification, the commands in the shell script reload the services(daemon) so that the miner process could be started(see Figure 4). The Commands used are:


systemctl daemon-reload

systemctl enable vsphereui.service

systemctl enable vsphere.service

systemctl start vsphere.service



Figure 4: commands to restart services


The mining operation is carried out using the wallet ID of the attacker “87ftP3g5Aa8BVWvfi4NQpSiSw4qYNvQm1CpUK2YpGxBoTwUA2S2GUE1NsiKUGP9pBrB6RDrKWTLKz11bXK5fsGhBSNMsUx9” over the pool gulf.moneroocean[.]stream:443.



Figure 5: Xmrig config file

At the time of writing, according to moneroocean[.]stream, the user was paid 8.942 XMR.



The attackers also used the open source processhider rootkit for hiding the process . The processhider traverses the /proc filesystem in order to find the given process(in this case ‘crosbow’) and later hides the same.(see Figure 6)


fig6-2   Figure 6: processhider rootkit disassembly



Cryptojacking campaigns mostly target the systems having high end resources. In this campaign as we saw the attackers tried to register the xmrig miner itself as a service(daemon) which runs whenever the system gets rebooted. In the past we have seen highly sophisticated groups targeting vulnerable Vmware services. Hence it becomes really important to monitor the suspicious processes, events, and network traffic spawned on the execution of any untrusted shell script. We will continue to monitor the developments of this campaign and share updates.


Uptycs EDR Detections

Uptycs Extended Detection and Response (XDR) detects the malicious activities of the shell script and also identifies the malicious IP used in this campaign with a threat score of 10/10.(see Figure 7&8)



Figure 7: Uptycs EDR detections



Figure 8:Uptycs EDR detections



b46764c046e0db26e6f43f46364ac0acad173541e7134611cb64e091db7b7ced  shell script

44cb9c1e139a06a86442c92b596a653659132fbc92986a2f5338630c90200af1 shell script

acbb4f3f9a13845de0c1c23f06dcb554817e610318e57718e63ce6a57af4911c Xmrig miner

791ce0a733ccf19ddccda8fa4c748d804460c5f5c61d8a3cdc41a0620f469991 rootkit

93[.]95[.]227.64 Attackers web server



To learn more about the latest threat research conducted by the Threat Research Team, check out our most recent threat bulletin.