    January 14, 2022

    Cryptominer Campaign Targeting VMware vSphere Services for Coin Mining

    Research by: Siddharth Sharma

     

The Uptycs Threat Research team recently identified malicious shell scripts that specifically target VMware vSphere. vSphere encompasses several distinct products and technologies that work together to provide a complete infrastructure for virtualization. The attackers use commands in the shell script to modify the vSphere service so that it runs the Xmrig miner. The shell script also contains a command to download a user mode rootkit from the attacker's web server, which was most likely used to hide the malicious activity.

     

    Shell Script

The shell script (hash: b46764c046e0db26e6f43f46364ac0acad173541e7134611cb64e091db7b7ced) in this mining campaign starts by setting the SELinux mode to permissive. This temporarily disables SELinux enforcement using the command setenforce 0 2>/dev/null (see Figure 1).



Figure 1: setting SELinux to permissive

     

The shell script also contains commands that download the miner, its config file and the user mode rootkit from the attacker's web server. The attackers use the wget utility to fetch the malicious components and the chmod utility to make them executable.

The rootkit is saved as libload.so and is loaded into the miner process through the LD_PRELOAD environment variable (see Figure 2).

     

    Figure 2: commands to download malicious components

     

The commands in the script then modify the vSphere service so that it runs the Xmrig miner, as shown below (see Figure 3).

    Figure 3: service creation to run Xmrig miner

     

After modifying the service, the shell script reloads the systemd daemon and enables and starts the service so that the miner process is launched, and relaunched on every boot (see Figure 4). The commands used are:

     

    systemctl daemon-reload

    systemctl enable vsphereui.service

    systemctl enable vsphere.service

    systemctl start vsphere.service

     

    Figure 4: commands to restart services
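As an added defensive check (not part of the original post or of Uptycs' tooling), the following Python scans a systemd unit file for the traits described above: an LD_PRELOAD injection in the [Service] section, an Exec* line that runs from a world-writable directory, or a reference to the miner, rootkit or process names from this campaign. The two sample units are constructed for the example, and the clean ExecStart path is a placeholder, not a real vSphere path.

```python
# Constructed sample units modelled on the technique described above (a
# vSphere-named service started with LD_PRELOAD and a miner ExecStart);
# neither is the attacker's real unit, and the clean path is hypothetical.
SUSPECT_UNIT = """[Unit]
Description=VMware vSphere Service

[Service]
Environment=LD_PRELOAD=/usr/local/lib/libload.so
ExecStart=/usr/local/bin/crosbow -c /usr/local/bin/config.json
"""
CLEAN_UNIT = """[Service]
ExecStart=/opt/example/bin/vsphere-ui
"""

# Indicators taken from the write-up (miner, rootkit and process names) plus
# directories a legitimate service should never execute from.
SUSPICIOUS_NAMES = ("xmrig", "libload.so", "crosbow")
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def parse_unit(text):
    # Minimal systemd unit parser: {section: [(key, value), ...]}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def audit_unit(text):
    # Return findings for the [Service] section; an empty list means nothing flagged.
    findings = []
    for key, value in parse_unit(text).get("Service", []):
        low = value.lower()
        if key == "Environment" and "ld_preload=" in low:
            findings.append(f"{key} injects a shared object via LD_PRELOAD: {value}")
        if key.startswith("Exec") and value.split():
            # Drop systemd's optional prefix characters before the executable path
            path = value.split()[0].lstrip("-@!+:")
            if any(path.startswith(d) for d in SUSPICIOUS_DIRS):
                findings.append(f"{key} executes from a world-writable directory: {path}")
        if any(name in low for name in SUSPICIOUS_NAMES):
            findings.append(f"{key} references a known-bad name: {value}")
    return findings
```

On a live host the same function can be applied to every file under /etc/systemd/system and /usr/lib/systemd/system, which is where the modified vsphere.service unit would have to live for systemctl enable to pick it up.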

     

    The mining operation is carried out using the wallet ID of the attacker “87ftP3g5Aa8BVWvfi4NQpSiSw4qYNvQm1CpUK2YpGxBoTwUA2S2GUE1NsiKUGP9pBrB6RDrKWTLKz11bXK5fsGhBSNMsUx9” over the pool gulf.moneroocean[.]stream:443.

     

    Figure 5: Xmrig config file



    At the time of writing, according to moneroocean[.]stream, the user was paid 8.942 XMR. 

     

    Rootkit

The attackers also used the open source processhider rootkit to hide the miner process. processhider traverses the /proc filesystem to find the process with the given name (in this case 'crosbow') and then hides it from process listings (see Figure 6).

     

      Figure 6: processhider rootkit disassembly

     

    Conclusion

Cryptojacking campaigns mostly target systems with high-end resources. In this campaign, as we saw, the attackers registered the Xmrig miner itself as a service (daemon) that runs whenever the system is rebooted. In the past we have seen highly sophisticated groups targeting vulnerable VMware services. It is therefore important to monitor the suspicious processes, events and network traffic spawned by the execution of any untrusted shell script. We will continue to monitor the developments of this campaign and share updates.

     

    Uptycs EDR Detections

Uptycs XDR detects the malicious activities of the shell script and also identifies the malicious IP used in this campaign with a threat score of 10/10 (see Figures 7 and 8).

     

    Figure 7: Uptycs EDR detections

     

Figure 8: Uptycs EDR detections

     

    IOCs

    b46764c046e0db26e6f43f46364ac0acad173541e7134611cb64e091db7b7ced  shell script

    44cb9c1e139a06a86442c92b596a653659132fbc92986a2f5338630c90200af1 shell script

    acbb4f3f9a13845de0c1c23f06dcb554817e610318e57718e63ce6a57af4911c Xmrig miner

    791ce0a733ccf19ddccda8fa4c748d804460c5f5c61d8a3cdc41a0620f469991 rootkit

    93[.]95[.]227.64 Attackers web server

    gulf[.]moneroocean[.]stream

     


     

     
