Xmrig

Software updated 9 months ago (2024-10-17T12:07:11.133Z)

Download STIX

Preview STIX

XMRig is a high-performance mining software used for cryptocurrency, particularly Monero. This software has been utilized in various cyber attacks to exploit system resources and conduct cryptojacking activities. The operation begins with a dropper, which is responsible for the orchestration of the installation and execution of legitimate applications like the I2P tooling and the XMRig miner. Utilizing I2P, the dropper downloads a custom XMRig miner and manages the mining operations. Both i2pd and XMRig use legitimate file paths to mask their execution, making detection more challenging. The significant impact of these attacks is resource hijacking, where the XMRig miner exhausts the server's CPU resources. This situation occurs whether it's third-party proxyware or the XMRig Monero miner that perfctl drops onto a compromised server. Once the attacker has assembled their botnet, they can then use it for future malicious but profitable activities such as cryptocurrency mining, DDOS attacks, spam distribution, and data theft. The Dota3 botnet, known for its involvement in cryptojacking, deploys XMRig agents to compromised systems, indicating its primary purpose is to engage in crypto mining. The attack process involves several steps. Initially, the "check.sh" script creates necessary directories and verifies if the host hasn't been infected yet. If the host is the first to be infected, it downloads the "config.sh" from the attacker's IP and the XMRig coin miner from Github. The miner sets the pool URL with credentials using "config.json". To maintain persistence, the attacker uses multiple cron jobs, downloads the XMRig miner, and ensures all security tools are disabled before starting mining activities. A notable example is the exploitation of the critical vulnerability CVE-2023-22527 for cryptojacking activities, as reported by Trend Micro. After ensuring all cloud monitoring and security services are terminated or deleted, the attacker terminates the entry point process that exploits CVE-2023-22527 and downloads the XMRig miner to begin mining activities.

Description last updated: 2024-10-17T12:07:11.108Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Xmrig Miner is a possible alias for Xmrig. XMRig Miner is an open-source CPU/GPU miner software that supports numerous protocols. It's used in various cyber-attack campaigns to execute mining activities, often through the use of a dropper. The dropper is responsible for orchestrating the installation and execution of the legitimate applicati	8
Xmrig Crypto Miner is a possible alias for Xmrig. XMRig is a high-performance, open-source cryptocurrency mining software that allows users to mine Monero (XMR), among other cryptocurrencies. The software has been identified in several instances of unauthorized crypto-mining activities, often used in conjunction with other malicious software to exp	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Xmrig Miner

Payload

Cryptominer

Botnet

Linux

SSH

Ddos

Bot

Vulnerability

Exploit

Loader

Macos

Docker

Xmrig Crypto...

Windows

Github

Cron

PowerShell

Source

Python

Backdoor

Rootkit

Ddos Botnet

Trojan

Dropper

Downloader

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Shellbot Malware is associated with Xmrig. ShellBot is a malicious software (malware) variant that has been actively targeting poorly managed Linux SSH servers. As reported by Hacker News and HackRead in March 2023, this Perl-based DDoS bot deploys different variants to exploit these servers. ShellBot, along with another DDoS malware called	Unspecified	2
The Rapperbot Malware is associated with Xmrig. RapperBot is a malicious software (malware) identified as a Distributed Denial of Service (DDoS) botnet first encountered by Fortinet in mid-June 2022. This malware, which brute-forces its way into Internet of Things (IoT) devices, primarily targeted Linux SSH servers. RapperBot is unique in that wh	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-22527 Vulnerability is associated with Xmrig. CVE-2023-22527 is a critical vulnerability found in Atlassian's Confluence Server and Data Center. This flaw, rated 10 out of 10 on the CVSS v3 scale, is a template injection issue that allows an unauthenticated attacker to execute remote code. The vulnerability specifically affects outdated version	Unspecified	3

Source Document References

Information about the Xmrig Software was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	9 months ago	Perfctl Malware targets Linux servers in cryptomining campaign
DARKReading	9 months ago	Near-'perfctl' Fileless Malware Targets Millions of Linux Servers
Contagio	9 months ago	2024-09-24 Linux Malware Cryptocurrency Miners, DONUT LOADER, RUDEVIL RAT, KAIJI- Stager and DDoS botnet samples
SANS ISC	10 months ago	Hygiene, Hygiene, Hygiene! [Guest Diary] - SANS Internet Storm Center
Fortinet	10 months ago	Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 \| FortiGuard Labs
Securityaffairs	10 months ago	Threat actors exploit Atlassian Confluence bug in cryptomining campaigns
DARKReading	10 months ago	Attackers Exploit Critical Atlassian Confluence Flaw for Cryptojacking
Trend Micro	10 months ago	Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem
DARKReading	a year ago	Ransomware Actor Uses TeamViewer to Gain Initial Access to Networks
BankInfoSecurity	a year ago	Multiple Threat Actors Moving Quickly to Exploit PHP Flaw
Securityaffairs	a year ago	Multiple threat actors exploit PHP flaw CVE-2024-4577 to deliver malware
Trend Micro	a year ago	Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer
DARKReading	a year ago	Novel EDR-Killing 'GhostEngine' Malware Is Built for Stealth
CERT-EU	a year ago	Novel Migo malware impacts Redis servers
Securityaffairs	a year ago	Linux Malware targets misconfigured misconfigured Apache Hadoop, Confluence, Docker, and Redis servers
Trend Micro	a year ago	Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks
Securityaffairs	a year ago	Hackers hijacked the eScan Antivirus update mechanism in malware campaign
Securityaffairs	a year ago	Threat actors actively exploit JetBrains TeamCity flaws to deliver malware
DARKReading	a year ago	'Fluffy Wolf' Spreads Meta Stealer in Corporate Phishing Campaign
CERT-EU	a year ago	You’re going to start seeing more tax-related spam, but remember, that doesn’t actually mean there’s more spam