Xmrig Miner

Software updated 9 months ago (2024-10-17T12:07:11.768Z)
XMRig Miner is an open-source CPU/GPU cryptocurrency miner that supports numerous mining protocols. It is abused in many cyber-attack campaigns to mine on compromised hosts, typically delivered by a dropper. The dropper orchestrates the installation and execution of a legitimate application, I2P tooling and the XMRig miner: over I2P it downloads a custom XMRig build and manages the mining operation, generating and executing a script that downloads, configures and runs a copy of the miner. In some cases the XMRig download script pushes a configuration to the miner through XMRig's native API.

Threat actors deploying XMRig often reuse techniques from earlier campaigns, such as the year-long campaign disclosed by Wiz in July, which used Selenium Grid as the vector to deploy the miner. In those intrusions the attackers first terminate or delete all cloud monitoring and security services, then download the XMRig miner and execute it as an ELF payload, hijacking system resources, and install multiple cron jobs to maintain persistence. On Windows, a malicious script downloads all the tools needed to unpack and run the miner; the attackers use the Selenium WebDriver API to run Python with a reverse shell, which deploys scripts that fetch a modified XMRig build. A process named "AddinProcess.exe" is created to host the miner: the XMRig payload is written into that process and run. This activity underscores the adaptability of threat actors and the importance of maintaining robust security measures against such threats.
Description last updated: 2024-10-17T12:07:11.749Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names / profiles you may also want to look at.
Alias: Xmrig (8 votes)
Xmrig is a possible alias for Xmrig Miner. XMRig is high-performance mining software used for cryptocurrency, particularly Monero. This software has been utilized in various cyber attacks to exploit system resources and conduct cryptojacking activities. The operation begins with a dropper, which is responsible for the orchestration of the
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Xmrig
Malware
Payload
Python
Docker
Linux
Loader
Associated Malware
Malware: Pyloose (2 votes)
The Pyloose Malware is associated with Xmrig Miner. In July, Wiz researchers issued a warning about PyLoose, a malicious software (malware) composed of Python code. This malware is designed to covertly load an XMRig miner, a program used for cryptocurrency mining, into a computer's memory using the memfd Linux fileless process. This technique allows this related to
Associated Vulnerabilities
Vulnerability: CVE-2023-22527 (association type: Unspecified; 2 votes)
The CVE-2023-22527 Vulnerability is associated with Xmrig Miner. CVE-2023-22527 is a critical vulnerability found in Atlassian's Confluence Server and Data Center. This flaw, rated 10 out of 10 on the CVSS v3 scale, is a template injection issue that allows an unauthenticated attacker to execute remote code. The vulnerability specifically affects outdated version
Source Document References
Information about the Xmrig Miner Software was read from the document corpus below. This display is limited to 20 results.
Source (created)
DARKReading (10 months ago)
Securityaffairs (10 months ago)
DARKReading (10 months ago)
Trend Micro (10 months ago)
MITRE (2 years ago)
Checkpoint (a year ago)
Trend Micro (a year ago)
Securityaffairs (a year ago)
DARKReading (a year ago)
Fortinet (2 years ago)
CERT-EU (2 years ago)
CERT-EU (2 years ago)
DARKReading (a year ago)
CERT-EU (a year ago)
InfoSecurity-magazine (a year ago)
CERT-EU (2 years ago)
MITRE (2 years ago)
CERT-EU (a year ago)
CERT-EU (2 years ago)
CrowdStrike (2 years ago)