Romanian Crypto Mining Infection
While examining my honeypot logs and digging through the newly downloaded binaries last week, I noticed a large compressed file. I figured it would be a crypto miner, typically a tar archive and gzip (normally erroneously) compressed. I moved the archive over to my test lab and started examining the contents.
While crypto mining malware is not new, it was interesting to find a package that deviates from the improperly packed tar packages I'm used to finding. This miner installs XMRig and Perl DDoS IRC Bot v1.0, and it hides its crypto mining activity by using a rootkit similar to other reported crypto miners. It came with the source code to the rootkit as well, which was a nice surprise, along with the compile and installation script.
The tarball contained the following files:
sftp-server is a renamed version of XMRig
xmrig-notls is XMRig without tls support
python.txt is a base64 encoded Perl Bot DDoS script
Install installs the crypto miner while clearing the bash history
Init script to kill off other crypto mining processes
prchid install script for libprocesshider.so
prchid.c source code to libprocesshider.so
config.json xmrig configuration
cron cron entry starting up the malware upon reboot
cron.d a smaller version of the above script
.procs contains output redirected from init script
dir.dir install path from cron script
.out 0 byte redirected output file from init script
I'll step through the more interesting files listed above, as well as decode and examine their purpose.
The sftp-server is XMRig v5.5.1 with TLS enabled and xmrig-notls is without TLS support. This binary is generally found packaged with crypto mining malware, slightly disguised as some other utility or binary, but its large size tends to give it away.
Python.txt is a Perl script that has been encoded with base64. It can be easily decoded by changing eval to print and executing it while redirecting the output to a file. The decoded script is a modified version of Perl Bot v1.0, a known DDoS tool that uses IRC as a command and control server. One change to note - instead of using an IRC nickname of PerlBot it selects a random name from a list of hard-coded names.
The install script is a simple script that clears the shell history, sets the shell to not keep the history (-c), sets all the files to executable, and then runs init,cron, and prchid.
The string 'Blana de urs' is Romanian for 'Bear fur' according to Google Translate.
The init file is a large script that kills off other crypto miners. The top of the file has the following text:
The init script contains the string echo "AM FACUT CURATENIE!" which according to Google Translate is, "I CLEANED UP!" in Romanian.
The prchid file is the binary compiled from prchid.c. It's actually a compiled library .so file that replaces the readdir() library function that excludes the process specified at the top of the source file.
The interesting part of prchid.c is the following line where matching process_to_filter is excluded from the listing.
By excluding the matching process here it will not show up when examining the process list on the infected system using the command line utility 'ps'.
If I add a simple call to fprintf() in the code block above, we can see where the hidden process should have been:
A check of the processes on the infected host now reveals where the malware would have been reported.
cron and cron.d
These two files are scripts that set up cron job entries to ensure persistence after a reboot.
"PORNIT!" translates to "ON!" in Romanian.
This file is the standard configuration to XMRrig. This miner is configured to contribute to a pool located at xmrig.com.
"url": "[redacted]:3333", "user": "44j3JhCPKGVCMhfceDnwFLSHrs86B1vjnLQkWaSmvVxvSKzjVt4ZLqmDQszCr44KbGfto6d36CkReNw4tbDAZWy64EcRdiy", "pass": "x",
gzip compressed data, last modified:
Tue Apr 27 20:17:59 2021, from Unix, original size modulo 2^32 11468800
Tar archive contents
$ tar -tvf 38517d9bb1c2846652f44ae63fd05b64c263760cd4683ab5357
drwxr-xr-x gestoo/gestoo 0 2021-04-27 16:17 .logs/
-rw-r--r-- gestoo/gestoo 0 2021-04-27 15:50 .logs/.out
-rwxr-xr-x gestoo/gestoo 228 2020-01-11 20:42 .logs/SHA256SUMS
-rwxr-xr-x gestoo/gestoo 52218 2021-03-08 07:56 .logs/python.txt
-rwxr-xr-x gestoo/gestoo 10968 2021-03-08 08:16 .logs/init
-rwxr-xr-x gestoo/gestoo 413 2021-04-27 15:46 .logs/cron
-rw-r--r-- gestoo/gestoo 135 2021-04-27 15:50 .logs/cron.d
-rwxr-xr-x gestoo/gestoo 4395944 2020-01-11 20:42 .logs/xmrig-notls
-rw-r--r-- gestoo/gestoo 3487 2021-04-27 16:17 .logs/prchid.c
drwxr-xr-x gestoo/gestoo 0 2021-04-27 15:44 .logs/ /
-rw-r--r-- gestoo/gestoo 10 2021-04-27 15:50 .logs/.procs
-rwxr-xr-x gestoo/gestoo 224 2021-04-27 15:47 .logs/prchid
-rwxr-xr-x gestoo/gestoo 99 2021-04-27 15:49 .logs/install
-rwxr-xr-x gestoo/gestoo 12 2021-04-27 15:50 .logs/dir.dir
-rwxr-xr-x gestoo/gestoo 1851 2021-04-27 15:00 .logs/config.json
-rwxr-xr-x gestoo/gestoo 6989512 2020-01-11 20:42 .logs/sftp-server