Linux coinminers

Coinminers continued to dominate the Linux threat landscape in 2021.
Pairs With This Song
Take Action


While coinminers affect all operating systems, they made up the majority of the threats we saw on Linux environments in 2021, just as we’ve seen in years prior. As Log4j vulnerabilities consumed the information security news cycle in December 2021, researchers reported adversaries exploiting Log4j to deliver XMRig payloads and other coinminers. Being able to detect and respond to common threats like coinminers will help any blue team detect a wide range of activity—even when it emanates from unknown exploits.

Many of our Linux coinminer detections began with a Secure Shell (SSH) daemon or a web server process. While we often did not know the exact method of initial access, the intrusion chains we observed suggested that many of them began with weak user authentication or exploitation of web applications. After gaining initial access, adversaries usually leveraged system utilities such as curl or wget to download additional utilities like shell scripts and coinmining binaries from external sources.

The shell scripts we identified performed various actions, including host reconnaissance, inhibition of competing miners, defense evasion, and persistence. Two common persistence methods we’ve observed with miner threats like Kinsing and TeamTNT are adding SSH keys to a user’s authorized_keys file and creating scheduled tasks via the crontab command, two relatively easy techniques. A single shell command can be added to a script and establish hooks without much effort on the part of the adversary.

The coinmining binaries that we observed most commonly were XMRig payloads, which were often delivered by adversaries who targeted unpatched endpoints. We observed threats such as Outlaw authenticating via SSH to endpoints, presumably as a result of brute-force attempts, followed by executing shell scripts that initiated XMRig payloads named kswapd0. We also saw z0miner exploiting vulnerabilities in Confluence to deploy XMRig payloads by executing various shell scripts.

Finally, Bird Miner tried to execute XMRig payloads on macOS hosts by using Qemu to emulate a Linux environment. No matter how elaborate their initial access techniques, the commonality between these threats is XMRig payloads. Due to its popularity, XMRig artifacts provide excellent opportunities for detection, including several discussed below.

Compromises involving coinmining have been surprisingly consistent over the last few years, and many of the detection opportunities we have shared previously are still relevant. Focusing on post-exploitation activity should help, regardless of whether the initial access method is a weak SSH password, outdated web application, or exploitation of a vulnerability like Log4Shell.

The best defense against many of the coinminer compromises we observed is patch management. Many of the coinminers we saw exploited flaws in outdated applications like JBoss and WebLogic, so keeping systems updated will deter adversaries who are simply scanning for applications with known vulnerabilities. Strong authentication policies, such as multi-factor authentication (MFA) or locking authentication to just SSH keys, should mitigate techniques like SSH brute forcing.

Here are some additional detection analytics to help identify potential Linux coinminer activity.

Detection opportunities

Bash authorized_keys file modification

This detection analytic will identify instances of Bash processes making file modifications to a user’s authorized_keys file. Kinsing coinmining malware is one Linux threat that uses this technique for persistence.

process == bash
filemod_filepath == '.ssh/authorized_keys'

*Note: There are many shells on Linux endpoints, and this analytic will likely need to be modified to specify the shells that are used within your Linux environment.

Pkill with xmr in command line

This detection analytic will identify processes named pkill that have command-line options containing the string xmr, which may be observed prior to new XMRig processes executing on infected endpoints.

process == pkill
command_line == 'xmr'

Renamed coinminers

This detection analytic will identify processes that have command-line options specific to XMRig and similar miners. While command-line arguments can be brittle, this is a great way to catch “lazy” adversaries who do little to hide their activities.

command_line_includes ('stratum' || '--coin' || '--donate-level' || 'cryptonight' || 'moneropool')
command_line_includes [at least 2 of the following] ('--cpu-priority' || '--max-cpu-usage' || '--algo' || '--url')

Process connecting to known mining pools

This detection analytic will identify non-web browser processes that initiate network connections to known mining pools.

process != ('chrome' || 'firefox' || 'msedge' || 'iexplore' || 'safari')
network _connection_includes == ('supportxmr' || 'xmrpool' || 'xmr.' || 'nanopool' || 'monero.')

*Note: This is a non-exhaustive list of pools and web browsers, which you can add to with additional research. Additionally, this analytic will likely need to be tuned to your specific environment, depending on your use of browsers and business purposes.