In a nutshell:

• backdoored “configure” script → Shell script → Daemon → XMRig

• Watches for these processes and kills the miner if present: top, htop, atop, mate-system-mon, iostat, mpstat, sar, glances, dstat, nmon, vmstat, ps

• Collects information about the hardware (cpuinfo, meminfo, os-release, machine-id, etc.) and about files in the home directory every 12h

• Uploads information to file.io with an expiry date of ten days.

• Shows fake error message about a missing “libnetauth” which does not seem to be a real library

• Installs its own SSH auth key

Our analysis report shows our executable compound sample submission that executes the first two shell script payloads

Threat identifiers

See why we think this is malicious in plain language.

Process map

See the whole path of the sample’s execution

MITRE ATT&CK Matrix

Map the malicious activities on the MITRE ATT&CK Framework

Network connections

Explore detailed information on the IP addresses, URLs and DNS, including function logs and PCAP Streams

Pre-filtered IOCs

Download the IOCs and artifacts to have a clear picture of the threat.

Files

Download the files that the malware downloads, drops or modifies.

Explore how you can use these insights

Incident
Response

Threat
Hunting