Rewterz Threat Alert – Active Cryptomining Worm

Severity

High

Analysis Summary

An active cryptomining worm campaign is compromising servers and installing a cryptominer. The attacks appear to target vulnerable Exim, Confluence, and WebLogic servers. After a system is compromised, a deployment Bash script is downloaded and executed. If the system is already infected, the script first terminates any running mining processes. It then reads the SSH known_hosts file for other hosts it can try to infect. Next it downloads an ELF binary named “omelette” and another Bash script called “sesame”. Downloads are made with wget, curl, python2/3, or php, whichever is available on the infected system. Infection can take place on x86, x86-64, and AArch64 architectures, and a suitable binary is served for each. A cron job that runs sesame every five minutes provides persistence. If the system uses systemd, a service called “cloud-agent” is created as well. The miner deployed is a modified version of the open-source XMRig Monero miner.

Impact

  • Theft of cryptocurrency
  • Network-wide infection
  • Financial loss

Indicators of Compromise

IP

  • 51[.]15[.]56[.]161
  • 51[.]38[.]133[.]232

MD5

  • 21a9cac30458fb4dbf190df3edea965a
  • b120c895e8e78102b1ee1904ace11899
  • c6f69418ed39df7557a3d4c07793a923

SHA-256

  • 716042b8e32cfb364b04c4e068a37a8e60c928e4fd32c894282c5d658c138684
  • e2964214fdbfb51d5b33944cc9ca05821518a4bad01f750cee8f0d00f68a6176
  • f00258815853f767d70897db7263f740b161c39ee50c46c26ab247afb824459a

SHA1

  • 84a8a72ba58851c2810204f0ec444fec0ab7f895
  • 2bd781029bd373f45ff0965c81c543d15014d2eb
  • 81815d6a730a891d377d4f128ca3d66379bb76c8
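The following Python script is an added example, not part of the Rewterz advisory, that turns the persistence artifacts from the analysis summary (the every-five-minutes cron job running “sesame” and the “cloud-agent” systemd unit) and the listed IoCs into host-side checks. The crontab text, systemd unit names, log lines and the file path under /tmp are constructed sample data, not observations from a real host; the digests and IP addresses are the ones listed above, with the defanged IPs refanged for matching.

```python
import hashlib
import re

# --- Constructed sample input (not from a real host) -------------------------
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.X11-unix/sesame >/dev/null 2>&1
"""
SAMPLE_SYSTEMD_UNITS = ["sshd.service", "cloud-agent.service", "cron.service"]
SAMPLE_LOG = """\
2020-01-13T10:00:01Z wget GET http://51.15.56.161/omelette 200
2020-01-13T10:00:05Z curl GET http://203.0.113.9/index.html 200
"""

# --- Indicators taken from the advisory --------------------------------------
def refang(indicator: str) -> str:
    """Turn a defanged IP such as 51[.]15[.]56[.]161 back into a usable string."""
    return indicator.replace("[.]", ".")

IOC_IPS = {refang(ip) for ip in ("51[.]15[.]56[.]161", "51[.]38[.]133[.]232")}
IOC_MD5 = {
    "21a9cac30458fb4dbf190df3edea965a",
    "b120c895e8e78102b1ee1904ace11899",
    "c6f69418ed39df7557a3d4c07793a923",
}
IOC_SHA1 = {
    "84a8a72ba58851c2810204f0ec444fec0ab7f895",
    "2bd781029bd373f45ff0965c81c543d15014d2eb",
    "81815d6a730a891d377d4f128ca3d66379bb76c8",
}
IOC_SHA256 = {
    "716042b8e32cfb364b04c4e068a37a8e60c928e4fd32c894282c5d658c138684",
    "e2964214fdbfb51d5b33944cc9ca05821518a4bad01f750cee8f0d00f68a6176",
    "f00258815853f767d70897db7263f740b161c39ee50c46c26ab247afb824459a",
}

# Five schedule fields followed by the command; comments and blank lines skipped.
CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def suspicious_cron_entries(crontab_text: str) -> list:
    """Return cron lines that run a command named 'sesame' every five minutes."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if m and m.group(1) == "*/5" and "sesame" in m.group(6):
            hits.append(line)
    return hits


def suspicious_systemd_units(unit_names: list) -> list:
    """Return unit names whose base name is 'cloud-agent', as created by the worm."""
    return [u for u in unit_names if u.split(".")[0] == "cloud-agent"]


def digests(data: bytes) -> dict:
    """Compute all three digest types the advisory lists for a file's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_ioc_hash(data: bytes) -> bool:
    """True if any digest of the data is on the advisory's hash lists."""
    d = digests(data)
    return d["md5"] in IOC_MD5 or d["sha1"] in IOC_SHA1 or d["sha256"] in IOC_SHA256


def ioc_ips_in_log(log_text: str) -> list:
    """Return the advisory's IPs that appear anywhere in the given log text."""
    return sorted({ip for ip in IPV4_RE.findall(log_text) if ip in IOC_IPS})


if __name__ == "__main__":
    print("cron hits:   ", suspicious_cron_entries(SAMPLE_CRONTAB))
    print("systemd hits:", suspicious_systemd_units(SAMPLE_SYSTEMD_UNITS))
    print("IoC IPs seen:", ioc_ips_in_log(SAMPLE_LOG))
    print("hash match:  ", matches_ioc_hash(b"constructed benign content"))
```

On a live host the same functions would be fed the output of `crontab -l` for every user plus the files under /etc/cron.d, the unit names from `systemctl list-units --all`, proxy or firewall logs, and the bytes of any unexpected ELF binary; a cron hit or a cloud-agent unit is a stronger signal than a hash match, since the hashes will not cover rebuilt binaries.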

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
  • Keep all software updated to the latest patched versions to protect against known security vulnerabilities.