- The malware infects web servers and maximizes CPU usage while mining cryptocurrency.
- It uses cron commands to maintain persistence on the system even if all the malicious files and processes are removed.
A cryptomining malware was spotted by security researchers that leveraged cron scheduler. Researchers from the security firm Sucuri analyzed a Bash script linked with the malware, which downloaded its payload and configuration files into the system.
It was found that this script terminated other cryptomining processes in the infected system before running its own and used cron commands for evading detection, and reinfection.
How does it work?
- The malware infects web server and starts running cryptomining processes that maximize the CPU usage.
- The malicious payload is downloaded by a Bash script named ‘cr2.sh’.
- This script killed any process associated with cryptomining including those of xmrig, cryptonight among others. It also performs many operations such as identifying the OS environment (32/64 bit) to download the appropriate payload.
- The script downloads a configuration file and a cryptominer payload.
- In the case of detection, cron commands are executed for killing the script and for redownloading it again. This way, the malware establishes persistence in the system without being detected easily.