AT&T's Cybersecurity Branch Breaks Down Crypto Miner Threat to Email Servers

A new technical analysis from AT&T Alien Labs offers an inside look at how a pernicious form of monero mining malware infiltrates email networks.

AccessTimeIconJan 9, 2020 at 2:00 p.m. UTC
Updated Aug 19, 2021 at 12:10 a.m. UTC

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

AT&T's Alien Labs is dipping its toes into cryptomining malware analysis with a new technological breakdown of how a monero miner infiltrates networks. 

Released Thursday, the report by security researcher Fernando Domínguez provides a step-by-step walkthrough of how one rather low-profile cryptojacker infects and spreads across vulnerable Exim, Confluence and WebLogic servers, installing malicious code that mines monero through a proxy.  Exim servers represent more than half of all email servers, according to ZDNet

  • Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
    13:18
    Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
  • Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
    05:10
    Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
  • The first video of the year 2024
    04:07
    The first video of the year 2024
  • The last regression video of the year 3.67.0
    40:07
    The last regression video of the year 3.67.0
  • The worm first injects target servers with a BASH script that checks for, and kills, competing mining processes before attempting to infiltrate other known machines in the network. Crypto-miners often kill off competing miners when they infect a system, and for one very simple reason: The more CPU a different process hogs, the less is left over for others, according to the report.

    Breached servers then download the script’s payload: an “omelette” (as the downloaded executable file variable is termed) based on the open-source monero miner called XMRig.  

    Available on GitHub, XMRig is a malware hacker favorite and a common building block in cryptojackers’ arsenal. It has been retrofitted into MacBook miners, spread across 500,000 computers and, in 2017, became so popular that malicious mining reports spiked over 400 percent.

    This modified miner does its business via proxy, according to AT&T Alien Labs. That makes tracing the funds, or even discerning the wallet address, nearly impossible without proxy server access. 

    Frying this omelette is hard. When it downloads, another file called “sesame” – identical to the original BASH script – downloads as well. This is the key to the worm’s persistency: it hitches onto a cron job with a five-minute interval, enabling it to withstand kill attempts and system shutdowns. It can even automatically update with new versions. 

    AT&T Alien Labs began following the worm in June 2019. It had previously been studied by cloud security analysis firm Lacework in July. 

    Researchers don’t quite know how widespread this unnamed monero miner is. Alien Labs’ report admits that “it is hard to estimate how much income this campaign has reported to the threat actor,” but notes the campaign is “not very big.”

    Nonetheless, it serves as a reminder to all server operators: Always keep your software patched and up to date.

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.



    Read more about