GitHub, Netlify deliver Vulnerabilities Exploited for Monero Mining Malware

December 9, 2021

Analysts observed the usage of Netlify and GitHub as the malware file servers for downloading batch scripts from an attacker-controlled account.

The batch script is renamed as a temporary file and deleted after it starts running in the background.

Windows Infection Process

The scripts are a modified version of Monero-mining helper scripts abridged from GitHub. These scripts begin by checking if the current session has administrative privileges.

Checking Administrative Privileges

If the privilege level is Administrator, then the ADMIN flags are set.
The length of the Monero wallet address is calculated.
If the length is not 106 or 95 characters, the script exits.
If it is 106 or 95, execution jumps to the WALLET_LEN_OK statement.

System Enumeration and CPU Evaluation

The script further conducts a series of checks in the system, such as:

Checking if the USERPROFILE environment variable is defined.
Verifying the availability of utilities like wmic, powershell, find, findstr, and tasklist.

The wmic utility is used to gather system parameters, including:

Number of processors
Maximum clock speed
L2 and L3 cache sizes
CPU sockets

These values are later used to calculate the Monero mining rate of the Windows host. For different mining rates, different ports are used on the mining pool.

Malware Installation and Execution

1. Removal of Existing Miner: The running c3pool_miner is removed from the host.

2. Download of Monero Miner:

The zipped miner (c3.zip) is downloaded from an attacker-controlled GitHub repository.
PowerShell is used to unzip the file.
If the unzip attempt fails, 7z is downloaded to extract the file.

3. Installation of XMRig:

The latest version of XMRig for Windows is downloaded from the official repository.
After unzipping, the 7z binary and XMRig ZIP files are removed.

Persistence and Execution

The configuration files are modified using PowerShell.
If the miner (c3.exe) is already running, execution jumps to an ALREADY_RUNNING label.
If not, the miner is executed using the start command in the IDLE priority class.
If the current user has administrative privileges, execution jumps to the ADMIN_MINER_SETUP label.
If not, persistence is established by modifying the Startup directory with batch scripts to execute c3pool XMR miner with the configuration file.

Service Creation

A service is created from c3cache_worker using the Non-Sucking Service Manager (NSSM).

NSSM is a service helper program that helps install applications as services.
It allows logging to user-defined files.

Linux Infection Process

Initial Cleanup and Process Monitoring

The shell script starts with an infinite loop to remove competing cryptominers found in the infected system, such as:
- kinsing
- kdevtmpfsi
- pty86
- .javae
After removing competing miners, the attribute of /var/spool/cron/root is set to immutable, and crontab is reloaded.
If any processes except java, redis, weblogic, mongod, mysql, oracle, tomcat, grep, postgres, confluence, awk, and aux use more than 60% of CPU, they are terminated.
A function func1 (redacted) is called, and the loop repeats every 30 seconds.

Use of GitHub and Netlify for File Delivery

Analysts observed two content delivery networks (CDNs) being used as the FILE_CC_SERVER:

GitHub
Netlify

Function `func1` and Monero Mining Execution

The process java.xnk is checked for CPU usage.
If CPU usage is ≥ 60%, the process ID (PID) is stored in a variable p.
If p is empty, the process is killed.

Creation of Malware Storage Directories

The script then creates three directories:

/var/tmp/java.xnk
/var/lock/java.xnk
/tmp/java.xnk

Monero Miner Installation

The script checks different paths for wget and curl binaries and assigns them to the variable Wget.
It checks for the presence of java.xnk.bionic in $DIR.

If the file does not exist:

The script uses the valid Wget command to download and copy:
- bionic (Monero miner)
- config.json (containing the Monero wallet address)
Executable permissions are assigned to the binary, and it is executed using nohup.