1.Overview

Recently, Antiy CERT detected a mining Trojan attack incident. This mining Trojan first appeared in March 2024 and has continuously updated its attack scripts. The typical feature of this mining Trojan is to download the corresponding mining program based on the operating system type, check if the system environment has tools such as curl, Python, and Perl, and if so, use these tools to download the mining program. If not, it will perform download adaptation and dynamically adjust the running parameters according to the CPU computing power. It will not saturate the CPU resources and avoid being detected and discovered by users due to excessive resource consumption. The mining Trojan is named “app Miner” because the string “app” appears multiple times in its script.

After verification, Antiy IEP can effectively detect and eliminate this mining Trojan.

2.Attack process

The app Miner mining Trojan will first perform functions in a series of functional modules. For example, the hash rate of Monero mining is estimated according to the number of CPU threads, the running parameters are dynamically adjusted according to the CPU calculation force, and a directory with sufficient space for placing mining Trojan is searched through a designated directory, Generate a formatted file name based on the operating system type and architecture of the affected host to find the competitive mining process running in the infected system, and so on. After that, the mining program will be downloaded from the specified URL, and the mining configuration file will be set for mining. The Trojan has many functions, but the default state script does not open these functions or to be developed, mainly including the planned task function, the service function, the process check function and so on.

Figure 2-1 Attack flowchart  

3.Analysis of Script Functions

Estimate the hash rate of Monero mining based on the number of CPU threads, and then dynamically calculate and select a port number based on this hash rate. This port number is used to configure a mining program to select the appropriate port for communication. Such a design may be intended to select suitable settings based on the different performance of different machines when running on different machines.

Figure 3-1 Estimating hash rates for Monero excavations ‑ 

Call mathlib calculation results according to the specified formula based on 70% of the CPU cores. For example, for a 16 core CPU, this result is 4096. By controlling the number of threads, the CPU’s resources are not saturated.

Figure 3-2 Dynamic adjustment of CPU power  

Traverse a series of directories (e.g., $HOME, $PWD, / var / tmp, / dev / shm, / var / run, / tmp), try to find a writable directory in these directories, and check that there is enough free space.

Figure 3-3 Traverse the specified directory and check the available space size of the directory

Generates a formatted file name based on the operating system type, the architecture, and whether compression and encryption are required. This feature is typically used to generate platform-specific and configured executable files or package names for identification and use in different environments.

Figure 3-4 Format File Name ‑ 

Find the running competitive mining process in the system, support precise matching and pattern matching. It selects the best way to search according to the tools available on the system (such as pgrep, ps, pidof), and when these tools are not available, it searches through the / proc file system manually, and when the mining process of the competitive products is found, Use pkill, killall, kill, and other commands to end the process.

Figure 3-5 Looking for a running competitive excavation process  

Authority to change the list of landings for mining procedures.

Figure 3-6 Authority for changing the table of contents of the mining program  

The mining program is downloaded from the specified URL, and the download operation is based on the tools on the victim’s machine. For example, wget, curl, perl, Python 2. x, and Python 3. x.

Figure 3-7 Download the mining program ‑ 

Set the mining configuration file, and the address of the mining pool is 207.180.217.230: 80.

Figure 3-8 Set up the excavation profile ‑ 

4.ATT&CK Mapping Map of Event

For the complete process of the attacker dropping the mining Trojan, the ATT&CK mapping map corresponding to this attack event is shown in Figure 4-1.

Figure 4-1 The ATT&CK mapping diagram corresponding to the event 

The technology points used by the attacker are shown in Table 41. ‑

Table 4-1 Description of ATT&CK technical behavior corresponding to the event 

ATT&CK stages / categories	Specific behavior	Notes
Execution	Using command and script interpreters	Use the bash script command
Persistence	Use of external remote services	Create Services
	Utilization of planned tasks / jobs	Create a scheduled task
Right to Submission	Abuse of enhanced control authority mechanism	Modify file permissions
Defensive evasion	Modify file and directory permissions	Modify file permissions and directory permissions
Findings	Discovery of system information	Find information such as system architecture
Impact	Resource hijacking	Occupying CPU resources

5.Recommendations for protection

For mining attack, Antiy suggests the following protective measures for the enterprise:

1. Install terminal protection: Install anti-virus software, and for different platforms, it is recommended to install Windows / Linux versions of Antiy IEP;
2. Strengthen the strength of SSH passwords: Avoid using weak passwords, and recommend using 16-digit or longer passwords, including combinations of upper and lower case letters, numbers and symbols, and avoid using the same password for multiple servers;
3. Update patches in time: It is suggested to activate the automatic update function to install system patches, and the server shall update the system patches in time;
4. Update third-party application patches in time: It is recommended to update application patches of third-party applications such as Redis in time;
5. Enable log: Enable the key log collection function (security log, system log, error log, access log, transmission log and cookie log) to provide a foundation for the tracing of security events;
6. Host reinforcement: Conduct penetration test and security reinforcement for the system;
7. Deployment of Intrusion Detection System (IDS): Deployment of traffic monitoring software or equipment to facilitate the discovery, tracing of malware. Taking network traffic as the detection and analysis object, Antiy PTD can accurately detect a mass of known malware and network attack activities, and effectively detect suspicious behaviors, assets and various unknown threats on the network;
8. Antiy service: In case of malware attack, it is suggested to isolate the attacked host in time, and protect the site and wait for the security engineer to check the computer; Antiy 7 * 24 service hotline: 400-840-9234.

It is suggested that enterprise users deploy professional terminal security protection products, conduct real-time detection of local new and start-up files, and perform periodic virus scanning in the network. The terminal security products of Antiy IEP relying on Antiy’s self-research threat detection engine and core-level active defense capability, can effectively detect and kill the virus samples found this time.

Antiy IEP client detects the execution behavior of the local script in real time through the active defense capability, detects the threat of the execution script, and can automatically intercept and send a risk alarm to the user once the start script is found to be a malicious file, ensuring the security of the terminal environment.

Figure 5-1 When running malicious scripts, IEP successfully intercepted them.

IEP also provides a unified management platform for users, through which administrators can view details of threats within the network in a centralized manner and handle them in batches, thus improving the efficiency of terminal security operation and maintenance.

Figure 5-2 Through IEP Management Center, security incidents can be uniformly managed and handled. 

6.IoCs

IoCs

157.230.106 [.] 100

111.48.208 [.] 225

207.180.217 [.] 230

185.213.26 [.] 27

199b790d05724170f3e6583500799db1

C0ed4f906576c06d861302e8cf924309

Appendix: About Antiy

Antiy is committed to enhancing the network security defense capabilities of its customers and effectively responding to security threats. Through more than 20 years of independent research and development, Antiy has developed technological leadership in areas such as threat detection engines, advanced threat countermeasures, and large-scale threat automation analysis.

Antiy has developed IEP (Intelligent Endpoint Protection System) security product family for PC, server and other system environments, as well as UWP (Unified Workload Protect) security products for cloud hosts, container and other system environments, providing system security capabilities including endpoint antivirus, endpoint protection (EPP), endpoint detection and response (EDR), and Cloud Workload Protection Platform (CWPP) , etc. Antiy has established a closed-loop product system of threat countermeasures based on its threat intelligence and threat detection capabilities, achieving perception, retardation, blocking and presentation of the advanced threats through products such as the Persistent Threat Detection System (PTD), Persistent Threat Analysis System (PTA), Attack Capture System (ACS), and TDS. For web and business security scenarios, Antiy has launched the PTF Next-generation Web Application and API Protection System (WAAP) and SCS Code Security Detection System to help customers shift their security capabilities to the left in the DevOps process. At the same time, it has developed four major kinds of security service: network attack and defense logic deduction, in-depth threat hunting, security threat inspection, and regular security operations. Through the Threat Confrontation Operation Platform (XDR), multiple security products and services are integrated to effectively support the upgrade of comprehensive threat confrontation capabilities.

Antiy provides comprehensive security solutions for clients with high security requirements, including network and information authorities, military forces, ministries, confidential industries, and critical information infrastructure. Antiy has participated in the security work of major national political and social events since 2005 and has won honors such as the Outstanding Contribution Award and Advanced Security Group. Since 2015, Antiy’s products and services have provided security support for major spaceflight missions including manned spaceflight, lunar exploration, and space station docking, as well as significant missions such as the maiden flight of large aircraft, escort of main force ships, and Antarctic scientific research. We have received several thank-you letters from relevant departments.

Antiy is a core enabler of the global fundamental security supply chain. Nearly a hundred of the world’s leading security and IT enterprises have chosen Antiy as their partner of detection capability. At present, Antiy’s threat detection engine provides security detection capabilities for over 1.3 million network devices and over 3 billion smart terminal devices worldwide, which has become a “national-level” engine. As of now, Antiy has filed 1,877 patents in the field of cybersecurity and obtained 936 patents. It has been awarded the title of National Intellectual Property Advantage Enterprise and the 17th (2015) China Patent Excellence Award.

Antiy is an important enterprise node in China emergency response system and has provided early warning and comprehensive emergency response in major security threats and virus outbreaks such as “Code Red”, “Dvldr”, “Heartbleed”, “Bash Shellcode” and “WannaCry”. Antiy conducts continuous monitoring and in-depth analysis against dozens of advanced cyberspce threat actors (APT groups) such as “Equation”, “White Elephant”, “Lotus” and “Greenspot” and their attack actions, assisting customers to form effective protection when the enemy situation is accurately predicted.