Backdoored configuration script waits until user is inactive (!) to run Linux malware

VMRay Labs has found a backdoored build configuration script for httpd designed to drop and run the XMRig malware to mine Monero. ⛏️


⏳ Surprisingly, the script waits until the user has been inactive for at least a minute before starting the crypto-miner.

🔍 It also looks out for resource monitoring tools such as htop, nmon, or iostat and, when one is running, kills the resource-heavy XMRig process to avoid being noticed. To maintain access, the sample adds the attackers’ public key to the “.ssh/authorized_keys” file, allowing them to re-enter the compromised machine without a password.


Note: the official httpd configuration script from Apache is NOT backdoored. This is a custom modification by threat actors, who likely distribute their own backdoored httpd source code to their victims.

0 / 62 detections on VirusTotal

In a nutshell:

  • Backdoored “configure” script → shell script → daemon → XMRig
  • Watches for these processes and kills the miner if any is present: top, htop, atop, mate-system-mon, iostat, mpstat, sar, glances, dstat, nmon, vmstat, ps
  • Collects information about the hardware (cpuinfo, meminfo, os-release, machine-id, etc.) and about files in the home directory every 12h
  • Uploads the collected information to file.io with an expiry of ten days
  • Shows a fake error message about a missing “libnetauth”, which does not appear to be a real library
  • Installs its own SSH authorized key

Our analysis report covers a compound sample submission: the executable that runs the first two shell script payloads.

Sample SHA256:

901d7698b77d4a7cd1a7db3ea61bf866dcee77e677761f9d1ba6d193837e5447
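The following POSIX shell script is an added defender-side example, not code from VMRay or from the sample. It turns the behaviours listed above into three triage checks a build host or CI runner can apply before running an untrusted `configure`: compare the file’s SHA256 with the hash published in this post, grep the script for the indicators described here (authorized_keys, file.io, xmrig, the fake “libnetauth”, and an unusual enumeration of resource monitors), and diff `~/.ssh/authorized_keys` against a known-good baseline. The function names, the threshold of four monitor names, and the fixture files it creates are my own constructions; the fixture only contains descriptive text, not the sample’s payload.

```shell
#!/bin/sh
# Added example (not VMRay's or the sample's code): triage checks derived from
# the behaviours described in the post. Function names and fixtures are
# constructed for illustration.

# SHA256 of the backdoored configure script, as published in the post.
KNOWN_BAD_SHA256="901d7698b77d4a7cd1a7db3ea61bf866dcee77e677761f9d1ba6d193837e5447"

# Process names the sample watches for before killing the miner (from the post).
MONITOR_TOOLS="top htop atop mate-system-mon iostat mpstat sar glances dstat nmon vmstat ps"

# Print the SHA256 of a file; works with GNU coreutils or BSD/macOS shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Exit status 0 when the file is the exact sample from the post.
matches_known_bad() {
    [ "$(file_sha256 "$1")" = "$KNOWN_BAD_SHA256" ]
}

# Print how many of the post's behavioural indicators appear in a script.
# Threshold of 4 monitor names is an assumption: a genuine autoconf
# configure has no reason to enumerate htop/iostat/nmon-style tools.
score_configure_script() {
    f="$1"
    hits=0
    grep -qi 'authorized_keys' "$f" && hits=$((hits + 1))
    grep -qi 'file\.io'        "$f" && hits=$((hits + 1))
    grep -qi 'xmrig'           "$f" && hits=$((hits + 1))
    grep -qi 'libnetauth'      "$f" && hits=$((hits + 1))
    tools_seen=0
    for t in $MONITOR_TOOLS; do
        grep -qw "$t" "$f" && tools_seen=$((tools_seen + 1))
    done
    [ "$tools_seen" -ge 4 ] && hits=$((hits + 1))
    echo "$hits"
}

# Print every key line in an authorized_keys file that is not in the baseline
# (one key per line, exact match; key options such as "command=" must match
# too). Exit status 0 means at least one unexpected key was found.
list_unexpected_ssh_keys() {
    keys="$1"; baseline="$2"
    grep -v '^[[:space:]]*#' "$keys" | grep -v '^[[:space:]]*$' | grep -vxFf "$baseline"
}

# --- Constructed demo input (descriptive text only, not the real sample) ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/configure" <<'EOF'
#!/bin/sh
# (constructed fixture) autoconf-looking prologue
echo "checking for libnetauth... no"
# trailing payload markers, as described in the VMRay post:
# watches top htop atop iostat nmon vmstat ps; stops xmrig when seen
# appends a key to ~/.ssh/authorized_keys
# uploads collected info to file.io
EOF
printf 'ssh-ed25519 AAAAC3_CONSTRUCTED_ADMIN_KEY admin@host\n' > "$DEMO/baseline"
printf '# managed file\nssh-ed25519 AAAAC3_CONSTRUCTED_ADMIN_KEY admin@host\nssh-ed25519 AAAAC3_CONSTRUCTED_UNKNOWN_KEY attacker\n' > "$DEMO/authorized_keys"

echo "indicator hits: $(score_configure_script "$DEMO/configure")"
if matches_known_bad "$DEMO/configure"; then
    echo "hash MATCHES the published sample"
else
    echo "hash differs from the published sample (expected for this fixture)"
fi
list_unexpected_ssh_keys "$DEMO/authorized_keys" "$DEMO/baseline" || echo "no unexpected keys"
```

In practice, run `matches_known_bad` against every `configure` in a freshly unpacked source tree, treat a score of two or more from `score_configure_script` as a stop-the-build signal for manual review, and schedule `list_unexpected_ssh_keys` against a version-controlled baseline so an appended key surfaces even if the miner itself stays quiet while monitoring tools are open.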
