Researchers have uncovered a malware bot that infects Linux-based servers and connected devices with a cryptominer that appears to transfer funds to the operators of a Chinese money-making scam website.
According to a June 26 blog post from Trend Micro, the bot is associated with an IP address that is set to search for ports pertaining to the Secure Shell (SSH) protocol and Internet of Things (IoT) devices. However, in the observed attack, the bot focused on devices communicating with SSH-based port 22 -- specifically those with an open and exploitable Remote Desktop Protocol (RDP) port.
Upon discovering a vulnerable device, the bot runs a wget command to download the script "mservice_2_5.sh" from a malicious website to a directory that installs the cryptojacking malware. The domain name of this website, written in transliterated Chinese, translates to "earn money all the way," blog post authors and researchers Jindrich Karasek and Loseway Lu explain.
Trend Micro has identified the domain as a financial scam site to which Monero and Ethereum coins are funneled by the cryptominer, named YiluzhuanqianSerd. Users are tricked into installing the miner via social engineering tactics, the report continues.
"The attackers here appear to go the extra mile to cover up a mining operation with a seemingly run-of-the-mill scam site," write Karasek and Lu. "Even so, the adverse effect remains: Surreptitiously mining for cryptocurrency on users' devices consumes considerable amounts of electricity and exhausts computing power."
Although the Chinese website looks innocent enough at first glance, it actually contains a blog and video tutorial page detailing the malicious mining operation. And even if its link were to be blocked, "the attacker can just switch to another domain to continue operations without losing the potential scam site itself," the blog post explains.
Trend Micro further notes that the malicious bot's installer script adds a basic persistence mechanism before downloading the miner, and configures Linux devices in such a way as to enhance their computational power, thereby increasing mining hauls.
"Using botnets is perhaps one of the most prevalent ways for attackers looking into abusing the IoT for their own gain," the blog post states. "A single compromised device may not be powerful enough, but when the malware is spread in a bot-enabled fashion, an army of mining zombies might just prove lucrative down the road."