The Parasite in the Server Room: A Linux Cryptojacking Compromise Story

Threat Overview
Sangfor FarSight Labs recently uncovered a coordinated cryptojacking campaign targeting enterprise Linux infrastructure during a threat-hunting engagement. Although the activity may initially appear to be a routine mining infection, that framing would significantly understate the threat.
The campaign shows characteristics more consistent with an APT-style intrusion than with opportunistic commodity malware. Its operators are not simply abusing CPU resources for short-term gain; the malware suite demonstrates high target orientation, stealth, and persistence within Linux environments.
Organizations should therefore treat this activity as a serious Linux infrastructure compromise, not as a minor cryptomining nuisance. That compromise manifests across four areas: resource abuse, loss of security visibility, destruction of audit evidence, and weaponization of trusted infrastructure.
The Silent Financial Drain
Once inside, the malware manipulates kernel-level parameters to raise the hardware resource ceilings available to its mining operations. This causes immediate performance degradation and latency for your customer-facing applications, and it can also trigger cloud auto-scaling. The next month's cloud bill surges, and your enterprise ends up directly bankrolling the attacker's illicit profits.
The Ultimate Security Blindspot
This is not a standalone mining script; it is a multi-functional, enterprise-grade backdoor equipped with reverse shells, automated internal scanning, and DDoS capabilities. By replacing fundamental system binaries and loading a kernel-level rootkit, it blinds your host-based intrusion detection systems (HIDS) and standard administrative tools. The adversary commands your infrastructure while your team sees a flawless dashboard.
Compliance Collapse
Upon initial execution, the malware purges both archived and active Linux logs, including system messages, security audit records, and authentication logs. By aggressively vacuuming the systemd journal, it eliminates the possibility of retrospective forensic investigation, directly putting the enterprise in violation of cybersecurity regulatory baselines (such as ISO 27001, PCI DSS, or local data retention laws).
Enterprise Infrastructure Weaponization
The deployment of highly stealthy reverse proxies means attackers are converting your pristine corporate servers into internal network springboards. Your company's infrastructure is effectively turned into an anonymous traffic relay or a launchpad for broader international cyber campaigns, exposing your brand to severe legal liabilities and reputational ruin.
Key Technical Highlights
The captured samples demonstrate an exceptionally mature level of TTPs. Instead of dropping plaintext Bash or Perl scripts that static signatures flag easily, the threat actors used open-source script-to-binary compilers to turn the script logic into ELF executables whose core logic is decrypted only at run time.
Here is the step-by-step breakdown of the advanced malicious execution chain:
Phase 1: Pre-Compromise Anti-Forensics & Monopolization
When the initial malicious binary executes, its immediate priority is environmental purging.
Eliminating Competitors: It systematically scans for and forces the deletion of pre-existing mining configurations to ensure exclusive domain over the host's raw computing power.
Total Log Wipeout: It wipes the core log files and vacuums the systemd journal, as described under Compliance Collapse above.
This immediately breaks the continuity of SIEM/EDR log aggregation, crippling the incident response timeline.
Phase 2: OS Environment Tuning & Firewall Subversion
To maximize mining efficiency and maintain persistent C2 channels, the malware re-engineers Linux runtime variables.
Kernel & Resource Limits Manipulation: It raises system capacity ceilings by writing extreme file-descriptor limits directly into the system configuration:
echo "fs.file-max = 2097152" >> /etc/sysctl.conf
ulimit -SHn 1024000
This custom-tailors the OS environment to support thousands of concurrent proxy connections and mining threads without triggering native OS resource thresholds.
Firewall Binary Renaming: Anticipating that security teams might rename critical utilities like iptables to block malicious external connections, the malware reverses the trick:
mv /usr/sbin/tokens /usr/sbin/iptables
With the binary back under its real name, it flushes the active firewall DROP rules that block known-malicious C2 IP ranges, lets the C2 handshake establish, and immediately renames the binary back to tokens to preserve its stealth posture.
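An added host audit for the traces this phase and Phase 1 leave behind: the fs.file-max value written to /etc/sysctl.conf, iptables parked under /usr/sbin/tokens or /sbin/tokens, and core logs that exist but have been truncated to zero bytes. This is example code written for this write-up, not Sangfor's tooling. The fs.file-max value and the tokens paths are the ones quoted above; the CORE_LOGS list is an assumption covering the usual RHEL- and Debian-style locations, and the filesystem snapshot is constructed. The ulimit change is a per-session setting, so no persistent trace of it is checked here.

```python
import re
from pathlib import Path

# Value and paths quoted in the write-up for the tuning and iptables-renaming steps.
SUSPECT_SYSCTL = {"fs.file-max": "2097152"}
IPTABLES_ALIASES = [("/usr/sbin/iptables", "/usr/sbin/tokens"),
                    ("/sbin/iptables", "/sbin/tokens")]
# Assumption: core logs the write-up says are purged, at their usual paths on RHEL- and Debian-style hosts.
CORE_LOGS = ["/var/log/messages", "/var/log/secure", "/var/log/auth.log",
             "/var/log/audit/audit.log"]

SYSCTL_LINE = re.compile(r"^\s*([\w.-]+)\s*=\s*(\S+)")


def tampered_sysctl_lines(sysctl_text):
    """(line_no, line) for every sysctl.conf entry that sets a key to the value the miner writes."""
    hits = []
    for no, line in enumerate(sysctl_text.splitlines(), 1):
        m = SYSCTL_LINE.match(line)
        if m and SUSPECT_SYSCTL.get(m.group(1)) == m.group(2):
            hits.append((no, line.strip()))
    return hits


def renamed_iptables(exists):
    """Alias paths that exist while the real iptables binary is missing; exists(path) -> bool."""
    return [alias for real, alias in IPTABLES_ALIASES if exists(alias) and not exists(real)]


def emptied_logs(size_of):
    """Core logs that are present but zero bytes long (a log that never existed on this
    distribution is not flagged); size_of(path) -> int size, or None when the file is absent."""
    return [p for p in CORE_LOGS if size_of(p) == 0]


def audit_host(root="/"):
    """Run all three checks against a live root or a mounted disk image."""
    base = Path(root)

    def real(p):
        return base / p.lstrip("/")

    def exists(p):
        return real(p).exists()

    def size_of(p):
        return real(p).stat().st_size if real(p).exists() else None

    sysctl = real("/etc/sysctl.conf")
    text = sysctl.read_text(errors="replace") if sysctl.exists() else ""
    return {"sysctl": tampered_sysctl_lines(text),
            "iptables_renamed": renamed_iptables(exists),
            "emptied_logs": emptied_logs(size_of)}


# Constructed snapshot of a compromised host, so the example runs offline.
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 0\nfs.file-max = 2097152\nvm.swappiness = 10\n"
SAMPLE_FILES = {  # path -> size in bytes
    "/usr/sbin/tokens": 204800,        # iptables parked under its alias
    "/var/log/messages": 0,            # truncated
    "/var/log/secure": 4096,           # intact
    "/var/log/audit/audit.log": 0,     # truncated
}

if __name__ == "__main__":
    print("sysctl:", tampered_sysctl_lines(SAMPLE_SYSCTL))
    print("iptables renamed:", renamed_iptables(lambda p: p in SAMPLE_FILES))
    print("emptied logs:", emptied_logs(SAMPLE_FILES.get))
```

Run audit_host("/") as root on a suspect machine, or audit_host("/mnt/image") on a disk image mounted read-only; the pure functions take callables so the same checks can be fed from a recorded inventory instead of the live filesystem.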
Phase 3: Kernel-Level Hooking via Rogue Rootkit
The defining differentiator of this campaign is its aggressive kernel-level evasion. The malware carries inline C source for a Linux kernel module, which it compiles and inserts natively on the victim host.
- Deceptive Naming: The rootkit compiles into a module named cloud_monitor, perfectly mimicking a routine cloud vendor monitoring agent.
- Syscall Hijacking via CR0 Write-Protection Bypass: By clearing the write-protect bit in the CR0 register, the rootkit modifies the kernel's system call table and hooks the directory-enumeration syscalls getdents and getdents64.
- The "Invisible Process" Illusion: When a system administrator or an automated agent runs ps or inspects /proc, the rootkit intercepts the directory listing before it reaches user space. If a PID or filename matches the malware's cryptographic signature, the entry is omitted from the output. The miner runs with full privileges yet remains completely invisible to native system verification commands.
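Because the hook sits in getdents/getdents64, only directory listings are filtered: a direct path lookup such as stat("/proc/4242") does not go through those syscalls. The added Python below (example code for this write-up, not Sangfor's) exploits that gap defensively by comparing the PIDs that readdir() on /proc returns with the PIDs found by probing /proc/<pid> one by one, and does the same for kernel modules by comparing /proc/modules (what lsmod reads) with the loadable modules in /sys/module. The sample readings are constructed; the name cloud_monitor is the one given above.

```python
import os

PROC = "/proc"


def listed_pids(proc=PROC):
    """PIDs as returned by readdir() on /proc; this goes through getdents64, the syscall the rootkit hooks."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def probed_pids(max_pid, proc=PROC):
    """PIDs found by looking up /proc/<pid> directly; a path lookup never calls getdents."""
    return {pid for pid in range(1, max_pid + 1) if os.path.isdir(f"{proc}/{pid}")}


def hidden_pids(listed, probed):
    """Processes reachable by direct path but missing from the directory listing."""
    return sorted(probed - listed)


def loaded_modules_from_sys(sys_module="/sys/module"):
    """Loadable modules according to sysfs: only modules inserted at run time get an
    initstate attribute, built-in ones do not, so this mirrors what lsmod should show."""
    return {n for n in os.listdir(sys_module) if os.path.exists(f"{sys_module}/{n}/initstate")}


def hidden_modules(proc_modules_text, sys_module_names):
    """Modules visible in /sys/module but absent from /proc/modules."""
    in_proc = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(set(sys_module_names) - in_proc)


def scan_live_host():
    """Cross-check the running system. A PID that exits between the two reads is a
    transient false positive, so candidates are re-probed before being reported."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    candidates = hidden_pids(listed_pids(), probed_pids(max_pid))
    confirmed = [p for p in candidates
                 if os.path.isdir(f"{PROC}/{p}") and p not in listed_pids()]
    with open("/proc/modules") as f:
        mods = hidden_modules(f.read(), loaded_modules_from_sys())
    return {"hidden_pids": confirmed, "hidden_modules": mods}


# Constructed readings from a host running the cloud_monitor rootkit described above.
SAMPLE_LISTED = {1, 2, 812, 4301}            # what readdir() on /proc returned
SAMPLE_PROBED = {1, 2, 812, 4242, 4301}      # what stat(/proc/<pid>) found
SAMPLE_PROC_MODULES = ("ext4 786432 1 - Live 0x0000000000000000\n"
                       "xfs 1712128 0 - Live 0x0000000000000000\n")
SAMPLE_SYS_MODULES = ["ext4", "xfs", "cloud_monitor"]

if __name__ == "__main__":
    print("hidden pids:", hidden_pids(SAMPLE_LISTED, SAMPLE_PROBED))
    print("hidden modules:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULES))
```

scan_live_host() probes every PID up to kernel.pid_max, which on a 64-bit host with the default of 4194304 takes several seconds; any PID it confirms is a process the host's own ps cannot see and should be examined from a trusted environment (a rescue boot or a forensic image) rather than with tools on the suspect system.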
Recommended Actions
Check and clean your server with the following steps:
# 1. Terminate bot processes (the fake "httpd" and the perl reverse shell)
#    The [h] / [p] patterns keep the grep itself out of the match; xargs -r skips an empty list
ps aux | grep '[h]ttpd' | grep -v apache | grep -v nginx | awk '{print $2}' | xargs -r kill -9
ps aux | grep '[p]erl' | grep IO::Socket | awk '{print $2}' | xargs -r kill -9
# 2. Block C2 communication (if iptables has been renamed to tokens, do step 4 first)
iptables -A OUTPUT -d adam.established.site -j DROP
echo "0.0.0.0 adam.established.site" >> /etc/hosts
# 3. Unload the rootkit module, then confirm it is gone (the grep should print nothing)
rmmod cloud_monitor
lsmod | grep cloud_monitor
# 4. Restore the renamed iptables binary
mv /usr/sbin/tokens /usr/sbin/iptables
mv /sbin/tokens /sbin/iptables
# 5. Remove malicious files
rm -rf /etc/ad12e85f/
rm -f /usr/share/terminfo/w/wy66-qa
# 6. Restore system configuration
# Check /etc/sysctl.conf (fs.file-max) and the ulimit settings
# 7. Locate and stop the SS5 proxy processes
netstat -tlnp | grep <unknown_listen_port>
ss -tlnp
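The two grep pipelines in step 1 pick processes by name only. The added Python below (example code for this write-up, not Sangfor's) applies the same criteria to parsed `ps aux` rows and adds two checks the pipelines cannot make: whether /proc/<pid>/exe resolves into one of the drop locations listed in step 5, and whether the process runs from a file that has since been deleted. The ps excerpt and the exe map are constructed; the helper names are this example's own.

```python
import os

# Drop locations and exclusions taken from the remediation steps above.
MALICIOUS_PATHS = ("/etc/ad12e85f/", "/usr/share/terminfo/w/wy66-qa")
LEGIT_HTTPD_HINTS = ("apache", "nginx")


def parse_ps_aux(text):
    """Rows from `ps aux` output: user, pid, cpu, the command field and the raw line."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11 or not parts[1].isdigit():   # skips the header row
            continue
        rows.append({"user": parts[0], "pid": int(parts[1]), "cpu": float(parts[2]),
                     "cmd": parts[10], "line": line})
    return rows


def live_exe(pid):
    """Target of /proc/<pid>/exe, or None when the process is gone or unreadable (root needed for other users)."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def triage(rows, exe_of):
    """[(pid, [reasons])] for rows matching the write-up's indicators; exe_of(pid) -> exe path or None."""
    hits = []
    for r in rows:
        exe = exe_of(r["pid"]) or ""
        reasons = []
        # Step 1: an "httpd" not belonging to apache or nginx. Checking the whole ps line
        # keeps RHEL's real httpd, which runs as user "apache", out of the list.
        if "httpd" in r["cmd"] and not any(h in r["line"] or h in exe for h in LEGIT_HTTPD_HINTS):
            reasons.append("httpd name without apache/nginx")
        if r["cmd"].startswith("perl") and "IO::Socket" in r["cmd"]:
            reasons.append("perl with inline IO::Socket")
        if any(exe.startswith(p) for p in MALICIOUS_PATHS):
            reasons.append("executable under known drop path")
        if exe.endswith(" (deleted)"):
            reasons.append("running from a deleted file")
        if reasons:
            hits.append((r["pid"], reasons))
    return hits


# Constructed `ps aux` excerpt and exe map for a compromised host.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000 11000 ?        Ss   10:00   0:01 /usr/lib/systemd/systemd
apache     812  0.3  1.2 250000 30000 ?        S    10:00   0:02 /usr/sbin/httpd -DFOREGROUND
root      4242 97.5  0.4  90000 20000 ?        Ssl  10:05  55:10 httpd
root      4301  0.0  0.2  30000  6000 ?        S    10:06   0:00 perl -MIO::Socket -e 1
root      4390  0.0  0.1  20000  4000 ?        S    10:06   0:00 /bin/bash
"""
SAMPLE_EXE = {1: "/usr/lib/systemd/systemd", 812: "/usr/sbin/httpd",
              4242: "/etc/ad12e85f/httpd", 4301: "/usr/bin/perl", 4390: "/usr/bin/bash"}

if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["ps", "aux"], capture_output=True, text=True).stdout
    for pid, why in triage(parse_ps_aux(out), live_exe):
        print(pid, "; ".join(why))
```

Review the hits before killing anything: the exe-path and deleted-file reasons are strong, while the name-based ones inherit the same ambiguity as the grep pipelines. Remember that a process hidden by the rootkit will not appear in ps output at all, so this triage belongs after the module has been unloaded in step 3.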

IOCs
We provide IOCs for blocking, but threat actors change them daily. Real security goes beyond blocking known indicators; it relies on advanced threat detection to catch malicious behaviors and prevent future attacks.
URLs
adam.established.site:80
andromeda.covers.de/221/mocks.conf
server.perpetual.pw/syn.c
server.perpetual.pw/50x.c
http://switch.dl.sourceforge.net/sourceforge/mocks/mocks-0.0.2.tar.gz
MD5s
05808c4722b06831246b821d1cbb800c
0320b2342100803a8546a2de877c6b3d
cbcd7afaaf22cb64d4f7f9a3c94c7c18
