Cryptomining Botnet z0Miner

A crypto mining botnet spotted in the previous year is currently targeting and attempting to take control of Jenkins and ElasticSearch servers to mine for Monero (XMR) cryptocurrency.

z0Miner is a malicious mining family that spotted active by Tencent Security Team. When z0Miner was initially active, it used Weblogic’s unauthorized command execution vulnerability to spread.

In recent times, the Anglerfish honeypot system of 360 Network Security Research Institute has detected that z0Miner has used ElasticSearch and Jenkins remote command execution vulnerabilities to spread widely. The recent active trends are as follows:

Vulnerability Exploitation

According to a report published by researchers at 360Netlab, z0Miner is now probing for servers unpatched against vulnerabilities addressed in 2015 and earlier.

z0Miner became active last year and was spotted by the Tencent Security Team while exploiting two Weblogic pre-auth RCE bugs tracked as CVE-2020-14882 and CVE-2020- 14883 to spread to other devices.

According to Tencent Security Team estimations, the threat actor controlling z0Miner compromised and quickly took over 5,000 servers.

The attackers scan cloud servers in batches to discover unpatched Weblogic servers and compromised them by sending out “carefully constructed data packets” to make use of the susceptible gadgets.

After jeopardizing a server, the malware will initially download a destructive shell script, begins searching for and eliminating formerly released cryptominers.

Subsequently, it establishes a brand-new corn entry to occasionally get and carry out harmful scripts from Pastebin. The next phase of the infection circulation includes downloading a mining package including an XMRig miner script, a config file, a starter script, and beginning to mine cryptocurrency in the background.

After compromise, z0Miner used a similar attack logic as the one observed by 360 Netlab researchers, gaining persistence via crontab and starting to mine for Monero. The z0Miner sample found by Tencent Security Team in November 2020 was also spreading laterally on the network of already compromised devices via SSH.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read

Lemon Duck Cryptocurrency Mining Malware Attacking Government, Retail, and Technology Sectors

Silence Hacking Group Threatens Australian Banks of DoS Attacks if Ransom Not Paid

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.