| XMRig | |
|---|---|
| Type of Malware | Cryptominer |
| Country of Origin | Global |
| Date of initial activity | January 2024 |
| Targeted Countries | China, Hong Kong, Netherlands, Japan, USA, Germany, South Africa, Sweden |
| Associated Groups | Log4j Campaign, Lazarus, APT28, APT35, DEV-0401 |
| Motivation | Financial gain |
| Attack Vectors | Exploiting Log4j vulnerability (CVE-2021-44228), Base64 encoded commands |
| Targeted Systems | Linux, Windows |
| Tools | Ghostengine |
Overview
XMRig is a widely recognized cryptominer malware primarily designed to mine Monero (XMR), a popular cryptocurrency known for its emphasis on privacy and anonymity. Since its emergence, XMRig has gained notoriety for its efficiency in covertly utilizing the computational resources of infected machines to mine cryptocurrency, often without the consent of the users. The malware’s operational mechanisms make it a significant threat to both individual users and organizations, as it can severely impact system performance and lead to increased operational costs.
XMRig malware is typically distributed through various infection vectors, including malicious email attachments, compromised software downloads, and exploit kits. Once installed on a victim’s system, XMRig uses the system’s processing power to perform the cryptographic calculations required for mining Monero. The malware is designed to run discreetly in the background, consuming CPU resources for mining while keeping visible signs of its presence to a minimum, and it frequently evades traditional antivirus solutions, which makes it a persistent threat.
Targets
Vulnerable servers using Log4j.
How they operate
Initially, XMRig may be distributed through various channels, such as malicious email attachments, compromised software downloads, or exploit kits. Once the malware reaches a target system, it executes by exploiting vulnerabilities or relying on user actions, such as opening a malicious file or visiting a compromised website. XMRig is typically delivered in a form that is disguised to avoid detection, such as being embedded within seemingly legitimate software or using techniques to hide its true nature.
Upon execution, XMRig establishes a foothold on the infected machine through various persistence mechanisms. It modifies system startup routines, such as creating registry keys or placing files in startup folders, to ensure it runs automatically when the system boots up. In some cases, it may also leverage techniques like task scheduling or system service manipulation to maintain its presence across reboots.
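The persistence locations named above (cron entries, startup folders, registry Run keys, service definitions) are where a defender looks first, and because the profile lists Base64-encoded commands as a delivery vector, any such check has to decode those before scoring what it finds. The Python below is an added example written for this page, not code from XMRig, from the page, or from any detection product. The pool host, wallet string, file paths and artifact lines are constructed placeholders; the command-line options it looks for (--donate-level, --coin, --cpu-priority, --nicehash, --algo) are real XMRig options.

```python
"""Score persistence artifacts (cron lines, systemd ExecStart values, Windows
Run-key values) for XMRig-style miner indicators, decoding embedded base64
commands first so an encoded launcher is scored on what it actually runs."""
import base64
import re

# Indicators weighted by how specific they are to XMRig. The long options are
# real XMRig CLI flags; generic short flags such as -o or -u are deliberately
# not scored because they collide with ordinary tools.
INDICATORS = [
    (re.compile(r"xmrig", re.I), 3, "xmrig-name"),
    (re.compile(r"stratum\+(tcp|ssl|tls)://", re.I), 3, "stratum-url"),
    (re.compile(r"--donate-level\b"), 2, "flag:--donate-level"),
    (re.compile(r"--(cpu-priority|nicehash|coin|randomx-[a-z-]+)\b"), 2, "xmrig-flag"),
    (re.compile(r"--algo[= ]\s*(rx/0|rx/wow|cn/r)\b"), 2, "randomx-algo"),
    # Shape of a 95-character Monero main address (base58, starts with 4 or 8).
    (re.compile(r"(?<![1-9A-HJ-NP-Za-km-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])"),
     2, "monero-address"),
]

# Two common encoded-launcher shapes: `echo <b64> | base64 -d` on Unix shells
# and `powershell -enc <b64>` (UTF-16LE payload) on Windows.
B64_SHELL = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(-d|--decode)")
B64_PS = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_embedded(text):
    """Return the decoded payloads of base64 commands embedded in `text`."""
    out = []
    for m in B64_SHELL.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
        except ValueError:          # binascii.Error is a ValueError
            pass
    for m in B64_PS.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1)).decode("utf-16-le", "replace"))
        except ValueError:
            pass
    return out


def score_artifact(text):
    """Score one artifact plus every layer decoded from it; returns (score, sorted labels)."""
    found = {}
    for layer in [text, *decode_embedded(text)]:
        for pattern, weight, label in INDICATORS:
            if pattern.search(layer):
                found[label] = weight       # each label counted once across layers
    return sum(found.values()), sorted(found)


def suspicious_artifacts(artifacts, threshold=3):
    """Return [(artifact, score, labels)] for artifacts at or above `threshold`."""
    flagged = []
    for artifact in artifacts:
        score, labels = score_artifact(artifact)
        if score >= threshold:
            flagged.append((artifact, score, labels))
    return flagged


# Constructed sample artifacts. Hosts use the .invalid TLD, the wallet is a
# placeholder with a valid shape only, and the paths are made up for the example.
_WALLET = "4" + "B" * 94
_SH_PAYLOAD = base64.b64encode(
    b"/opt/.cache/xmrig --url=stratum+ssl://pool.example.invalid:443 --tls --coin monero").decode()
_PS_PAYLOAD = base64.b64encode(
    'Start-Process C:\\ProgramData\\svc.exe -ArgumentList "--donate-level 0 --algo rx/0"'
    .encode("utf-16-le")).decode()

SAMPLE_ARTIFACTS = [
    f"*/5 * * * * /tmp/.x/kswapd0 -o stratum+tcp://pool.example.invalid:3333 -u {_WALLET} -B",
    "0 2 * * * /usr/bin/backup.sh --full",
    f'ExecStart=/bin/bash -c "echo {_SH_PAYLOAD} | base64 -d | bash"',
    f'"Updater"="powershell.exe -nop -w hidden -enc {_PS_PAYLOAD}"',
    r'"OneDrive"="C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"',
]

if __name__ == "__main__":
    for artifact, score, labels in suspicious_artifacts(SAMPLE_ARTIFACTS):
        print(score, labels, artifact[:70])
```

Feeding this real data means collecting `crontab -l` output per user, `ExecStart=` lines from unit files, and Run-key values from a registry export; the scoring is intentionally conservative, so a renamed binary with no pool URL in its arguments will only be caught if its decoded launcher still carries an XMRig-specific option.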
The malware’s core functionality is to mine cryptocurrency using the computational resources of the infected system. XMRig utilizes the CPU or GPU power of the victim’s machine to perform complex cryptographic calculations required for mining Monero. It operates by connecting to a command-and-control (C2) server to receive mining configurations and updates. This C2 communication is often encrypted to evade detection by security solutions.
To evade detection and maintain stealth, XMRig employs several defense evasion techniques. It may obfuscate its code, use rootkit functionalities to hide its processes and files, or disable security features to prevent interference. The malware also employs anti-analysis techniques to make reverse engineering and detection more difficult, such as packing or encrypting its payload and dynamically loading components.
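The "mining configuration" XMRig receives from its server is, on the wire, the Stratum mining protocol: newline-delimited JSON-RPC in which the miner sends a login (wallet, password, agent string and the algorithms it supports), the pool answers with a job (blob, target, job_id) and the miner then submits shares. The Python below is an added example, not code from XMRig or from the page, that classifies captured payload lines by those message shapes and groups the signals per connection. The flow identifiers, addresses and JSON lines are constructed samples, and the TLS record bytes stand in for the encrypted case the text mentions, where content inspection yields nothing.

```python
"""Flag Stratum mining sessions in captured plaintext payloads by the message
shapes XMRig and a pool exchange, keyed by connection."""
import json
from collections import defaultdict

# Default agent string XMRig sends; it is configurable, so treat it as one
# signal among several rather than the only one.
MINER_AGENT_PREFIXES = ("XMRig/",)


def classify_message(raw):
    """Return a set of signal labels for one payload line (empty if it is not a Stratum message)."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return set()            # not JSON: e.g. TLS-wrapped traffic (XMRig --tls), no visibility
    if not isinstance(msg, dict):
        return set()
    signals = set()
    method = msg.get("method")
    params = msg.get("params") if isinstance(msg.get("params"), dict) else {}
    if method == "login":
        signals.add("login")
        if str(params.get("agent", "")).startswith(MINER_AGENT_PREFIXES):
            signals.add("agent:xmrig")
        if "algo" in params:    # list of supported algorithms, e.g. rx/0 for Monero
            signals.add("algo-negotiation")
    elif method == "submit" and {"job_id", "nonce", "result"} <= set(params):
        signals.add("share-submit")
    elif method == "job":
        signals.add("job-push")
    # The pool's login reply carries the first job inline.
    result = msg.get("result")
    if isinstance(result, dict) and isinstance(result.get("job"), dict):
        if {"blob", "target", "job_id"} <= set(result["job"]):
            signals.add("job-in-login-result")
    return signals


def mining_sessions(records, min_signals=2):
    """records: iterable of (flow_id, direction, payload_line).
    Returns {flow_id: sorted signal labels} for flows with at least `min_signals` distinct signals."""
    by_flow = defaultdict(set)
    for flow, _direction, line in records:
        by_flow[flow] |= classify_message(line)
    return {flow: sorted(s) for flow, s in by_flow.items() if len(s) >= min_signals}


# Constructed sample capture: documentation address ranges, made-up ids/hashes.
_FLOW_MINER = "10.0.0.5:49210->203.0.113.10:3333"
SAMPLE_RECORDS = [
    (_FLOW_MINER, "out",
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4' + "B" * 94 +
     '","pass":"x","agent":"XMRig/6.21.0","algo":["rx/0","cn/r"]}}'),
    (_FLOW_MINER, "in",
     '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"deadbeef","job":{"blob":"0707a1b2c3d4",'
     '"job_id":"1","target":"b88d0600","algo":"rx/0","height":1},"status":"OK"}}'),
    (_FLOW_MINER, "out",
     '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"deadbeef","job_id":"1",'
     '"nonce":"a1b2c3d4","result":"0000aa11bb22cc33"}}'),
    # TLS ClientHello start: opaque to content inspection.
    ("10.0.0.7:50112->198.51.100.20:443", "out", "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
    # Ordinary JSON-RPC that is not Stratum.
    ("10.0.0.9:51000->198.51.100.30:8080", "out", '{"jsonrpc":"2.0","method":"ping","id":7}'),
]

if __name__ == "__main__":
    for flow, signals in mining_sessions(SAMPLE_RECORDS).items():
        print(flow, signals)
```

Requiring two distinct signals per flow avoids alerting on a single JSON line that merely has a `login` method; when the miner is run with TLS, as the second sample flow illustrates, nothing here fires, and detection has to fall back to endpoint indicators and traffic shape (a long-lived connection with small periodic messages) rather than content.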
MITRE Tactics and Techniques
Initial Access (T1071): XMRig often gains initial access through malicious software distribution methods, such as exploit kits or drive-by downloads.
Execution (T1203): The malware executes on the victim’s system by leveraging vulnerabilities in software or by being executed through user interaction, such as opening a malicious email attachment or downloading a trojanized application.
Persistence (T1547): To ensure that it continues running after reboots or system changes, XMRig may use persistence techniques like modifying startup folders or creating registry keys.
Privilege Escalation (T1068): In some cases, XMRig may attempt to elevate its privileges to gain access to more system resources and increase mining efficiency. This could involve exploiting vulnerabilities or misconfigurations.
Defense Evasion (T1070): The malware employs various techniques to avoid detection, including obfuscation of its code, disabling security features, or hiding its processes from system monitoring tools.
Command and Control (T1071): XMRig communicates with command and control servers to receive updates and configuration changes. This communication is typically encrypted to evade detection.
Exfiltration (T1041): Although not a primary function, XMRig may occasionally exfiltrate data related to its mining activity or operational status back to the C2 server.
Impact (T1496): The primary impact of XMRig is financial, as it leverages the infected systems’ resources for cryptocurrency mining, potentially causing performance degradation and increased electricity consumption.
Impact / Significant Attacks
The impact of XMRig on infected systems is primarily financial, as it exploits system resources to mine cryptocurrency without the victim’s consent. This can lead to significant performance degradation, increased power consumption, and potential hardware damage due to the continuous high-load operations. In addition to its mining activities, XMRig may occasionally exfiltrate data related to its operational status back to its C2 server, but its primary goal remains the unauthorized use of system resources for profit.