Home
Threat Intelligence Posts
Vulnerability Intelligence

Xanthe Cryptomining Botnet Threat Intel Advisory

CloudSEK threat intelligence advisory on Xanthe cryptomining botnet that targets Linux systems, compromises misconfigured Docker server APIs.
Updated on
April 19, 2023
Published on
December 11, 2020
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.
Advisory
 Malware Intelligence
Target 
 Docker/Linux
Type
 Xanthe Cryptominer
Xanthe is a cryptomining botnet capable of compromising Docker servers whose API is exposed to the Internet. Xanthe targets Linux systems and is multi-modular. Their functionalities are defined in separate modules, in which the actual payload is a variant of XMRig crypto miner. The malware can infect multiple hosts by stealing client-side certificates to initiate spreading via Secure Shell (SSH) without the need for credentials. It kills security services and other botnet competitors.

Modules

Modules are in bash scripts which can be executed by the Linux shell. The main module is Xanthe.sh that loads four other modules to do the bidding of the attacker:
  • libprocesshider: Shared object used to hide auxiliary modules and files used by the malware
  • xesa.txt: Security service killer module to kill processes related to anti-malware detection and response
  • java_c Xmrig: Mining payload used by the malware
  • fczyo: Docker competition killer, eliminates bots already present on the server
Listed below are the agent strings used in curl by the malware:
Agent String
Functionality
xanthe-start/<version> Download of killer modules
xanthecheck-$PROC.$MEM Initialization Process
filegetgo/1.5 Download of miner modules
xanthe-running/1.2 Post infection logging
hostcheck/1.5 SSH spreading command line
qi/1.1 Docker spreading command line
fczyo-cron/1.5 Cron scheduled job command line
goteeeem/1.4 Post Docker infection download main module
shell-success/1.4 Post Docker download logging
xesacheck-running/1.4 Post infection check logging
wemusthavegotkilled/1.4 Report miner not running
 

Impact

Technical Impact
  • An exposed Docker API can allow attackers to install custom images on the target infrastructure to bypass security mechanisms and deploy mining malwares.
  • Docker related attacks pose a threat [Docker escaping] to the underlying host system challenging its confidentiality, integrity and availability.
  • Cryptomining is a resource exhaustive task, hence malware consumes most of the computational power of the compromised system for mining-related activities.
  • The entire network is at risk of getting compromised via Docker takeover.
Business Impact
  • Mission critical services, running on the Docker infrastructure are at risk of DoS attacks from the threat actor.
  • Unauthorized resource consumption degrades the quality of service. 
  • It challenges the network and host security.

Mitigations

  • Periodic auditing of docker configuration 
  • Perform Dynamic Threat Analysis to detect anomalies
  • Strict network monitoring (IDPS)
  • Effective XDR/ EDR solutions on hosts

Indicators of Compromise

IP
34[.]92[.]166[.]158 165[.]22[.]48[.]169 138[.]68[.]14[.]52 139[.]162[.]124[.]27 64[.]225[.]46[.]44
Domain
xanthe[.]anondns[.]net monero[.]gktimer[.]com pool[.]supportxmr[.]com
Wallet Addresses
47E4c2oGb92V2pzMZAivmNT2MJXVBj4TCJHad4QFs2KRjFhQ44Q81DPAjPCVc1KwoKQEp1YHdRMjGLUe6YdHPx5WEvAha1u+35000
URLs
hxxp://165[.]22[.]48[.]169:8080/adnckil2 hxxp://138[.]68[.]14[.]52:8080/files/adnckil hxxp://138[.]68[.]14[.]52:8080/files/iqmjlf.jpg hxxp://iplogger[.]org/10xNq3 hxxps://iplogger[.]org/1Rfhy7 hxxps://iplogger[.]org/1iGce7 hxxps://iplogger[.]org/1mmup7 hxxp://34[.]92[.]166[.]158:8080/files/pop.sh hxxp://34[.]92[.]166[.]158:8080/files/xesa.txt hxxp://34[.]92[.]166[.]158:8080/files/fczyo hxxp://34[.]92[.]166[.]158:8080/files/java_c hxxp://34[.]92[.]166[.]158:8080/files/config.json hxxp://34[.]92[.]166[.]158:8080/files/libprocesshider.so
Hashes
43fba1c1d95a300a96a20890a1c768a5218b04516893744cff82097a52a51f7c 6cb730a34e0b3de1e927b1c137e1d1819a1550091c0d35de30f68dfacd554783 b16079a80bdd85cbb72a0fa5c956d43922a7518697eeb8a1638164418820390c 8f7c7f3248ba510ca06cbe62728f06703acedc8e54b3609a069c1090ab957224 6a5a0bcb60944597d61d5311a4590f1850c2ba7fc44bbcde4a81b2dd1effe57c 10e1d73e8a894e5bf07e6779ac8085da09aa445e61072349310158b0276bb28d - config.json 071633c8ea4bac5d6acfe1cdc22b3a3f258d99ee8073dd2611eee9876ae40d64 - xanthe.sh d4637a2efda1f8a96e7f3e31f2c618ce680d3816ba38f075fbefefec77a10f16 - pop.sh 73bfcf268a8481d55db0da34eaf3094f010ed5c0eb5acaf632d2f97ed7bab036 - fczyo 0e6d37099dd89c7eed44063420bd05a2d7b0865a0f690e12457fbec68f9b67a8 - libprocesshider.so e1a3ff46a99f4fd93d99b0e61fe4ddef8f894c2a69490d71cb34ab10e4afc0d2 - xesa.txt 30a77ab582f0558829a78960929f657a7c3c03c2cf89cd5a0f6934b79a74b7a4 - java_c
CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.
Recent Posts

Recent Articles

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action
November 15, 2023
CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks
November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations
Get started
Learn more