Xanthe Cryptomining Botnet Threat Intel Advisory

Published 11 December 2020


  • Cryptomining botnet that targets Linux systems with misconfigured Docker APIs.
  • Multi-modular botnet steals client-side certificates to spread via SSH, infects multiple hosts.


Advisory
Malware Intelligence
Target: Docker/Linux
Type: Xanthe Cryptominer

Xanthe is a cryptomining botnet that compromises Docker servers whose API is exposed to the Internet. It targets Linux systems and is multi-modular: its functionality is split across separate modules, and the actual payload is a variant of the XMRig cryptocurrency miner.

The malware spreads to further hosts by stealing client-side certificates and using them to connect over Secure Shell (SSH), so no passwords are needed. It also kills security services and competing botnets on the infected host.

Modules

The modules are bash scripts executed by the Linux shell. The main module, xanthe.sh, loads four other modules that carry out the attacker's tasks:

  • libprocesshider: Shared object used to hide auxiliary modules and files used by the malware
  • xesa.txt: Security service killer module to kill processes related to anti-malware detection and response
  • java_c (XMRig): Mining payload used by the malware
  • fczyo: Docker competition killer, eliminates bots already present on the server

Listed below are the User-Agent strings the malware sets on its curl requests, together with the stage of the infection each one corresponds to:

Agent String               Functionality
xanthe-start/<version>     Download of killer modules
xanthecheck-$PROC.$MEM     Initialization Process
filegetgo/1.5              Download of miner modules
xanthe-running/1.2         Post infection logging
hostcheck/1.5              SSH spreading command line
qi/1.1                     Docker spreading command line
fczyo-cron/1.5             Cron scheduled job command line
goteeeem/1.4               Post Docker infection download main module
shell-success/1.4          Post Docker download logging
xesacheck-running/1.4      Post infection check logging
wemusthavegotkilled/1.4    Report miner not running
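Because every stage announces itself through one of these User-Agent strings, a web proxy or HTTP server log can be swept for them. The following detector is an added example, not code from the advisory: it maps the table above to regexes (the <version> and $PROC.$MEM placeholders become wildcards) and flags matching lines in constructed combined-format log entries.

```python
import re

# User-Agent strings from the table above; <version> and $PROC.$MEM placeholders
# are written as regex fragments. Each maps to the stage the advisory assigns it.
XANTHE_AGENTS = [
    (r"xanthe-start/[\d.]+", "Download of killer modules"),
    (r"xanthecheck-\S+\.\S+", "Initialization Process"),
    (r"filegetgo/1\.5", "Download of miner modules"),
    (r"xanthe-running/1\.2", "Post infection logging"),
    (r"hostcheck/1\.5", "SSH spreading command line"),
    (r"qi/1\.1", "Docker spreading command line"),
    (r"fczyo-cron/1\.5", "Cron scheduled job command line"),
    (r"goteeeem/1\.4", "Post Docker infection download main module"),
    (r"shell-success/1\.4", "Post Docker download logging"),
    (r"xesacheck-running/1\.4", "Post infection check logging"),
    (r"wemusthavegotkilled/1\.4", "Report miner not running"),
]
_COMPILED = [(re.compile(rf"^{p}$"), label) for p, label in XANTHE_AGENTS]

# Apache/nginx "combined" log format: the User-Agent is the last quoted field.
_COMBINED = re.compile(r'^(?P<src>\S+) .*?"(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def classify_agent(ua):
    """Return the Xanthe stage label for a User-Agent, or None if unrelated."""
    for pattern, label in _COMPILED:
        if pattern.match(ua):
            return label
    return None


def scan_log(lines):
    """Flag combined-format log lines whose User-Agent matches a Xanthe stage."""
    hits = []
    for line in lines:
        m = _COMBINED.match(line)
        if not m:
            continue
        label = classify_agent(m.group("ua"))
        if label:
            hits.append({"src": m.group("src"), "request": m.group("req"),
                         "ua": m.group("ua"), "stage": label})
    return hits


# Constructed sample lines (not from a real incident); IPs and paths are placeholders.
SAMPLE_LOG = [
    '10.0.0.7 - - [11/Dec/2020:09:14:02 +0000] "GET /files/xesa.txt HTTP/1.1" 200 5120 "-" "xanthe-start/1.4"',
    '10.0.0.9 - - [11/Dec/2020:09:14:05 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [11/Dec/2020:09:15:40 +0000] "GET /check HTTP/1.1" 200 12 "-" "xanthecheck-2.8192"',
]
```

Running scan_log(SAMPLE_LOG) returns two hits for 10.0.0.7 and ignores the ordinary browser request; the same classify_agent call can be dropped into a proxy or EDR rule that sees the raw User-Agent header.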


Impact

Technical Impact
  • An exposed Docker API allows attackers to run custom images on the target infrastructure, bypassing security mechanisms and deploying mining malware.
  • Docker-related attacks threaten the underlying host (container escape), challenging its confidentiality, integrity and availability.
  • Cryptomining is resource-intensive, so the malware consumes most of the compromised system's computational power for mining-related activity.
  • The entire network is at risk of compromise once Docker has been taken over.
Business Impact
  • Mission-critical services running on the Docker infrastructure are at risk of denial of service from the threat actor.
  • Unauthorized resource consumption degrades the quality of service.
  • Network and host security are both put at risk.

Mitigations

  • Periodically audit the Docker configuration, in particular which interfaces the daemon API listens on
  • Perform dynamic threat analysis to detect anomalies
  • Strict network monitoring (IDPS)
  • Effective XDR/EDR solutions on hosts
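The root cause the advisory describes is a Docker daemon API reachable over plain TCP. The audit helper below is an added example, not part of the advisory: it merges the listeners declared in daemon.json "hosts" with any -H/--host arguments on the dockerd command line and reports network-reachable tcp:// endpoints, treating only tlsverify as client authentication. The inputs are constructed placeholders.

```python
import json
import shlex
from urllib.parse import urlparse

# Hypothetical audit helper (added example, not from the advisory). It reads the
# listeners the Docker daemon is configured with, from daemon.json "hosts" and
# from -H/--host on the dockerd command line, and flags the plain-TCP API
# exposure that Xanthe abuses. Only "tlsverify" counts as client authentication.

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def docker_listeners(daemon_json, cmdline):
    """Return (hosts, tlsverify) merged from daemon.json text and a dockerd argv string."""
    cfg = json.loads(daemon_json) if daemon_json else {}
    hosts = list(cfg.get("hosts", []))
    tls = bool(cfg.get("tlsverify", False))
    argv = shlex.split(cmdline) if cmdline else []
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls = True
    return hosts, tls


def audit_docker_api(daemon_json, cmdline):
    """Return findings for API listeners reachable over the network; empty list means none."""
    hosts, tls = docker_listeners(daemon_json, cmdline)
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        addr = urlparse(h).hostname or "0.0.0.0"  # empty host means all interfaces
        if addr in LOOPBACK:
            continue
        if tls:
            findings.append(f"{h}: network listener with tlsverify; confirm firewall and certs")
        else:
            findings.append(f"{h}: Docker API reachable over the network with no client auth")
    return findings


# Constructed inputs (placeholders, not a real host's configuration).
WEAK_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
FIXED_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]}'
WEAK_CMD = "dockerd -H fd:// -H tcp://0.0.0.0:2375"
```

On a live host, feed it the contents of /etc/docker/daemon.json and the dockerd line from the process list; a non-empty result is the misconfiguration this advisory warns about.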

Indicators of Compromise

