The operator of a new cryptomining campaign takes aggressive actions against its competition and halts other cryptojacking activity on the machines it claims.
Cybercriminals are quick to take advantage of any proof-of-concept (PoC) exploit code that falls into their hands. For the recently disclosed Apache Struts vulnerability (CVE-2018-11776) there are multiple PoCs available, so news of the bug exploited in the wild came as no surprise.
Cryptomining is all the rage these days, and the Struts exploits have been adopted quickly by multiple actors.
With growing competition for the victim's CPU cycles, one attacker decided to force rival operations out of the machine.
A report from F5 Labs describes a new cryptomining campaign that targets Linux systems and identifies the processes of other cryptominers on the machine with the purpose of terminating them.
The researchers named this campaign CroniX, a moniker that derives from the malware's use of Cron to achieve persistence and Xhide to launch executables with fake process names.
The cryptocurrency minted on victims' computers is Monero (XMR), the coin of choice in cryptojacking activities.
To make sure that rival activity does not revive, CroniX deletes the binaries of other cryptominers present on the system.
Another action CroniX takes to establish supremacy on the machine is to check the names of the running processes and kill those that consume 60% or more of the CPU.
"This is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system," F5 speculates.
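The same two signals the miner uses to pick its rivals, a daemon-like process name paired with very high CPU use, also serve a defender well. The following is an added example, not code from the F5 report: it parses a constructed process listing and flags processes that carry a daemon name (crond, sshd, syslogd) but run hot or from a path where that daemon does not normally live. The expected daemon paths and the `pid %cpu comm exe` listing format are assumptions for the example.

```python
"""Flag processes that imitate common daemon names but behave like miners."""
from dataclasses import dataclass

# Paths the genuine daemons normally run from (assumed typical paths;
# adjust for the distribution in use).
DAEMON_PATHS = {
    "crond": {"/usr/sbin/crond", "/usr/sbin/cron"},
    "sshd": {"/usr/sbin/sshd"},
    "syslogd": {"/usr/sbin/syslogd", "/usr/sbin/rsyslogd", "/sbin/syslogd"},
}
CPU_THRESHOLD = 60.0  # the threshold the article reports CroniX using


@dataclass
class Proc:
    pid: int
    comm: str
    cpu: float
    exe: str


def parse_ps(text):
    """Parse 'pid %cpu comm exe' lines (e.g. ps -eo pid,%cpu,comm joined
    with readlink /proc/PID/exe); the first line is a header."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        pid, cpu, comm, exe = line.split(None, 3)
        procs.append(Proc(int(pid), comm, float(cpu), exe))
    return procs


def suspicious(procs):
    """Return (pid, comm, reason) for daemon-named processes whose CPU
    load or binary path does not fit the daemon they claim to be."""
    hits = []
    for p in procs:
        expected = DAEMON_PATHS.get(p.comm)
        if expected is None:
            continue  # not a name worth impersonating; out of scope here
        reasons = []
        if p.cpu >= CPU_THRESHOLD:
            reasons.append(f"{p.cpu:.0f}% CPU")
        if p.exe not in expected:
            reasons.append(f"runs from {p.exe}")
        if reasons:
            hits.append((p.pid, p.comm, "; ".join(reasons)))
    return hits


# Constructed sample listing: genuine sshd and crond, a miner posing as
# crond, and a miner posing as sshd whose binary has been unlinked.
SAMPLE = """\
PID %CPU COMMAND EXE
612 0.0 sshd /usr/sbin/sshd
701 0.1 crond /usr/sbin/crond
4213 97.3 crond /tmp/.x/crond
4300 81.0 sshd /var/tmp/sshd (deleted)
4350 55.0 python3 /usr/bin/python3.8
"""

if __name__ == "__main__":
    for pid, comm, why in suspicious(parse_ps(SAMPLE)):
        print(f"pid {pid} ({comm}): {why}")
```

A "(deleted)" suffix on the exe link, as in the sample, means the binary was removed after launch, which matches the article's note that CroniX deletes rival miner binaries while their processes may still be running.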
"The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file," the report explains.
Although F5 Labs observed this campaign targeting Linux systems with Apache Struts, the researchers discovered evidence that an operation aimed at Windows machines is currently underway.
CroniX is just the latest cryptomining campaign leveraging the CVE-2018-11776 vulnerability. The first one taking advantage of the public PoCs was reported last week.