Report: Malware attacks on Linux servers to run cryptocurrency miners. A real case analysis.


In February 2018, we started investigating a security breach in one of our partner organisations. The analysis led us to discover a long pattern of attacks against several web servers in the same organisation. The final goal of the attacks: exploiting the computational power of the servers to mine cryptocurrency.

In this report we will walk you through our analysis from beginning to end: how the analysis started, the type of logs we analysed, how we found the way the servers were exploited, and finally our hunt for similar attacks on other servers of this organisation and for attacks by the same actors reported by the community.

The general outline of the report is as follows:

  • Executive Summary
  • Discovery and Vulnerability
  • Forensic Analysis
  • Infrastructure of the Attack
  • Timeline of the Attack on Nora
  • Indicators of Compromise
  • Response from the Community and Countermeasures
  • Related Attacks and Educational Environments
  • Conclusions 
  • References
  • Appendix A: Information on malware sample
  • Appendix B: YARA rules for miner detections

About CivilSphere

CivilSphere is a project born in the Czech Technical University (CTU) in Prague. The project is a spin-off of the Stratosphere IPS laboratory, and it is dedicated to providing simple solutions for journalists, activists, and NGOs for detecting attacks on their devices using our network behavioural Intrusion Detection and Prevention System. We believe we can make a difference by putting our knowledge at the service of those who need it the most and cannot afford complex and expensive solutions.