AT&T's Cybersecurity Branch Breaks Down Crypto Miner Threat to Email Servers

AT&T's Alien Labs is dipping its toes into cryptomining malware analysis with a new technological breakdown of how a monero miner infiltrates networks.

Released Thursday, the report by security researcher Fernando Domínguez provides a step-by-step walkthrough of how one rather low-profile cryptojacker infects and spreads across vulnerable Exim, Confluence and WebLogic servers, installing malicious code that mines monero through a proxy.

Exim servers represent more than half of all email servers, according to ZDNet.

The worm first injects target servers with a BASH script that checks for, and kills, competing mining processes before attempting to infiltrate other known machines in the network.

Crypto-miners often kill off competing miners when they infect a system, and for one very simple reason: The more CPU a different process hogs, the less is left over for others, according to the report.

Breached servers then download the script's payload: an "Omelette" based on the open-source monero miner called XMRig.

It has been retrofitted into MacBook miners, spread across 500,000 computers and, in 2017, became so popular that malicious mining reports spiked over 400 percent.

This modified miner does its business via proxy, according to AT&T Alien Labs.

It had previously been studied by cloud security analysis firm Lacework in July.Researchers don't quite know how widespread this unnamed monero miner is.

Alien Labs' report admits that "It is hard to estimate how much income this campaign has reported to the threat actor," but notes the campaign is "Not very big."