PUA.Linux.XMRig.G

January 07, 2025
 Analysis by: Neljorn Nathaniel Aguas
 ALIASES:

a variant of Linux/CoinMiner.AV potentially unwanted application (NOD32)

 PLATFORM:

Linux

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Potentially Unwanted Application

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It requires being executed with a specific argument/parameter, an additional component, or in a specific environment in order to proceed with its intended routine.

  TECHNICAL DETAILS

File Size:

8,297,712 bytes

File Type:

ELF

Initial Samples Received Date:

06 Dec 2024

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Potentially Unwanted Application does the following:

  • It requires one of the following files to proceed with its intended routine:
    • {Grayware Path}/config.json
    • /home/{Username}/.xmrig.json
    • /home/{Username}/.config/xmrig.json
  • It uses the following version of XMRig:
    • XMRig 6.22.2

It accepts the following parameters:

  • Network:
    • -o, --url=URL → URL of mining server
    • -a, --algo=ALGO → mining algorithm
    • -u, --user=USERNAME → username for mining server
    • -p, --pass=PASSWORD → password for mining server
    • -O, --userpass=U:P → username:password pair for mining server
    • -x, --proxy=HOST:PORT → connect through a SOCKS5 proxy
    • -k, --keepalive → send keepalived packet for prevent timeout (needs pool support)
    • -r, --retries=N → number of times to retry before switch to backup server (default: 5)
    • -R, --retry-pause=N → time to pause between retries (default: 5)
    • --coin=COIN → specify coin instead of algorithm
    • --nicehash → enable nicehash.com support
    • --rig-id=ID → rig identifier for pool-side statistics (needs pool support)
    • --tls → enable SSL/TLS support (needs pool support)
    • --tls-fingerprint=HEX → pool TLS certificate fingerprint for strict certificate pinning
    • --dns-ipv6 → prefer IPv6 records from DNS responses
    • --dns-ttl=N → N seconds (default: 30) TTL for internal DNS cache
    • --daemon → use daemon RPC instead of pool for solo mining
    • --daemon-zmq-port=N → daemon's zmq-pub port number (only use it if daemon has it enabled)
    • --daemon-poll-interval=N → daemon poll interval in milliseconds (default: 1000)
    • --daemon-job-timeout=N → daemon job timeout in milliseconds (default: 15000)
    • --self-select=URL → self-select block templates from URL
    • --submit-to-origin → also submit solution back to self-select URL
    • --user-agent → set custom user-agent string for pool
    • --donate-level=N → donate level, default 1%% (1 minute in 100 minutes)
    • --donate-over-proxy=N → control donate over xmrig-proxy feature

  • CPU Backend:
    • --no-cpu → disable CPU mining backend
    • --cpu-affinity=N → set process affinity to CPU core(s), mask 0x3 for cores 0 and 1
    • --cpu-priority=N → set process priority (0 idle, 2 normal to 5 highest)
    • --cpu-max-threads-hint=N → maximum CPU threads count (in percentage) hint for autoconfig
    • --cpu-memory-pool=N → number of 2 MB pages for persistent memory pool, -1 (auto), 0 (disable)
    • --cpu-no-yield → prefer maximum hashrate rather than system response/stability
    • --no-huge-pages → disable huge pages support
    • --huge-pages-jit → enable huge pages support for RandomX JIT code
    • --asm=ASM → ASM optimizations, possible values: auto, none,intel, ryzen, bulldozer
    • --argon2-impl=IMPL → argon2 implementation: x86_64, SSE2, SSSE3, XOP, AVX2, AVX-512F
    • --randomx-init=N → threads count to initialize RandomX dataset
    • --randomx-no-numa → disable NUMA support for RandomX
    • --randomx-mode=MODE → RandomX mode: auto, fast, light
    • --randomx-1gb-pages → use 1GB hugepages for RandomX dataset (Linux only)
    • --randomx-wrmsr=N → write custom value(s) to MSR registers or disable MSR mod (-1)
    • --randomx-no-rdmsr → disable reverting initial MSR values on exit
    • --randomx-cache-qos → enable Cache QoS
    • -t, --threads=N → number of CPU threads, proper CPU affinity required for some optimizations.
    • -v, --av=N → algorithm variation, 0 auto select

  • API:
    • --api-worker-id=ID → custom worker-id for API
    • --api-id=ID → custom instance ID for API
    • --http-host=HOST → bind host for HTTP API (default: 127.0.0.1)
    • --http-port=N → bind port for HTTP API
    • --http-access-token=T → access token for HTTP API
    • --http-no-restricted → enable full remote access to HTTP API (only if access token set)

  • TLS:
    • --tls-gen=HOSTNAME → generate TLS certificate for specific hostname
    • --tls-cert=FILE → load TLS certificate chain from a file in the PEM format
    • --tls-cert-key=FILE → load TLS certificate private key from a file in the PEM format
    • --tls-dhparam=FILE → load DH parameters for DHE ciphers from a file in the PEM format
    • --tls-protocols=N → enable specified TLS protocols, example: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
    • --tls-ciphers=S → set list of available ciphers (TLSv1.2 and below)
    • --tls-ciphersuites=S → set list of available TLSv1.3 ciphersuites

  • Logging:
    • -l, --log-file=FILE → log all output to a file
    • -S, --syslog → use system log for output messages
    • --print-time=N → print hashrate report every N seconds
    • --no-color → disable colored output
    • --verbose → verbose output

  • Misc:
    • -c, --config=FILE → load a JSON-format configuration file
    • -B, --background → run the miner in the background
    • -V, --version → output version information and exit
    • -h, --help → display this help and exit
    • --dry-run → test configuration and exit
    • --export-topology → export hwloc topology to a XML file and exit
    • --title → set custom console window title
    • --no-title → disable setting console window title
    • --pause-on-battery → pause mine on battery power
    • --pause-on-active=N → pause mine when the user is active (resume after N seconds of last activity)
    • --stress → run continuous stress test to check system stability
    • --bench=N → run benchmark, N can be between 1M and 10M
    • --submit → perform an online benchmark and submit result for sharing
    • --verify=ID → verify submitted benchmark by ID
    • --seed=SEED → custom RandomX seed for benchmark
    • --hash=HASH → compare benchmark result with specified hash
    • --no-dmi → disable DMI/SMBIOS reader

It requires being executed with a specific argument/parameter, an additional component, or in a specific environment in order to proceed with its intended routine.

  SOLUTION

Minimum Scan Engine:

9.800

SSAPI PATTERN File:

2.795.00

SSAPI PATTERN Date:

01 Jan 2025

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

    • Troj.ELF.TRX.XXELFC1DFF046

Step 2

Scan your computer with your Trend Micro product to delete files detected as PUA.Linux.XMRig.G. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.