Xanthe Malware Description
The growth of cloud environments and services has changed the tech landscape tremendously in a myriad of ways, and security is one aspect that should not be overlooked. For a long time, Windows desktop systems were the primary targets for cybercriminals, and they still are, but a significant shift has also taken place: more and more of the hosts put up on the Internet are running Linux, and they are often easier prey because hardening them takes more deliberate effort than it does for in-house Windows systems. In 2020 alone, infosec researchers have observed multiple campaigns targeting precisely such systems, one of the latest being the Xanthe Malware.
The Xanthe Malware is a multi-modular botnet that exploits incorrectly configured Docker API installations, that is, Docker daemons whose API is reachable over the network without authentication, to infect Linux systems. Once inside, Xanthe deploys a variant of the popular XMRig Monero cryptomining malware and harvests client-side credentials and certificates, which it then uses to propagate itself.
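A misconfigured Docker API in this sense is a dockerd that serves its API on a TCP socket bound to a non-loopback address without TLS client verification; anyone who can reach that socket can start a privileged container and, through it, run code as root on the host. The checker below is an added example, not code from the original page or from the Xanthe campaign: it merges the endpoints from a daemon.json and a dockerd command line and flags the exposed ones. Both sample configurations are constructed for illustration, and the certificate paths in the hardened one are assumptions.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed daemon.json samples (illustration only, not from the page or the campaign).
# Weak: the API is served over plain TCP on every interface with no client authentication.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
# Hardened: TCP is still offered, but only to clients presenting a certificate signed by
# the configured CA. The certificate paths are assumptions chosen for the example.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

LOOPBACK = {"localhost", "::1"}


def _config(daemon_json):
    return json.loads(daemon_json) if daemon_json.strip() else {}


def listening_hosts(daemon_json, cmdline):
    """Collect every -H/--host endpoint from daemon.json and the dockerd command line.
    (dockerd itself refuses to start when 'hosts' is set in both places; the checker
    simply merges the two so that either source can be audited.)"""
    hosts = list(_config(daemon_json).get("hosts", []))
    args = shlex.split(cmdline)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        i += 1
    return hosts


def tls_verify_enabled(daemon_json, cmdline):
    """True when dockerd demands a client certificate (tlsverify) from TCP clients."""
    if _config(daemon_json).get("tlsverify") is True:
        return True
    return any(a in ("--tlsverify", "--tlsverify=true") for a in shlex.split(cmdline))


def assess(daemon_json="", cmdline=""):
    """Return one finding per TCP endpoint; CRITICAL ones are the Xanthe entry point."""
    findings = []
    verify = tls_verify_enabled(daemon_json, cmdline)
    for endpoint in listening_hosts(daemon_json, cmdline):
        url = urlsplit(endpoint)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        host = url.hostname or ""
        if host in LOOPBACK or host.startswith("127."):
            continue  # only local processes can reach a loopback listener
        if verify:
            findings.append(f"INFO: {endpoint} requires a client certificate (tlsverify)")
        else:
            findings.append(
                f"CRITICAL: {endpoint} exposes the Docker API with no authentication; "
                "anyone who can reach it can start a privileged container and run code as root"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, assess(cfg, ""))
```

The weak configuration is exactly what an Internet-wide scan for port 2375 turns up; binding the TCP listener to loopback, or keeping only the Unix socket, closes the door even without TLS, and `tlsverify` with a private CA is the way to keep a remote listener while requiring client certificates.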
The initial file dropped on the targeted system is a downloader script named pop.sh, tasked with downloading and executing the main module of the botnet, xanthe.sh. Once deployed, Xanthe drops four additional modules, each responsible for a different harmful function:
- libprocesshider.so – a process-hiding module
- xesa.txt – a shell script that disables other cryptomining malware threats, as well as security software
- fczyo – a shell script tasked with the removal of competing Docker-targeting cryptominers
- config.json – the XMRig Monero cryptominer binary itself, despite the name
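The module list above gives a defender a few concrete artifacts to look for on a suspect host: a non-empty /etc/ld.so.preload (the usual way a libprocesshider.so-style hook is injected into every process), the module file names, and a file called config.json that is actually an ELF executable rather than JSON. The triage script below is an added example, not code from the original page or from the campaign; it runs against a constructed directory tree rather than a live root filesystem, and the set of directories it sweeps is an assumption.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# File names the page attributes to Xanthe. config.json is deliberately left out:
# the name is too generic, so that module is recognised by content (ELF magic) instead.
XANTHE_NAMES = {"pop.sh", "xanthe.sh", "libprocesshider.so", "xesa.txt", "fczyo"}
# Directories to sweep under the root; an assumption for the example, not from the page.
SCAN_DIRS = ("tmp", "var/tmp", "dev/shm", "root")


def preload_entries(root):
    """Libraries forced into every process via /etc/ld.so.preload (normally absent or empty)."""
    path = os.path.join(root, "etc", "ld.so.preload")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.strip() for line in fh if line.strip() and not line.startswith("#")]


def is_elf(path):
    """True when the file starts with the ELF magic, whatever its extension says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def triage(root="/", scan_dirs=SCAN_DIRS):
    """Collect Xanthe-style artifacts under 'root'; returns a list of human-readable findings."""
    findings = []
    for entry in preload_entries(root):
        tag = " (process-hider style hook)" if "processhider" in entry else ""
        findings.append(f"ld.so.preload loads {entry}{tag}")
    for sub in scan_dirs:
        for dirpath, _, filenames in os.walk(os.path.join(root, sub)):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if name in XANTHE_NAMES:
                    findings.append(f"known Xanthe module name: {path}")
                if name.endswith(".json") and is_elf(path):
                    findings.append(f"ELF executable hiding behind a .json name: {path}")
    return findings


def demo():
    """Triage a constructed directory tree (sample artifacts, not real malware)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "etc", "ld.so.preload"), "w") as fh:
            fh.write("/usr/local/lib/libprocesshider.so\n")
        with open(os.path.join(root, "tmp", "config.json"), "wb") as fh:
            fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)  # ELF header start, no real code
        with open(os.path.join(root, "tmp", "xesa.txt"), "w") as fh:
            fh.write("#!/bin/sh\n# placeholder standing in for the dropped script\n")
        with open(os.path.join(root, "tmp", "settings.json"), "w") as fh:
            fh.write("{}\n")  # a genuine JSON file, must not be flagged
        return triage(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Because libprocesshider works by hooking readdir in every process that honours ld.so.preload, `ps` and `top` on the infected host will not show the miner; reading /etc/ld.so.preload directly, or listing /proc from a statically linked binary, sidesteps the hook.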
The main module also attempts to spread to other systems, both on the local network and on outside networks. For this purpose, Xanthe first obtains the public IP address of the compromised host by connecting to icanhazip.com. It then harvests client-side certificates and keys by leveraging the 'find' utility. Once all keys have been collected, Xanthe looks for known TCP ports, hosts, and the passwords for those hosts. A loop iterating over every combination of the obtained keys, hosts, ports and passwords is used to attempt connections to remote hosts; on success, Xanthe downloads and executes its main module on the remote system through the command line.
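The raw material for that loop is whatever the compromised account can read: private key files, and the host names and ports recorded in known_hosts. The audit below is an added example, not code from the original page or from the campaign; it measures that material for one home directory, which tells a defender how far a compromise of the account could reach, and it parses known_hosts the way OpenSSH writes it, including the `[host]:port` form and `|1|` hashed entries that leak no host name. The home directory, key and known_hosts lines it runs against are constructed sample data.

```python
import os
import tempfile
from dataclasses import dataclass, field

PRIVATE_KEY_MARKER = b"PRIVATE KEY-----"


@dataclass
class SshReach:
    keys: list = field(default_factory=list)    # private key files an attacker could reuse
    targets: set = field(default_factory=set)   # (host, port) pairs learned from known_hosts
    hashed_entries: int = 0                     # known_hosts lines that reveal no host name

    def attempts(self):
        """Size of the key x target grid a propagation loop would have to walk."""
        return len(self.keys) * len(self.targets)


def find_private_keys(root):
    """Walk 'root' and return files whose head carries a PEM/OpenSSH private key marker."""
    keys = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            if PRIVATE_KEY_MARKER in head:
                keys.append(path)
    return sorted(keys)


def parse_known_hosts_line(line):
    """Return ([(host, port), ...], hashed) for one known_hosts line.
    Handles '@marker' prefixes, comma-separated patterns, '[host]:port' and '|1|' hashes."""
    line = line.strip()
    if not line or line.startswith("#"):
        return [], False
    fields = line.split()
    if fields[0].startswith("@"):      # e.g. @cert-authority, @revoked
        fields = fields[1:]
    if not fields:
        return [], False
    patterns = fields[0]
    if patterns.startswith("|1|"):     # HashKnownHosts: the host name is not recoverable
        return [], True
    targets = []
    for pattern in patterns.split(","):
        if not pattern or pattern.startswith("!"):
            continue
        if pattern.startswith("["):    # non-default port: [host]:port
            host, _, port = pattern[1:].partition("]:")
            targets.append((host, int(port) if port.isdigit() else 22))
        else:
            targets.append((pattern, 22))
    return targets, False


def audit_ssh_reach(home_dir):
    """What a process running as this user could learn for SSH-based spreading."""
    reach = SshReach(keys=find_private_keys(home_dir))
    known_hosts = os.path.join(home_dir, ".ssh", "known_hosts")
    if os.path.isfile(known_hosts):
        with open(known_hosts, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                targets, hashed = parse_known_hosts_line(line)
                reach.targets.update(targets)
                if hashed:
                    reach.hashed_entries += 1
    return reach


def demo():
    """Run the audit over a constructed home directory (sample data, not real hosts or keys)."""
    with tempfile.TemporaryDirectory() as home:
        ssh = os.path.join(home, ".ssh")
        os.makedirs(ssh)
        with open(os.path.join(ssh, "id_ed25519"), "wb") as fh:
            fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n-----END OPENSSH PRIVATE KEY-----\n")
        with open(os.path.join(ssh, "id_ed25519.pub"), "wb") as fh:
            fh.write(b"ssh-ed25519 AAAAC3... user@host\n")
        with open(os.path.join(ssh, "known_hosts"), "w", encoding="utf-8") as fh:
            fh.write("# constructed sample\n"
                     "build01.internal,10.0.0.5 ssh-ed25519 AAAAC3...\n"
                     "[bastion.example.net]:2222 ssh-rsa AAAAB3...\n"
                     "|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3...\n")
        return audit_ssh_reach(home)


if __name__ == "__main__":
    r = demo()
    print(f"{len(r.keys)} private key(s), {len(r.targets)} target(s), "
          f"{r.hashed_entries} hashed entry(ies); {r.attempts()} key/target pairs to try")
```

The hashed entries are the practical takeaway: with `HashKnownHosts yes` in ssh_config, a harvested known_hosts still verifies host keys but no longer hands an attacker a target list, and passphrase-protected or agent-held keys cut the usable key set further.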