Bash Wars

Chris Hall
Cloud Security Researcher, Lacework Labs

Whether you’re an engineer or a system administrator, you’ve probably found bash to be a go-to resource for automating your Linux tasks. Bash is so useful that it has become popular among malware authors as well. This is because it can easily perform many tasks that are necessary for malware installation and system persistence. 

Cryptomining has become the main malware targeting cloud infrastructure and is especially problematic in that it steals the limited computing power needed for your workloads. Cryptominers are using bash to maximize their ability to consume your valuable processing power. One of the methods for this is to identify and terminate competing cryptominers. 

Our most recent whitepaper, Bash Wars: An examination of bash malware tactics and campaigns, analyzed some of these methods and looked at some of the sets of activity and campaigns. Primary take-aways from the paper include:

  •       There is an extremely high level of code reuse among cryptomining bash installers with 94% redundancy of bash commands. The paper ranks the most used commands in the appendix
  •       Primary methods for targeting other cryptominers include process termination, network termination, and updating of firewall and hosts files
  •       The majority of cryptomining campaigns can be clustered into one of five sets of activity
  •       Thousands of bash downloader specimens can be linked to the same template

Also included with the whitepaper are indicators and Yara rules for identification of similar cryptomining installers and downloaders. The paper can be viewed here.