H2Miner Targets Linux, Windows, and Containers to Illicitly Mine Monero

FortiGuard Labs researchers have uncovered a sophisticated cryptomining campaign where the H2Miner botnet, active since late 2019, has expanded its operations to target Linux, Windows, and containerized environments simultaneously.

The campaign represents a significant evolution in cross-platform cryptocurrency mining attacks, with threat actors leveraging updated scripts and infrastructure to maximize financial gains from compromised systems.

The investigation revealed that H2Miner operators have updated their arsenal with new deployment URLs while maintaining core functionalities from previous campaigns documented in 2020.

The malware continues to rely heavily on shell scripts to disable security defenses and deploy Kinsing malware, but now demonstrates enhanced awareness of cloud-specific defenses and containerized environments.

Notably, the updated scripts specifically target Alibaba Cloud Security Center agents and processes running within Docker containers, indicating the operators’ adaptation to modern cloud infrastructure.

Campaign Infrastructure

The threat actors have established a diverse infrastructure hosting multiple malware families and commercial tools for different operating systems, widening the range of systems they can compromise and monetize.

The campaign deploys Kinsing on Linux systems, while Windows environments face a broader array of threats including Lumma stealer, DCRat, Cobalt Strike, Amadey, RustyStealer, and ScreenConnect.

Container environments are specifically targeted with XMRig miners, demonstrating the operators’ comprehensive approach to resource hijacking.

The infrastructure utilizes multiple VPS providers across different geographical locations, including HostGlobal plus VPS, Aeza international VPS, and Hangzhou Alibaba Advertising Co. ISP.

This distributed approach helps the operators maintain resilience against takedown efforts while ensuring continuous access to compromised systems.

The campaign also leverages legitimate services like Bitbucket for payload hosting and Krakenfiles for downloading ransomware wallpapers, making detection and blocking more challenging.

AI-Generated Ransomware Variant Emerges

Perhaps the most intriguing development in this campaign is the emergence of Lcrypt0rx, a new variant of the Lcryx ransomware that researchers suspect was generated using artificial intelligence.

Figure: Lcrypt0rx ransom note

The ransomware exhibits numerous characteristics indicative of AI-generated code, including function duplication, incorrect persistence mechanisms, flawed encryption logic, and redundant object creation.

Analysis using specialized AI detection tools returned confidence scores in the 85-90% range, supporting the hypothesis of automated code generation.

The Lcrypt0rx variant demonstrates several technical flaws that suggest automated generation without proper validation.

The ransomware attempts to establish persistence through the Winlogon registry key and Image File Execution Options (IFEO) but fails due to improper implementation.

Its encryption routine uses simple XOR encoding with an 8,192-character master key, but lacks proper key management: the same key is reused rather than being derived per file or per victim, so recovery is relatively straightforward through basic cryptanalysis, for instance a known-plaintext attack against the reused key.
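
The following is an added example, not code from the FortiGuard report or from Lcrypt0rx itself, showing why a reused XOR key is recoverable. It assumes (the page does not state this) that the ransomware XORs byte i of a file with byte (i mod key length) of one fixed master key reused for every file. A 64-byte key stands in for the 8,192-character one so the demo runs quickly; the attack is identical at any key length.

```python
"""Known-plaintext recovery of a reused repeating XOR key.

Added example, not code from the FortiGuard report or from Lcrypt0rx.
Assumption (not stated on the page): byte i of each file is XORed with
byte (i mod key length) of one fixed master key reused for every file.
"""
import secrets


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this both 'encrypts' and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(samples, key_len):
    """Merge known-plaintext fragments into the key.

    samples: iterable of (ciphertext, known_plaintext, offset), meaning the
    original file held known_plaintext starting at byte `offset`.
    Returns a list of key_len entries: the recovered byte, or None where no
    sample covered that key position. A conflict between two samples means
    the reused-repeating-key model is wrong for this data, so raise rather
    than silently return a bad key.
    """
    key = [None] * key_len
    for ciphertext, plaintext, offset in samples:
        for i, p in enumerate(plaintext):
            idx = (offset + i) % key_len
            kb = ciphertext[offset + i] ^ p
            if key[idx] is not None and key[idx] != kb:
                raise ValueError(f"conflicting value for key byte {idx}")
            key[idx] = kb
    return key


def coverage(key):
    """Number of key positions recovered so far."""
    return sum(k is not None for k in key)


def demo(key_len=64):
    """Constructed scenario: one master key reused across four 'files'."""
    master = secrets.token_bytes(key_len)
    # Files whose first bytes are known from their format (magic numbers).
    png = b"\x89PNG\r\n\x1a\n" + secrets.token_bytes(200)
    pdf = b"%PDF-1.7\n" + secrets.token_bytes(150)
    # A file the analyst also holds in clear (backup, OS media), longer than the key.
    known_doc = b"The quick brown fox jumps over the lazy dog. " * 3
    # The file we actually want back.
    target = b"Q3 payroll export, do not distribute. " * 4

    enc = {n: xor_with_key(d, master) for n, d in
           [("png", png), ("pdf", pdf), ("doc", known_doc), ("target", target)]}

    # Stage 1: magic numbers alone give only the first few key bytes.
    partial = recover_key([(enc["png"], png[:8], 0), (enc["pdf"], pdf[:9], 0)], key_len)
    # Stage 2: one known file at least key_len bytes long fills in the rest.
    full = recover_key([(enc["png"], png[:8], 0), (enc["pdf"], pdf[:9], 0),
                        (enc["doc"], known_doc, 0)], key_len)
    recovered = bytes(full)
    return (coverage(partial), recovered == master,
            xor_with_key(enc["target"], recovered) == target)


if __name__ == "__main__":
    print(demo())
```

Under the stated assumption, file-format magic numbers alone recover the first few key bytes from every victim file, and a single known file at least as long as the key (here 64 bytes; for an 8,192-byte key, any file of 8 KiB or more that also exists in a backup or on install media) recovers the whole key, which then decrypts everything else the same key touched. Proper key management, a fresh random key per file wrapped with an asymmetric key, is exactly what removes this weakness.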

The malware also includes illogical behaviors such as attempting to open encrypted files in Notepad and targeting non-existent folder paths across different Windows versions.

Despite its technical shortcomings, Lcrypt0rx serves as an effective system disruptor, disabling critical Windows utilities, modifying registry keys to prevent user access to system tools, and overwriting the Master Boot Record to render systems unbootable.

The ransomware also downloads and executes additional payloads, including miners and information stealers, effectively serving as a delivery mechanism for the broader H2Miner campaign.

The convergence of H2Miner and Lcrypt0rx operations represents a concerning trend in cybercrime commoditization, where access to large language models and prebuilt tools significantly lowers the barrier to entry for threat actors.

Organizations should implement comprehensive security measures, including network monitoring, endpoint protection, and user education, to defend against these evolving multi-platform attacks.

Indicators of Compromise

Type             Indicator                                                                                         Description
IP address       78.153.140.66                                                                                     HostGlobal plus VPS
IP address       80.64.16.241                                                                                      LIR limited ISP
IP address       89.208.104.175                                                                                    Aeza international VPS
IP address       47.97.113.36                                                                                      Cobalt Strike server
IP address       176.65.137.203                                                                                    Dolphin host VPS
IP address       185.156.72.96                                                                                     Amadey C2 server
File hash (MD5)  06a482a6096e8ff4499ae69a9c150e92                                                                  Lcrypt0rx.vbs
File hash (MD5)  1bf1efeadedf52c0ed50941b10a2f468                                                                  ce.sh script
File hash (MD5)  57f0fdec4d919db0bd4576dc84aec752                                                                  XMRig miner
File hash (MD5)  9e4f149dae1891f1d22a2cea4f68432e                                                                  Trojan with fake Google resources
Monero wallet    4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC   H2Miner wallet
Monero wallet    89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X   Monero wallet
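
The following is an added example, not from the FortiGuard report, of sweeping the indicators above across log data. The indicator values are the ones in the table; the log lines are constructed for this demo, and the field names (src=, dst=, md5=, cmd=) are assumptions about a generic proxy/EDR export, not any vendor's real format.

```python
"""Match the report's IoCs against log lines.

Added example, not from the FortiGuard report. Indicator values are taken
from the table above; SAMPLE_LOGS and its field names are constructed for
this demo and do not represent any real product's log format.
"""
import re

IOC_IPS = {
    "78.153.140.66": "HostGlobal plus VPS",
    "80.64.16.241": "LIR limited ISP",
    "89.208.104.175": "Aeza international VPS",
    "47.97.113.36": "Cobalt Strike server",
    "176.65.137.203": "Dolphin host VPS",
    "185.156.72.96": "Amadey C2 server",
}
IOC_MD5 = {
    "06a482a6096e8ff4499ae69a9c150e92": "Lcrypt0rx.vbs",
    "1bf1efeadedf52c0ed50941b10a2f468": "ce.sh script",
    "57f0fdec4d919db0bd4576dc84aec752": "XMRig miner",
    "9e4f149dae1891f1d22a2cea4f68432e": "Trojan with fake Google resources",
}
IOC_WALLETS = {
    "4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC": "Monero wallet (H2Miner)",
    "89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X": "Monero wallet",
}

# Tokens are runs of letters, digits and dots, so an IP survives intact while
# "dst=1.2.3.4:443" and 'cmd="xmrig -u <wallet>"' still split cleanly.
TOKEN_RE = re.compile(r"[A-Za-z0-9.]+")


def scan_line(line):
    """Return (type, indicator, description) for every IoC present in one line."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        tok = tok.strip(".")
        if tok in IOC_IPS:
            hits.append(("ip", tok, IOC_IPS[tok]))
        elif tok.lower() in IOC_MD5:          # hex hashes are case-insensitive
            hits.append(("md5", tok.lower(), IOC_MD5[tok.lower()]))
        elif tok in IOC_WALLETS:              # base58 wallets are case-sensitive
            hits.append(("wallet", tok, IOC_WALLETS[tok]))
    return hits


def scan(lines):
    """Scan many lines; returns [(line_number, type, indicator, description), ...]."""
    return [(n, *hit) for n, line in enumerate(lines, 1) for hit in scan_line(line)]


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-07-01T10:00:01Z proxy src=10.0.0.5 dst=78.153.140.66:80 GET /ce.sh",
    "2025-07-01T10:00:03Z edr host=build01 file=/tmp/ce.sh md5=1BF1EFEADEDF52C0ED50941B10A2F468",
    "2025-07-01T10:00:07Z proxy src=10.0.0.9 dst=93.184.216.34:443 CONNECT",
    '2025-07-01T10:01:00Z proc host=ws17 cmd="xmrig -o pool.example:3333 -u 4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC"',
    "2025-07-01T10:02:15Z proxy src=10.0.0.5 dst=185.156.72.96:443 POST /",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Of the three indicator types, the wallet address is the most durable: rented VPS addresses and file hashes change between waves, but a miner has to report to the operator's wallet, so any command line or pool traffic carrying that string is a strong hit regardless of which binary or host was used.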
