AT&T's Cybersecurity Branch Breaks Down Crypto Miner Threat to Email Servers

A new technical analysis from AT&T Alien Labs offers an inside look at how a pernicious form of monero mining malware infiltrates email networks.

AccessTimeIconJan 9, 2020 at 2:00 p.m. UTC
Updated Sep 13, 2021 at 12:07 p.m. UTC

AT&T's Alien Labs is dipping its toes into cryptomining malware analysis with a new technological breakdown of how a monero miner infiltrates networks. 

Released Thursday, the report by security researcher Fernando Domínguez provides a step-by-step walkthrough of how one rather low-profile cryptojacker infects and spreads across vulnerable Exim, Confluence and WebLogic servers, installing malicious code that mines monero through a proxy.  Exim servers represent more than half of all email servers, according to ZDNet

The worm first injects target servers with a BASH script that checks for, and kills, competing mining processes before attempting to infiltrate other known machines in the network. Crypto-miners often kill off competing miners when they infect a system, and for one very simple reason: The more CPU a different process hogs, the less is left over for others, according to the report.

Breached servers then download the script’s payload: an “omelette” (as the downloaded executable file variable is termed) based on the open-source monero miner called XMRig.  

Available on GitHub, XMRig is a malware hacker favorite and a common building block in cryptojackers’ arsenal. It has been retrofitted into MacBook miners, spread across 500,000 computers and, in 2017, became so popular that malicious mining reports spiked over 400 percent.

This modified miner does its business via proxy, according to AT&T Alien Labs. That makes tracing the funds, or even discerning the wallet address, nearly impossible without proxy server access. 

Frying this omelette is hard. When it downloads, another file called “sesame” – identical to the original BASH script – downloads as well. This is the key to the worm’s persistency: it hitches onto a cron job with a five-minute interval, enabling it to withstand kill attempts and system shutdowns. It can even automatically update with new versions. 

AT&T Alien Labs began following the worm in June 2019. It had previously been studied by cloud security analysis firm Lacework in July. 

Researchers don’t quite know how widespread this unnamed monero miner is. Alien Labs’ report admits that “it is hard to estimate how much income this campaign has reported to the threat actor,” but notes the campaign is “not very big.”

Nonetheless, it serves as a reminder to all server operators: Always keep your software patched and up to date.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Read more about