A new cryptomining campaign has been discovered targeting Linux systems for Monero cryptocurrency which identifies the processes of other cryptominers on the machine to terminate them. To ensure that the activity of miners does not revive, CroniX will delete the binaries of other miners on the system. It will also check the names of the processes and terminate those that consume 60% of the CPU or more. CroniX exploits the Apache Struts vulnerability CVE-2018-11776 to inject OGNL expressions (Object-Graph Navigation Language) into the URL. Researchers claim, “The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.” Although the campaign is targeting Linux Systems with Apache Struts, researchers have seen evidence that there is an operation targeting Windows machines as well.
