The malware targets the Web Servers on a Linux platform to exploit system resources in order to generate crypto money. If removed, reinstall yourself.
The chess game between hackers and Web server administrators continues unabated. After the wave of crypto-miners recorded in recent months, in fact, all IT managers have taken countermeasures to secure their systems by implementing, in particular, resource consumption monitoring systems to detect suspected components and disable them.
The response of the cyber-criminals, however, was not long in coming. As Luke Leal, a Sucuri researcher, explains, the pirates are using new techniques to ensure the persistence of their miner so that they can continue their work even if someone intervenes to remove them.
The case analyzed by Leal in his report explains the techniques used. The attack vector is a bash file, called cr2.sh, which, once executed, starts the infection procedure following a precise procedure. First, the malware takes care of checking for the presence of a series of processes including Xmrig and CryptoNight.
If they are present, it ends them. The logic, is to clean up any miner installed by other cyber criminals.

Once the machine has been cleaned of unwanted competitors, it starts the connection to a default server from which it downloads the miner as a file that is stored as / tmp / php. Then download from the same server the configuration file that allows the execution of the script.
Once the process is loaded into memory, the two files used to start the process are deleted in order to hide the traces of the infection.
The real touch of class, however, is the technique used to guarantee the persistence of the process. The script, in fact, uses Cron (a job scheduler used in Unix environment - ed) to check every minute if the process is active. If it has been deleted, the cronjob starts downloading the cr2.sh file and restarts the entire process.
In this way, every effort to definitively eliminate the crypto-miner from the Web Server is destined to fail. At least until the administrator checks the Cron queue and realizes the presence of the job in question.