June 6, 2023

Researhers revealed details of a new malware dubbed Coinstomp, mainly targeting Asian cloud service providers to conduct cryptocurrency mining.

The attackers were using CoinStomp malware in a highly sophisticated campaign designed to exploit CPU resources of targeted devices to mine cryptos. The malware comprises shell scripts that try to control cloud instances hosted by cloud service providers.


The attack tactics of this campaign include timestomping, removing system cryptographic policies, and initiating C2 communications with the malicious software using a reverse shell. The script then downloads and executes new payloads as system wide services with root privileges, including binaries to create backdoors and a custom XMRig version, a Monero mining software. It issues commands to eliminate cryptographic policy files on a system and may even kill cryptographic processes.

CoinStamp has unusual capabilities like it relies on timestomping commands Linux systems to update file modification and access time. The malware also tampers with Linux server cryptographic policies, which can otherwise prevent malicious executables from being installed or executed on the system. Disabling system-wide cryptographic policies using a single Kill command


The researchers further examined clues in code that hinted towards the involvement of a cryptojacking group called Xanthe. But it’s unclear to conclude at point of time due to insufficient details

Leave a Reply

%d bloggers like this: