April 2, 2024 - Mimu the lingering Cryptomalware

Resurgence/Lingering of ‘mimu’ Cryptomalware

The recently disclosed Confluence vulnerability CVE-2023-22527, an unauthenticated template-injection flaw in Confluence Data Center and Server that yields remote code execution, is being actively exploited by threat actors deploying a long-standing cryptomalware strain known as “mimu.” The strain first emerged around 2019-2020 and has been repurposed again and again to ride newly disclosed vulnerabilities, primarily remote code execution flaws in internet-facing web applications that can be triggered with a single crafted HTTP request.

The core functionality of mimu is straightforward yet insidious. It kills competing processes and services so that it can run unimpeded, then consumes the host’s CPU to mine cryptocurrency, primarily Monero, whose RandomX proof-of-work is designed to run on general-purpose CPUs rather than GPUs or ASICs.

While the miner’s process names have changed over time (kthzabor, kthreaddkk, kthreaddk, kthreaddi, knthread), all chosen to blend in with the legitimate kernel thread kthreadd in a process listing, its underlying code traces back to the notorious Sysrv botnet, known for worm-like propagation that includes lateral movement with SSH keys harvested from compromised hosts.

Remediating a kthmimu infection requires a multipronged approach. First, identify and terminate any suspicious, resource-intensive processes matching the known variant names; if you want a sample, copy the running binary from /proc/<pid>/exe before killing it, in case the file on disk has already been removed. Then delete the dropped files, check cron entries, systemd units, startup scripts and SSH authorized_keys for persistence, and pull the related logs (web server access logs around the exploit request, shell history) to scope the intrusion. Hardening measures such as prompt patching, disabling unnecessary services, and tighter SSH key management (including rotating any private keys that were readable on the compromised host) are critical to prevent reinfection. In the case of the Confluence vulnerability, patch management and a risk assessment of any internet-exposed Confluence instances come into play as well.
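The triage steps above, as an added example that is not part of the original post: a POSIX shell script that flags processes by the variant names listed here, adds a general check for user-space binaries posing as kernel threads (a genuine kernel thread is a child of PID 2 and has no /proc/<pid>/exe target; that heuristic, the constructed sample process table, the set of persistence locations and the EVIDENCE_DIR path are this example's own assumptions, not something the post states), preserves the running binary before killing it, and greps cron, systemd, rc.local and authorized_keys for the dropper names from the IOC list. Windows hosts (sys.exe, ldr.ps1) would need the equivalent done in PowerShell and are not covered here.

```shell
#!/bin/sh
# Triage helper for a suspected mimu/kthmimu miner on a Linux host.
# Added example for this post, not the author's tooling. Process and file
# names come from the post's IOC list; the kthreadd-impostor heuristic, the
# sample process table, the persistence paths and EVIDENCE_DIR are assumptions.

# Process names the post attributes to mimu variants.
MIMU_NAMES="kthzabor kthreaddkk kthreaddk kthreaddi knthread kthmimu"

# Dropper / payload file names from the post's IOC list.
MIMU_FILES="ldr.sh ap.sh ldr.ps1 sys.x86_64 kthmimu ap.txt"

# Constructed sample of "PID PPID %CPU COMM EXE" records ("-" = no exe link,
# i.e. a genuine kernel thread). Not real capture data.
SAMPLE_PROCS='1 0 0.0 systemd /usr/lib/systemd/systemd
2 0 0.0 kthreadd -
15 2 0.0 kworker/0:1 -
4242 1 97.3 kthreaddk /tmp/.x/kthreaddk
4250 1 88.0 kworker/u8:3 /tmp/.x/sys.x86_64
3001 1 1.2 java /opt/atlassian/confluence/jre/bin/java'

# 0 if $1 is one of the known variant names.
is_mimu_name() {
    for n in $MIMU_NAMES; do
        [ "$1" = "$n" ] && return 0
    done
    return 1
}

# Genuine kernel threads are children of kthreadd (PID 2) and have no
# /proc/PID/exe target. A user-space binary wearing a kernel-thread name has
# another parent and a real exe path: returns 0 for "impostor".
is_kthread_impostor() {
    [ "$1" != "2" ] && [ "$2" != "-" ]
}

# Classify one record; prints a verdict and returns 0 if it should be killed.
classify() {
    pid=$1; ppid=$2; cpu=$3; comm=$4; exe=$5
    if is_mimu_name "$comm"; then
        echo "$pid KNOWN_NAME comm=$comm cpu=$cpu exe=$exe"
        return 0
    fi
    case "$comm" in
        kthread*|kworker*|ksoftirq*)
            if is_kthread_impostor "$ppid" "$exe"; then
                echo "$pid KTHREAD_IMPOSTOR comm=$comm ppid=$ppid exe=$exe"
                return 0
            fi ;;
    esac
    return 1
}

# Scan a block of records passed as $1; prints verdicts, then "suspicious=N".
scan_records() {
    count=0
    while read -r pid ppid cpu comm exe; do
        [ -n "$pid" ] || continue
        classify "$pid" "$ppid" "$cpu" "$comm" "$exe" && count=$((count + 1))
    done <<EOF
$1
EOF
    echo "suspicious=$count"
}

# Build the same records from a live /proc (Linux only; run as root, since
# other users' exe links are unreadable and would all show as "-").
live_records() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ -r "$d/status" ] || continue
        comm=$(sed -n 's/^Name:[[:space:]]*//p' "$d/status")
        ppid=$(sed -n 's/^PPid:[[:space:]]*//p' "$d/status")
        exe=$(readlink "$d/exe" 2>/dev/null); [ -n "$exe" ] || exe="-"
        cpu=$(ps -o pcpu= -p "$pid" 2>/dev/null | tr -d ' ')
        echo "$pid $ppid ${cpu:-0} $comm $exe"
    done
}

# Preserve the running binary (the on-disk copy may already be gone), then
# SIGKILL. Only acts when MIMU_KILL=1; the default is report-only.
act_on() {
    [ "${MIMU_KILL:-0}" = "1" ] || return 0
    dir=${EVIDENCE_DIR:-/root/mimu-evidence}
    mkdir -p "$dir"
    cp "/proc/$1/exe" "$dir/$1.bin" 2>/dev/null || true
    kill -9 "$1"
}

scan_live() {
    live_records | while read -r pid ppid cpu comm exe; do
        classify "$pid" "$ppid" "$cpu" "$comm" "$exe" && act_on "$pid"
    done
}

# Grep the usual persistence locations under $1 (default: /) for the dropper
# names; prints "file:line:text" hits and returns 0 if any were found.
persistence_sweep() {
    root=${1:-}; hits=0
    pattern=$(printf '%s' "$MIMU_FILES" | sed 's/\./\\./g' | tr ' ' '|')
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/* \
             "$root"/var/spool/cron/crontabs/* "$root"/etc/rc.local \
             "$root"/etc/systemd/system/*.service "$root"/root/.ssh/authorized_keys \
             "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        out=$(grep -nE "$pattern" "$f") && {
            printf '%s\n' "$out" | sed "s|^|$f:|"
            hits=$((hits + 1))
        }
    done
    [ "$hits" -gt 0 ]
}

# Offline demo on the constructed sample (flags 4242 and 4250).
scan_records "$SAMPLE_PROCS"
```

Run on its own the script only classifies the embedded sample; on a suspect host, source it (`. ./mimu-triage.sh`) and call `scan_live` and `persistence_sweep` as root, then `MIMU_KILL=1 scan_live` once the verdicts look right. The impostor check is deliberately conservative: it never touches a process whose parent is PID 2 or whose exe link is absent, so real kernel threads are safe even if a future variant picks a name that is not on the list.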

Indicators of Compromise (IOCs): URL end paths:

~/ap.txt
~/kthmimu.txt
~/sys.x86_64
~/ko
~/ldr.sh
~/ap.sh
~/curl
~/kik

IOCs: hashes. kthreaddk (SHA256):

0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404

PowerShell script (SHA256): ldr.ps1

bcb6c969aca3f6170299a26388f4f3549f8c3626335588236828fa3c6fa15b71

Shell Scripts (SHA256): ldr.sh

832c8adffce442b0c5b9e4d6d5b8fbb101d36fe697ae1392ca0018c4511de44f
4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31f
f13e48658426307d9d1434b50fa0493f566ed1f31d6e88bb4ac2ae12ec31ef1f

sys.x86_64 (SHA256):

847d80d87549a0e3995816ad60c82464bb9d8823013beb832f5b31a2e4ef0445 (packed)
9d9150e2def883bdaa588b47cf5300934ef952bea3acd5ad0e86e1deaa7d89c5 (unpacked)

sys.exe (SHA256):

39be5aa02d074dcecebe251d3f5a62073620c340901128bb751404b17770d9be

The persistence of kthmimu underscores how cheaply cryptomalware can be retrofitted to new vulnerabilities: the payload has changed little since its Sysrv origins, only the delivery exploit has. Defenders should treat the Confluence campaign as a reminder to patch internet-facing applications promptly, restrict access to administrative interfaces, and watch for sustained high CPU use and unexpected kernel-thread-like process names.

Failing to do so risks more than a higher electricity bill. A host running an attacker’s miner has already fetched and executed remote code, and the same foothold can be reused for lateral movement over SSH or to deliver other payloads. Prompt patching, robust access controls, continuous monitoring and a defense-in-depth posture remain the practical answer to a strain that keeps coming back.


Sam Sandersona

IT Professional and Freelance Security Researcher


2024-04-02