Blog | G5 Cyber Security

Cryptominer Uses Cron To Reinfect Linux Host After Removal

A cryptomining dropper malware has been spotted by security researchers while gaining persistence on Linux hosts by adding cron jobs to reinfect the compromised machines after being removed. Malware was initially discovered on a web server with a maxed out CPU by a malicious process. The malware will then gain persistence on the infected server by creating a cron job that runs every minute, checking for the cr2.sh Bash script used in the initial infection stage, and automatically re-downloading and executing if missing.

Source: https://www.bleepingcomputer.com/news/security/cryptominer-uses-cron-to-reinfect-linux-host-after-removal/

Exit mobile version