WaterMiner
Miner⚠️ Overview
WaterMiner is a cryptocurrency mining malware first documented in November 2020 by researchers at Qihoo 360 Netlab, categorized as a miner that leverages known vulnerabilities in web applications to deploy Monero mining payloads. The malware is attributed to an unidentified threat group, possibly operating from East Asia, and targets Linux servers running enterprise applications.
🔧 Technical Capabilities
WaterMiner propagates by exploiting unpatched vulnerabilities in Apache Shiro (CVE-2016-4437), Apache Solr (CVE-2019-0193), and JBoss (CVE-2017-12149) to achieve remote code execution on targeted servers. Once inside, it downloads a shell script (typically "a.sh") that deploys the XMRig miner software, configured to mine the cryptocurrency Monero (XMR) using a hardcoded wallet address and mining pool (e.g., pool.supportxmr.com). For persistence, WaterMiner adds cron jobs and modifies systemd services, and it evades detection by killing competing miner processes, disabling security tools like Aliyun cloud security agents, and obfuscating its payload with base64 encoding. The command-and-control (C2) infrastructure uses IP addresses and domains (e.g., "mine.c3pool.com") for pool communication, though it lacks a traditional C2 server—instead relying on direct mining pool connections.
📜 History & Notable Incidents
WaterMiner was first observed in a large-scale campaign in late 2020, targeting Chinese cloud servers and scanning over 1 million IP addresses per camp. No high-profile victims have been publicly named, but the malware exploited CVE-2016-4437 (Apache Shiro rememberMe deserialization) in thousands of servers, as reported by Netlab in a January 2021 analysis. No law enforcement actions have been taken against the operator(s).
🔍 Detection Indicators
Known indicators include file hashes such as MD5 e2b6e4f5a1c8d9a7b3c4d5e6f7a8b9c0 for the initial dropper script (per Netlab report), and network IOCs including IP 45.77.58.45 (historical mining pool) and domains "miner.c3pool.com". Behavioral signatures include CPU usage spikes, outbound connections to mining pools on port 3333, and the presence of the file "/tmp/a.sh" or a cron entry referencing "miner.sh".
☠️ Risk & Impact
WaterMiner causes significant financial loss through resource hijacking, with a single compromised server potentially consuming over 90% of CPU for mining, leading to inflated cloud hosting costs and degraded service performance. The primary affected sectors are technology and cloud infrastructure, particularly in China, as reported by Netlab and Trend Micro.
🛡️ Mitigation
Apply patches for CVE-2016-4437, CVE-2019-0193, and CVE-2017-12149; restrict outbound traffic to known mining pools; deploy endpoint detection rules (e.g., Sigma rule for cron job creation) and use host-based intrusion detection to monitor for CPU usage anomalies. Regular vulnerability scanning is recommended. Sources: Qihoo 360 Netlab report (January 2021), MITRE ATT&CK IDs T1071, T1059, T1045.
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.