Cryptomining Botnet Targets Unpatched Vulnerabilities in Cloud Servers

Attackers often keep upgrading their tools to scan for and infect new devices by exploiting unpatched vulnerabilities. Recently, the z0Miner cryptomining malware was spotted probing cloud servers by exploiting a new set of unpatched vulnerabilities.

z0Miner active campaign

Qihoo 360 Netlab researchers have observed z0Miner’s active hunting against vulnerabilities addressed in 2015 and earlier in ElasticSearch and Jenkins servers.

  • The botnet was using exploits targeting an ElasticSearch RCE vulnerability (CVE-2015-1427) and an older RCE impacting Jenkins servers.
  • After compromising a server, the malware will first download a malicious shell script and sets up a new cron entry to periodically grab and execute malicious scripts from Pastebin.
  • Further, the botnet downloads a mining kit containing an XMRig miner script (java.exe), a config file (config.json), and a starter script ( It starts to mine for Monero (XMR) cryptocurrency in the background.

Earlier campaigns

Since its emergence last year, z0Miner has been observed gaining persistence via crontab and mining for Monero cryptocurrency.

  • According to the Tencent Security Team, z0Miner was actively exploiting two Weblogic pre-auth RCE bugs tracked as CVE-2020-14882 and CVE-2020-14883 to spread to other devices.
  • In addition, the botnet was spreading laterally on the network of already compromised devices via SSH.
  • It has already compromised thousands of devices using recently identified similar attack logic.


z0Miner’s recent campaign demonstrates how vulnerabilities identified years ago, if not patched, can be used by cybercriminals for making a profit. Therefore, it becomes important for organizations to keep all their systems and applications updated with the latest patches to avoid such threats.


Next Post

Cryptocurrency Platforms Witness Another Round of Cyber Threats

Sat Mar 13 , 2021
Since the recent boom in the prices of cryptocurrencies, cybercriminals are continuously targeting cryptocurrency platforms and exchanges, using a wide variety of attack tactics. Bitdefender Antispam Lab researchers have discovered an ongoing phishing campaign targeting Coinbase platform users in an attempt to steal their account credentials and drain their cryptocurrency […]