Cryptominer Malware Removal

Eradication and Restoration

Quick Resolution of Cryptominer Malware from Client's Systems

When our client noticed alerts about slightly higher CPU usage on their server, they didn't think much of it but wisely asked us to check. This was the ideal response: because they were aware and acted early, we were able to find and resolve the issue quickly.

Luckily we had prepared them in advance with a good backup and anti-ransomware regime, so even though the attack was unfortunate they were able to recover without major impact.

Sitrep

Indicators of Compromise

Massive Server Spikes

The client was alarmed when server usage increased dramatically in a short period of time across CPU, disk space and network, with increases of over 199%.

Unexpected Users

The web server did not normally have multiple user accounts, but new accounts were found to have been created.

Unrecognized Running Scripts

On inspection, unknown scripts of uncertain origin were found running on the server. These were later identified as an xmrig cryptominer mining Monero on the client's server.

Potential Errors in Backup Regime

Though the client had a strong backup regime, there were apparent issues and potential conflicts in the backups that might have been caused by the malicious actors attempting to prevent eradication.

AT THE HORIZON

Challenges

Persistent Malware

Even when removed, the malware was very persistent and pernicious in its capacity to reinstall itself and evade eradication.

Unmaintained and Unpatched Server

An issue overall was that the particular server, though in use, had been neglected somewhat in its maintenance, patching and updating.

Vulnerability Management

A main takeaway challenge and area for improvement is maintaining better scanning and monitoring for vulnerabilities in the software and services on the server.

Quick Action

SEIRIM Team Deployed Best Practice Steps to Eliminate the Malware and Recover the Services

SEIRIM followed the incident response plan protocols to properly identify, contain, eradicate and recover from the malware. Careful steps were taken to thoroughly ensure the threat had actually been removed, as there were clear indications that the malware had a propensity to return.

Identification of the Malware

The tool 'htop' was used to identify the process that was consuming CPU and causing the high usage. The cause was the process /root/c3pool/xmrig --config=/root/c3pool/config.json.

xmrig is an open-source cryptocurrency miner primarily developed for mining Monero, although it supports other coins. Written in C and C++, the source code of this miner is publicly available. It is a legitimate piece of software that threat actors unfortunately abuse. Official documentation for xmrig: https://xmrig.com/docs/miner

Containment of the Malware

SEIRIM immediately took the web server offline, terminated its services and quarantined the server from the rest of the network and the client's other assets. Outgoing connections were disabled and all account access credentials were changed.

While stopping the cryptominer, it was found that the process above could not be killed manually or directly. Running the command systemctl list-unit-files | grep enabled then revealed a c3pool_miner.service registered as an enabled system service and running in the background. This service was then stopped.
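The systemctl check described above can be turned into a repeatable triage step. The script below is an added example, not SEIRIM's tooling or anything from the original write-up: it scans a directory of .service unit files and flags units whose ExecStart runs from a home or temporary directory, or that reference a known miner name. The unit files it scans are constructed samples (the content of c3pool_miner.service is an assumption modelled on the command line reported above); on a real host you would point scan_units at /etc/systemd/system.

```shell
#!/bin/sh
# Added example: triage systemd unit files for miner-style persistence.
# Not SEIRIM's tooling; the sample units below are constructed for this example.

# Heuristic 1: a service whose ExecStart lives in a home or temp directory.
SUSPICIOUS_PATH='^ExecStart=.*(/root/|/home/|/tmp/|/var/tmp/|/dev/shm/)'
# Heuristic 2: the unit mentions a known miner binary or pool name.
SUSPICIOUS_NAME='xmrig|c3pool|minerd'

# scan_units DIR
# Prints "<unit> <reason>" for each flagged .service file in DIR and nothing
# when the directory looks clean. Always returns 0 so callers can capture the
# output under 'set -e'.
scan_units() {
    dir=$1
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        name=$(basename "$unit")
        if grep -Eq "$SUSPICIOUS_PATH" "$unit"; then
            echo "$name exec-from-home-or-temp-dir"
        elif grep -Eiq "$SUSPICIOUS_NAME" "$unit"; then
            echo "$name known-miner-name"
        fi
    done
    return 0
}

# build_sample_units
# Writes two constructed unit files into a temporary directory and prints its
# path: one modelled on the miner service found during the incident (assumed
# content), and one ordinary web server unit that must not be flagged.
build_sample_units() {
    dir=$(mktemp -d)
    cat > "$dir/c3pool_miner.service" <<'EOF'
[Unit]
Description=c3pool_miner

[Service]
ExecStart=/root/c3pool/xmrig --config=/root/c3pool/config.json
Restart=always

[Install]
WantedBy=multi-user.target
EOF
    cat > "$dir/nginx.service" <<'EOF'
[Unit]
Description=A high performance web server

[Service]
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'

[Install]
WantedBy=multi-user.target
EOF
    echo "$dir"
}

# Stand-alone run: scan the constructed samples and print the flagged units.
SAMPLE_UNITS=$(build_sample_units)
scan_units "$SAMPLE_UNITS"
```

On a live host, stop and disable a flagged unit (systemctl disable --now) before killing its process: when the unit carries a Restart= directive, killing the process first only makes systemd respawn it, which is the behaviour the team ran into. Preserve a copy of the unit file and the binary it points to for the investigation before removing them.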

Investigating Vector of the Infection

Checking the SSH login records on the server, evidence was found that it had been breached via a brute-force attack against the SSH service.

A remedy applied in the hardening phase was to change the policy and port of the SSH service to prevent further brute-force attacks, and to reset the passwords/credentials of the root and normal user accounts.
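Both the log review that found the brute-force entry and the hardening check that followed can be scripted. The block below is an added example, not SEIRIM's procedure or tooling: brute_force_successes reports source IPs that logged many failed passwords and then an accepted login (the pattern behind a successful brute force), and sshd_weak_settings reports the sshd_config directives that leave password guessing open. The auth log lines and sshd_config are constructed samples using documentation IP ranges, and FAILED_THRESHOLD is an arbitrary value chosen for the example.

```shell
#!/bin/sh
# Added example: find SSH brute-force attempts that ended in a successful login,
# then report sshd_config settings that leave password guessing open.
# Not SEIRIM's tooling; the log lines and config below are constructed.

FAILED_THRESHOLD=5   # assumption for this example; tune to the host's baseline

# brute_force_successes LOGFILE
# For each source IP with at least FAILED_THRESHOLD "Failed password" lines,
# print "<ip> <failures>" if that IP also has an "Accepted" login in the log.
brute_force_successes() {
    log=$1
    grep -E 'sshd\[[0-9]+\]: Failed password for' "$log" \
        | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
        | sort | uniq -c \
        | while read -r count ip; do
            [ "$count" -ge "$FAILED_THRESHOLD" ] || continue
            if grep -Eq "sshd\[[0-9]+\]: Accepted [a-z]+ for .* from $ip port" "$log"; then
                echo "$ip $count"
            fi
        done
    return 0
}

# sshd_weak_settings CONFIG
# Print one line per directive that keeps remote root login or password
# authentication enabled. Prints nothing for a hardened config.
sshd_weak_settings() {
    cfg=$1
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$cfg" \
        && echo "PermitRootLogin yes (set to no or prohibit-password)"
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$cfg" \
        && echo "PasswordAuthentication yes (set to no and use keys)"
    return 0
}

# Constructed sample data (documentation IP ranges, not real hosts).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LOG="$SAMPLE_DIR/auth.log"
SAMPLE_CFG="$SAMPLE_DIR/sshd_config"
cat > "$SAMPLE_LOG" <<'EOF'
Dec  4 02:11:01 web sshd[1201]: Failed password for root from 203.0.113.77 port 51234 ssh2
Dec  4 02:11:02 web sshd[1202]: Failed password for root from 203.0.113.77 port 51235 ssh2
Dec  4 02:11:03 web sshd[1203]: Failed password for root from 203.0.113.77 port 51236 ssh2
Dec  4 02:11:04 web sshd[1204]: Failed password for root from 203.0.113.77 port 51237 ssh2
Dec  4 02:11:05 web sshd[1205]: Failed password for root from 203.0.113.77 port 51238 ssh2
Dec  4 02:11:09 web sshd[1209]: Accepted password for root from 203.0.113.77 port 51240 ssh2
Dec  4 08:30:00 web sshd[1300]: Failed password for admin from 198.51.100.9 port 40001 ssh2
Dec  4 09:00:00 web sshd[1310]: Accepted publickey for admin from 192.0.2.10 port 40002 ssh2
EOF
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
EOF

# Stand-alone run against the samples.
brute_force_successes "$SAMPLE_LOG"
sshd_weak_settings "$SAMPLE_CFG"
```

Against the sample log only 203.0.113.77 is reported: it has five failures followed by an accepted password login, while the single failure from 198.51.100.9 stays below the threshold and the key-based login from 192.0.2.10 had no failures at all. Moving the SSH port, as was done here, reduces the noise from automated scanners, but disabling password authentication and root login is what actually removes the brute-force path.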

Determine Vulnerability Enabling Issue

The server and services had been running for a long time without enough maintenance or observation. The software itself was running fine, but new vulnerabilities had been discovered in the wild: CVE-2025-66478 (Next.js) and CVE-2025-55182 (React).

Many servers deploying Next.js have been attacked, and now also our client's project, which was developed on the Next.js 15.5.3 framework with React 19.1.0.

Maximum Severity CVSS 10.0

The critical vulnerability was identified in the React Server Components (RSC) protocol. The issue is rated CVSS 10.0 and can allow remote code execution when processing attacker-controlled requests in unpatched environments.

An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server.

Upgrade and Patching of all Assets

For the current project, based on Next.js 15.5.3, the version had to be upgraded to the latest release according to the official docs. Offline backups were tested for the presence of malware; once found to be clean, they were upgraded, patched and used to restore the services.

Some issues regarding versioning were encountered, but they were solved after some time and the backup process was improved. After deployment, multiple rounds of re-scanning and testing were carried out to confirm a clean resolution.

Imagery

Activity Records

Showing XMRig
Updating and Patching
High CPU - Network Usage Alert Email
CPU - Network - Disk Usages Spike
CVE Description
Showing Cryptominer 2
Disable Cryptominer
Cryptominer Restarts - Reinstalls itself
Test and Check Users
CVE Info
Debugging React