Attackers Conducting Cryptojacking Operation Against U.S. Education Organizations

released on 2021-04-12 @ 03:47:28 AM
Recently, Unit 42 researchers spotted a UPX-packed cpuminer being delivered in malicious traffic. While the malicious traffic appears at first sight to be an exploit, the malicious request also contains evidence of a backdoor, suggesting a backdoor is already running on the compromised host. Upon receipt of the requested payload, the backdoor proceeds to download a cpuminer variant and carry out its cryptojacking operation. In addition to a brief analysis and comparison of the backdoor command traffic from three incidents against education organizations in Washington State, this blog includes a general examination of the mini shell and cpuminer payloads downloaded by the backdoor webshell.