What is Frankenstein, and why is it a threat?
Recently, a new type of cryptojacking threat was identified on Pastebin, named “Frankenstein” due to its peculiar composition: a “monster code” created by copying and pasting scripts and functions with little cohesion. Despite its lack of sophistication, this threat has become an effective method to mine cryptocurrencies without users’ consent, endangering both personal and corporate systems.
How does the cryptojacker work? The story of two scripts
The Frankenstein malware operates through two key scripts that collaborate to deploy XMRig, a well-known cryptocurrency miner:
- mr.sh: This script is messy and unprofessional, filled with redundancies, repeated lines of code, and even typos. Its goal is clear: to eliminate any competing processes on the machine, ensuring exclusive use of its resources.
- 2mr.sh: In stark contrast to mr.sh, this script is more professional, featuring clear and organized logic. This file installs XMRig and a library named 1.so, designed to hide the mining process from the system.
The code’s origin: Different authors?
The quality disparity between the two scripts suggests that 2mr.sh was created by a more skilled group, while mr.sh appears to have been modified and extended using fragments of code copied from various online sources. This “copy-paste” approach highlights that expertise is not always necessary to create a functional threat.
Cybersecurity lessons: Simplicity that comes at a cost
This case illustrates that not all cyberattacks are complex or highly developed. Often, cybercriminals rely on basic tools and on the inadequate security measures of the systems they target. The emergence of this “Frankenstein” malware underscores the importance of solid cybersecurity practices, such as detecting anomalous processes and restricting permissions, particularly in Linux environments, where this malware disguises itself.
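As an added defender-side example (not code from the scripts analysed here), the following Python check targets the behaviour described above: a library that hides the mining process from the system. It assumes the library is preloaded into dynamically linked tools and filters what readdir() returns, which the article does not state; the two checks, a non-standard entry in /etc/ld.so.preload and PIDs reachable by path under /proc but absent from a directory listing, do not rely on the functions such a hook would alter.

```python
"""Check for a miner hidden from process listings (added example).
Assumes the hiding library is preloaded into dynamically linked tools and
filters readdir() results, the way ps and top enumerate /proc; the article
does not say how 1.so hides the miner."""
import os

SYSTEM_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

def suspicious_preload_entries(preload_text):
    """Preload entries (whitespace-separated paths) outside standard library dirs."""
    paths = [os.path.normpath(p) for p in preload_text.split()]
    return [p for p in paths if not p.startswith(SYSTEM_LIB_DIRS)]

def listed_pids(proc="/proc"):
    """PIDs as readdir() reports them; a preload hook can filter this list."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probed_pids(pid_max, proc="/proc", exists=os.path.exists):
    """PIDs found by asking for /proc/<pid> by path, bypassing readdir() hooks."""
    return {pid for pid in range(1, pid_max + 1) if exists(f"{proc}/{pid}")}

def hidden_pids(listed, probed):
    """PIDs that exist under /proc but were omitted from the listing."""
    return sorted(probed - listed)

def main():
    try:
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    except OSError:
        preload = ""  # the file is absent on a clean system
    for entry in suspicious_preload_entries(preload):
        print(f"[!] non-standard preload library: {entry}")
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    # List before and after the probe so a process that starts or exits
    # during the scan is not reported as hidden.
    listed = listed_pids()
    probed = probed_pids(pid_max)
    listed |= listed_pids()
    for pid in hidden_pids(listed, probed):
        print(f"[!] PID {pid} is present under /proc but hidden from listings")

if __name__ == "__main__":
    main()
```

Any PID it reports, together with a flagged preload entry, is the starting point for the process inspection the lessons above call for; the probe over the full PID range takes a few seconds on a default pid_max.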
Conclusion: A simple yet lethal threat
The Frankenstein cryptojacking case demonstrates that even attacks with “monster code” can achieve their goal. While the cybercriminals behind this threat may lack expertise, their ability to quickly assemble code and exploit online resources underscores the need to remain vigilant against all potential threats, no matter how simple they may seem.