{"id":44252,"date":"2021-12-03T00:00:00","date_gmt":"2021-12-03T00:00:00","guid":{"rendered":"urn:uuid:5ca58cd1-e3b4-64be-f85d-4390816f27e7"},"modified":"2021-12-03T00:00:00","modified_gmt":"2021-12-03T00:00:00","slug":"vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/","title":{"rendered":"Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/cover-vulnerabilities-exploited-monero-mining-malware-delivered-github-netlify-650.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.293474160694\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div 
class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1169890214\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"7.7677419354839\">\n<div class=\"article-details\" role=\"heading\" readability=\"34.954838709677\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__description\">We looked into exploitation attempts we observed in the wild and the abuse of the legitimate platforms Netlify and GitHub as repositories for malware.<\/p>\n<p class=\"article-details__author-by\">By: Nitesh Surana <time class=\"article-details__date\">December 03, 2021<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"42.412371134021\">\n<div readability=\"37.699885452463\">\n<p>Earlier this year, a security flaw identified as <a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-41773\">CVE-2021-41773<\/a> was <a href=\"https:\/\/httpd.apache.org\/security\/vulnerabilities_24.html#CVE-2021-41773\">disclosed<\/a> to the Apache HTTP Server Project: a path traversal and remote code execution (RCE) flaw in Apache HTTP Server 2.4.49. When exploited, it allows attackers to map URLs to files outside the directories configured by Alias-like directives. In configurations where Common Gateway Interface (CGI) scripts are enabled for those aliased paths, attackers can also use it for RCE. 
Because the initial fix was deemed insufficient, a bypass of it was later <a href=\"https:\/\/httpd.apache.org\/security\/vulnerabilities_24.html#CVE-2021-42013\">reported<\/a> and tracked as <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-42013\">CVE-2021-42013<\/a>.<\/p>\n<p>Official fixes have been <a href=\"https:\/\/httpd.apache.org\/download.cgi#:~:text=Apache%20HTTP%20Server%202.4.51\">rolled out<\/a> by the Apache HTTP Server Project. However, when we looked at the malicious samples abusing this vulnerability, we found exploits for vulnerabilities in several other products and packages being abused as well, all for malicious Monero mining. In this blog, we look into the abuse of GitHub and Netlify repositories and platforms for hosting cryptocurrency-mining tools and scripts. We have already informed GitHub and Netlify of the malicious activities, and they have taken down the accounts.<\/p>\n<p><span class=\"body-subhead-title\">Technical details<\/span><\/p>\n<p>Through samples caught in our honeypots, we observed attackers exploiting security vulnerabilities disclosed in 2020 and 2021 in the following products and package for malicious cryptocurrency mining:<\/p>\n<ol>\n<li>Atlassian Confluence (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-26084\">CVE-2021-26084<\/a> and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-26085\">CVE-2021-26085<\/a>)<\/li>\n<li>F5 BIG-IP (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2020-5902\">CVE-2020-5902<\/a> and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-22986\">CVE-2021-22986<\/a>)<\/li>\n<li>VMware vCenter (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-22005\">CVE-2021-22005<\/a>, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-21985\">CVE-2021-21985<\/a>, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-21972\">CVE-2021-21972<\/a>, and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-21973\">CVE-2021-21973<\/a>)<\/li>\n<li>Oracle WebLogic Server (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2020-14882\">CVE-2020-14882<\/a>, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2020-14750\">CVE-2020-14750<\/a>, and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2020-14883\">CVE-2020-14883<\/a>)<\/li>\n<li>Apache HTTP Server (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-40438\">CVE-2021-40438<\/a>, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-41773\">CVE-2021-41773<\/a>, and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-42013\">CVE-2021-42013<\/a>)<\/li>\n<\/ol>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure1-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure1-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 1. Exploits attempting to abuse servers for malicious cryptocurrency mining from October 19 to November 19, 2021. 
Data taken from Trend Micro Cloud One\u2122 \u2013 Workload Security.<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"28.754237288136\">\n<div readability=\"8.8474576271186\">\n<p>We found it interesting that all the products and the particular package have had widely distributed <a href=\"https:\/\/github.com\/Al1ex\/CVE-2021-22986\">public<\/a> <a href=\"https:\/\/gist.github.com\/testanull\/5bb925179c4695e51ca400b7370bc252\">proofs of concept<\/a> for <a href=\"https:\/\/www.exploit-db.com\/exploits\/49479\">pre-auth<\/a> <a href=\"https:\/\/packetstormsecurity.com\/files\/164013\/Confluence-Server-7.12.4-OGNL-Injection-Remote-Code-Execution.html\">RCE<\/a>. Looking at the Monero wallet from one such mining pool, we saw that the operation is still ongoing and actively accumulating Monero as of this writing.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure2-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure2-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 2. 
Cryptocurrency-mining pool <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p><span class=\"body-subhead-title\">Services abused: Targeting Windows hosts<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure3-infection-chain-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure3-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 3. Infection chain<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.739130434783\">\n<div readability=\"20.855835240275\">\n<p>The miner samples we found work on and abuse both Windows and Linux platforms. While the exploits used differ according to the infrastructure targeted, the batch scripts we identified work on both. We saw Netlify and GitHub being used as the malware file servers from which the batch scripts are downloaded, hosted on an attacker-controlled account. The batch script is renamed as a temporary file and deleted after it starts running in the background.<\/p>\n<p>The scripts (c3.bat) are a modified version of the Monero-mining helper scripts abridged from <a href=\"https:\/\/github.com\/C3Pool\">GitHub<\/a>. They begin by checking whether the current session has administrative privileges; if it does, the ADMIN flags are set. Afterward, the length of the Monero wallet address is calculated. If the length is not 106 or 95 characters, the script exits. If it is, execution jumps to the \u201cWALLET_LEN_OK\u201d label.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure4-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure4-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 4. The batch scripts observed are modified versions of helper scripts abridged from GitHub.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure5-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure5-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 5. 
Checks for administrative privileges and \u201cXMR WALLET\u201d flag to calculate address length<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>The script further conducts a series of checks on the system, such as whether the USERPROFILE environment variable is defined and whether utilities like wmic, powershell, find, findstr, and tasklist are available.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure6-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure6-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 6. Checking the system for availability of environment variable and utilities<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure7-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure7-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 7. Getting the results for utilities\u2019 availability in the system<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>The wmic utility is then used to enumerate specific system parameters, such as the number of processors, maximum clock speed, L2 and L3 cache sizes, and CPU sockets. These values are later used to calculate the Monero mining rate of the Windows host. 
For different mining rates, different ports are used on the mining pool.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure8-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure8-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 8. Enumerating the system\u2019s parameters to determine cryptocurrency mining rate<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>After identifying the CPU\u2019s computing power, the running c3pool_miner is removed from the host. The zipped miner (c3.zip) is then downloaded from the attacker-controlled GitHub repository and PowerShell is used to unzip the downloaded file. If the unzip attempt fails, 7z is downloaded to extract the zipped file, and both the downloaded files (7za.exe and c3.zip) are deleted after.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure9-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure9-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 9. Removing traces of the downloaded files after extraction<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The script also goes on to install the latest version of XMRig for Windows from the official repository. After unzipping the downloaded file, the 7z binary and XMRig ZIP files are removed. 
Once the miner is successfully installed, the config files are modified using PowerShell.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure10-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure10-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 10. Installing the latest XMR version in the system<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure11-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure11-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 11. Configuring and modifying the installed miner<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>If the miner is already running (c3.exe), the execution jumps to an ALREADY_RUNNING label. If not, the miner is executed using the \u201cstart\u201d command in the IDLE priority class. If the current user has administrative privileges, then execution jumps to the label ADMIN_MINER_SETUP. If not, persistence is added by modifying the Startup directory with the batch scripts to execute c3pool XMR miner with the configuration file. 
<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure12-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure12-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 12. Configuring the miner\u2019s admin privileges and persistence<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.934782608696\">\n<div readability=\"9.8260869565217\">\n<p>A service is created from the c3cache_worker using the Non-Sucking Service Manager (<a href=\"https:\/\/nssm.cc\/\">NSSM<\/a>). NSSM is a service helper program that helps install applications as services, and with it a user can specify logging to user-defined files.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure13-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure13-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 13. 
Using NSSM to constantly run the miner as a background application in the infected system<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><span class=\"body-subhead-title\">Targeting Linux hosts<\/span><br \/>The shell script starts with an infinite loop that removes all competing cryptominers found on the infected system, such as kinsing, kdevtmpfsi, pty86, and .javae.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure14-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure14-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 14. Removing all the cryptocurrency-mining competitors and their components found in the infected system in a loop<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.5\">\n<div readability=\"24\">\n<p>After all the competing miners are wiped out, the immutable attribute is set on \/var\/spool\/cron\/root and crontab is reloaded. Then, any processes other than java, redis, weblogic, mongod, mysql, oracle, tomcat, grep, postgres, confluence, awk, and aux that are consuming more than 60% of CPU are terminated.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure15-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure15-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 15. Stopping all other processes except those necessary for running a miner in the system<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>A function, \u201cfunc1\u201d (redacted), is then called, and the loop repeats every 30 seconds.<\/p>\n<p>We observed two content delivery networks (CDNs), those of GitHub and Netlify, being used as the FILE_CC_SERVER. In <i>func1<\/i>, the script checks for a process named \u201cjava.xnk\u201d; if its CPU usage is at or above 60%, its process ID is stored in a variable \u201cp\u201d. If the variable is empty, the process is killed and three directories are created, namely:<\/p>\n<ul>\n<li>a. \/var\/tmp\/java.xnk<\/li>\n<li>b. \/var\/lock\/java.xnk<\/li>\n<li>c. \/tmp\/java.xnk<\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure16-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure16-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 16. The variable DIR contains the value of the valid TMP directory that was created.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>Different paths for the \u201cwget\u201d and \u201ccurl\u201d binaries are checked for, and a valid one is assigned to the variable Wget. The script then checks for a file \u201cjava.xnk.bionic\u201d in the path \u201c$DIR\u201d. If the file doesn\u2019t exist, the valid Wget command is used to download and copy the file named \u201cbionic\u201d (a Monero miner) and \u201cconfig.json,\u201d which contains the Monero wallet address. 
Executable permissions are assigned to the downloaded binary, and the binary is executed via nohup.<\/p>\n<p>The process is then repeated with the following binaries, each downloaded and executed in place of the file \u201cbionic\u201d:<\/p>\n<ol>\n<li>focal as java.xnk.focal<\/li>\n<li>freebsd as java.xnk.freebsd<\/li>\n<li>linuxstatic as java.xnk.linux<\/li>\n<li>xenial as java.xnk.xenial<\/li>\n<li>xmr-stak as java.xnk.stak<\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/figure17-vulnerabilities-abused-for-monero-mining-github-netlify.png\" alt=\"figure17-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\"><figcaption>Figure 17. Assigning binaries to Wget and executable permissions<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"49.05311778291\">\n<div readability=\"43.602771362587\">\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>Based on the frequency of attempts against the targeted products and package in the past month, we believe many servers remain unpatched and exposed to these exploits. More importantly, malicious actors will continue targeting these products and package for intrusion because of the availability of the proofs of concept and the high likelihood that these servers have yet to be patched. Moreover, because Linux and Windows are both widely used and all the miners identified here work on both, illicit cryptocurrency mining remains a lucrative business given the high volume of systems that can be targeted.<\/p>\n<p>The abuse of legitimate platforms such as GitHub and Netlify will continue because the traffic is encrypted over HTTPS. Even if the targeted machines have intrusion detection and prevention solutions (IDS\/IPS) in place, network artifacts will not contribute to detection. Moreover, IP reputation services will not flag these platforms as malicious because they are legitimate sources of programs for many organizations. The CDNs of both platforms also make setting up an operation easy and convenient, and they provide availability and speed, giving malicious actors a wide and fast malware infection capability regardless of a victim\u2019s location. These two advantages of CDNs will likely shape the behavior of malicious actors who abuse <a href=\"https:\/\/threatpost.com\/cryptocurrency-mining-malware-hosted-in-amazon-s3-bucket\/127643\/\">these platforms<\/a> for infection, even for routines and attacks unrelated to cryptocurrency mining.<\/p>\n<p>From another perspective, the malicious actors targeting these devices can appear almost unsophisticated considering their use of public proofs of concept for attacks. The actors also operate on a regular basis and target as many machines as they can, given that they continue operating and receiving cryptocurrency in their respective wallets despite the suspension of their GitHub and Netlify accounts.<\/p>\n<p><span class=\"body-subhead-title\">Trend Micro solutions<\/span><\/p>\n<p>Enterprises should consider using security solutions such as the&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/cloud-migration-security.html\">Trend Micro Cloud One\u2122<\/a>&nbsp;platform, which protects cloud-native systems by securing continuous integration and continuous delivery (CI\/CD) pipelines and applications. The platform includes:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><\/span>Workload Security: runtime protection for workloads. 
Trend Micro Cloud One clients are protected from this threat under these rules:<\/li>\n<\/ul>\n<p><b>Intrusion Prevention Rules<\/b><\/p>\n<ol>\n<li>1011171 &#8211; Apache HTTP Server Directory Traversal Vulnerability (CVE-2021-41773 and CVE-2021-42013)<\/li>\n<li>1011183 &#8211; Apache HTTP Server Server-Side Request Forgery Vulnerability (CVE-2021-40438)<\/li>\n<li>1011117 &#8211; Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2021-26084)<\/li>\n<li>1011177 &#8211; Atlassian Confluence Server Arbitrary File Read Vulnerability (CVE-2021-26085)<\/li>\n<li>1010850 &#8211; VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972 and CVE-2021-21973)<\/li>\n<li>1010983 &#8211; VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21985)<\/li>\n<li>1011167 &#8211; VMware vCenter Server File Upload Vulnerability (CVE-2021-22005)<\/li>\n<li>1005934 &#8211; Identified Suspicious Command Injection Attack<\/li>\n<li>1005933 &#8211; Identified Directory Traversal Sequence In Uri Query Parameter<\/li>\n<li>1010388 &#8211; F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)<\/li>\n<li>1010590 &#8211; Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883)<\/li>\n<li>1011212 &#8211; F5 BIG-IP and BIG-IQ iControl REST Authentication Bypass Vulnerability (CVE-2021-22986)<\/li>\n<\/ol>\n<p><b>Log Inspection Rules<\/b><\/p>\n<ol>\n<li>1003447 \u2013 Web Server \u2013 Apache<\/li>\n<\/ol>\n<p><b>Integrity Monitoring Rules<\/b><\/p>\n<ol>\n<li>1002851 &#8211; Application &#8211; Apache HTTP Server<\/li>\n<\/ol>\n<ul>\n<li><span class=\"rte-red-bullet\"><\/span>Network Security: cloud network layer intrusion prevention system (IPS) security. Trend Micro Cloud One clients are protected from this threat under these rules:<\/li>\n<\/ul>\n<ol>\n<li>1125: HTTP: ..\/.. 
Directory Traversal<\/li>\n<li>40260: HTTP: Atlassian Confluence Server and Data Center OGNL Injection Vulnerability<\/li>\n<li>40417: HTTP: Atlassian Confluence Server S Endpoint Information Disclosure Vulnerability<\/li>\n<li>39077: TCP: VMware vSphere Client vropspluginui Code Execution Vulnerability<\/li>\n<li>39923: HTTP: VMware vCenter Server Remote Code Execution Vulnerability<\/li>\n<li>40382: HTTP: VMware vCenter AsyncTelemetryController Arbitrary File Write Vulnerability<\/li>\n<li>40361: HTTP: VMware vCenter Analytics service File Upload<\/li>\n<li>39352: HTTP: F5 BIG-IP iControl REST Interface Login Request<\/li>\n<li>39364: HTTP: F5 BIG-IP bash Suspicious Command Execution Request<\/li>\n<li>39313: HTTP: F5 BIG-IP TMM Buffer Overflow Vulnerability<\/li>\n<li>22087: HTTPS: F5 iControl iCall Script Privilege Escalation Vulnerability<\/li>\n<li>37841: HTTP: F5 BIG-IP TMUI Code Execution Vulnerability<\/li>\n<li>39360: HTTP: F5 BIG-IP iControl REST filePath Command Injection Vulnerability<\/li>\n<li>38380: HTTP: Oracle WebLogic Server Remote Code Execution Vulnerability<\/li>\n<\/ol>\n<p><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/p>\n<p>View the full list of IOCs <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/IOCs-vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify.txt\">here<\/a>.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<\/p>\n<p> <\/body> Read More <a 
href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-gitHub-netlify.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We looked into exploitation attempts we observed in the wild and the abuse of legitimate platforms Netlify and GitHub as repositories for malware. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":44253,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9521,9511,9508,9555,9513],"class_list":["post-44252","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-malware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-03T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/cover-vulnerabilities-exploited-monero-mining-malware-delivered-github-netlify-650.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify\",\"datePublished\":\"2021-12-03T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\\\/\"},\"wordCount\":1990,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Exploits&amp;Vulnerabilities\",\"Trend Micro Research : 
Malware\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\\\/\",\"name\":\"Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify.png\",\"datePublished\":\"2021-12-03T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/12\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify.png\",\"width\":2105,\"height\":1250},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 
CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f1
93e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/","og_locale":"en_US","og_type":"article","og_title":"Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-12-03T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/l\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/cover-vulnerabilities-exploited-monero-mining-malware-delivered-github-netlify-650.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify","datePublished":"2021-12-03T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/"},"wordCount":1990,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify.png","keywords":["Trend Micro Research : 
Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : Exploits&amp;Vulnerabilities","Trend Micro Research : Malware"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/","url":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/","name":"Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify.png","datePublished":"2021-12-03T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/12\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify.png","width":2105,"height":1250},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/vulnerabilities-exploited-for-monero-mining-malware-delivered-via-github-netlify\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat 
IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44252","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=44252"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/44252\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/44253"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=44252"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=44252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=44252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}