While analyzing this script which downloads and executes the cryptominer, F5 researchers found that the code is sophisticated, well obfuscated, and long—about 200 lines versus the typical 20 or so lines. The authors clearly put a lot of time and attention into every step, from developing the malware dropper to creating the executable JAR file and finally, executing the remote code execution (RCE) in order to install the cryptominer. Notably this script was written in bash and python; it is not compiled code. Though leveraging the Groovy plugin metaprogramming in order to exploit Jenkins Dynamic routing is common, the method the author uses is somewhat unique.

When a cryptominer is installed, it uses valuable computational resources in order to mine different cryptocurrencies. While some miners are set to only run when a computer is in a “low power” state (or when you’re not using it), they often run all the time. Along with rising electric bills, this means your computer would be running at full speed all the time. This can cause heat damage to hardware and slower performance for applications. If applications aren’t properly saving due to space constraints or backing up fully due to the cryptominer running, there can also be data loss. For both enterprises and individuals, this can be costly; the attacker is the only one who profits.

The Payload

After initial infection through the Jenkins vulnerability, the JAR file executes bash commands on the victim’s system.