{
	"id": "41d833d7-1dce-47d8-94e5-b9fc8c85ee20",
	"created_at": "2026-04-06T00:16:10.566438Z",
	"updated_at": "2026-04-10T13:12:03.691467Z",
	"deleted_at": null,
	"sha1_hash": "fadcfb66383cc37809e3a948850a4696d03c69e3",
	"title": "New Pervasive Worm Exploiting Linux Exim Server Vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2111482,
	"plain_text": "New Pervasive Worm Exploiting Linux Exim Server Vulnerability\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 19:01:07 UTC\r\nRESEARCH BY: AMIT SERPER AND MARY ZHAO\r\nEXECUTIVE SUMMARY\r\nThere’s an active, ongoing campaign exploiting a widespread vulnerability in Linux email servers. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and initiate a crypto miner.\r\nCurrently, more than 3.5 million servers are at risk worldwide.\r\nThe attack scours the Internet for a vulnerability discovered last week, CVE-2019-10149, using already infected servers to spread to as many as possible.\r\nThe target of this attack, Exim servers, run almost 57% of the Internet's email servers.\r\nThe attack culminates in the downloading of a coin miner payload, which, as we have seen previously with WannaMine, can have a negative impact on any organization.\r\nThese kinds of attacks have big implications for organizations. The recovery process from this type of attack is costly and time consuming.\r\nWant to read about a similar incident? Check out our breakdown on WannaMine.\r\nSECURITY RECOMMENDATIONS\r\nPatch every Exim installation you have in your organization and make sure that it is updated to the most recent version, 4.92 at the time of this writing.\r\nLook for any unfamiliar cron jobs in your crontab and remove them. Restore legitimate cron jobs from existing backups.\r\nDelete the authorized key used for SSH backdoor access.\r\nKill the coinminer process and delete the coinminer.\r\nCheck your firewall and access logs for the following hostnames:\r\nhttps://an7kmd2wp4xo7hpr.tor2web.su\r\nhttps://an7kmd2wp4xo7hpr.tor2web.io\r\nhttps://an7kmd2wp4xo7hpr.onion.sh\r\nRe-image any compromised servers.\r\nINTRODUCTION\r\nCVE-2019-10149, which was first discovered on June 5, is now being used as the vulnerability for a widespread campaign to attack Exim servers and propagate across the Internet.\r\nhttps://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability\r\nPage 1 of 14\r\nWhen first discovered by the Qualys research team, it was dubbed “The Return of the WIZard”. Successfully exploiting this vulnerability enables both local and remote command execution as root.\r\nWe are aware of an initial wave of attacks that use this vulnerability, as described by Freddie Leeman on June 9, 2019. The first hacker group began pushing exploits from a C2 server located on the clear web.\r\nA second round of attacks by a different attacker has been analyzed by the Nocturnus team.\r\nNote: This is a very long script that downloads additional scripts and changes or adds many configurations on Linux servers. This blog has the highlights of what the script is doing to provide a fast reference guide to this attack. Some of the things that the script is doing are not documented in this blog post. The hash of the script is available at the end of this article. It has also been uploaded to VirusTotal.\r\nTHE ATTACK\r\nThe Cybereason team has discovered Monero cryptocurrency miners installed on Linux servers running vulnerable versions of Exim: aka, cryptojacking. Cryptocurrency miners are applications that use system resources without the system owner’s knowledge or consent to generate profit in the form of virtual coins.\r\nThe infection chain begins with remote command execution to download a malicious script that retrieves code from tor2web domains and uses worm capabilities to spread to other vulnerable systems.\r\nThe attackers use the victim machine to scan the Internet for other vulnerable Exim servers. Once found, the attackers will exploit the server to get remote command execution on it and download a script from a Tor hidden service through a tor2web service.\r\nBash as a child process of Exim as seen in the Cybereason platform.\r\nThe script has defined three tor2web ‘translation’ services.\r\ntor2web translation services.\r\nRhost is the hidden service address excluding the .onion Tor domain.\r\nTOR1, TOR2, and TOR3 are the ‘translation’ services that will be concatenated later on to create a URL. They will use one of the ‘translation’ services in a round-robin sort of way.\r\nThe script looks for any running crypto miners like cryptonight, ddgs, Kerberods, and nicehash. If it finds any, it terminates them.\r\nConfirming the HUP signal cannot be sent to it.\r\nNext, the script ensures the HUP signal cannot be sent to it. This ensures that even if the terminal is disconnected, the script will continue to run in the background.\r\nThe attack tree as shown by the Cybereason platform.\r\nThe script generates a random string for a file name and creates a file with that name in multiple paths.\r\nThe randomly generated string for a file name.\r\nOnce the file is created, a cron job is generated to continuously download an updated version of this ‘installation’ script, save it to the randomly generated file name, and perpetually execute it.\r\nPerpetually downloading, saving, and executing the ‘installation’ script.\r\nExisting cron jobs are subsequently deleted.\r\nDeleting existing cron jobs.\r\nThe script downloads busybox’s rm, crond, and crontab implementations.\r\nThe script downloading rm, crond, and crontab.\r\nOnce the cron jobs are added, the script adds an RSA SSH authentication key into the SSH server.\r\nThe SSH authentication key found in the public/private key authentication file.\r\nThe script configures the SSH server to accept root logins, RSA authentication, PAM and password authentication.\r\nConfiguring the SSH server to accept root logins, RSA authentication, PAM and password authentication.\r\nAfter additional housekeeping operations like deleting temporary files, changing permissions, etc., the script downloads another script from the same server entitled ‘main’.\r\nNote: If SSH is not installed on your server, the script will determine which Linux distribution is installed and install an OpenSSH server using the appropriate package management system (pacman, yum, apt-get, etc).\r\nThe ‘main’ Script\r\nNote: In its original form, main is Base64 encoded and must be decoded in order to analyze it.\r\nTo start, main determines the Linux distribution on the target machine by executing uname -a and storing its output in the local variable $ARCH. It looks for the string “alpine” in the output, and if it is present, it overwrites the local variable $Pref.\r\nOverwriting $Pref if “alpine” is in the output.\r\n$Pref is used later on to determine which kind of coinminer payload to download.\r\nThe script looks for other coin miners running in the background, or orphaned processes related to a previous infection, and if any are found, they are terminated.\r\nThe script creates a watchdog with variable $wdog0 that checks if there are any processes running and, if none are running, it downloads the main script, decodes it and executes it with a bash process.\r\nThe script creating the watchdog.\r\nThe script has a function e() which runs an inline Python script that is Base64 encoded. Once decoded and executed, the script downloads another Base64 blob that decodes into a Python script that is a port scanner and exploiter. This scanner-exploiter generates IP addresses while skipping the private IP prefixes. It connects to vulnerable Redis hosts to distribute its crypto miner through Redis in a very similar fashion to the RedisWannaMine campaign.\r\nDownloading the Coinminer\r\nSo far, we have discussed the infrastructure work of the operation to establish the coinminer. This next part revolves around downloading the coinminer.\r\nThe $Pref variable is used to determine which version of the coinminer the script should download.\r\nThe coinminer hidden using a nifty trick.\r\nIn the script, there are Windows icon (.ico) files.\r\nThe Windows icon files.\r\n1. ${Pref}64x75.ico - The 64-bit Payload\r\n2. ${Pref}32x75.ico - The 32-bit Payload\r\nIdentifying the value of the ${Pref} variable.\r\nThe value of ${Pref} can be a or r depending on the operating system version that’s detected by the script. The script uses this to determine the URL of the file to be downloaded and downloads it manually.\r\nDownloading the .ico file.\r\nThe downloaded file is a .ico file.\r\nIdentifying the file as a .ico file.\r\nThe file has the correct .ico file header of 00 00 01 00.\r\nThe hexdump of the .ico file.\r\nThe file has an actual icon of the GitHub logo.\r\nThe icon of the .ico file.\r\nThis explains why the .ico file is detected as an .ico file. In addition, there is another file header hiding further down in the .ico file at offset 4028.\r\nIdentifying the file as a zip file.\r\nThe file has a pkzip header, which means that this file, while pretending to be an icon file, is actually a zip file.\r\nWhen unzipping the file, it asks for a password.\r\nTrying to unzip the file and being asked for a password.\r\nThe password is in the script.\r\nThe password for the zip file is located in the script.\r\nConveniently, the password is “no-password”.\r\nThe contents of the zip file.\r\nThe file’s strings reveal that this is a UPX packed file.\r\nIdentifying the file as a UPX packed file.\r\nThe file’s headers show it is a UPX packed file.\r\nUnpacking the UPX.\r\nIn unpacking the UPX, it becomes clear the file is a dynamically-linked x86-64 ELF executable that is stripped of symbols. The strings section reveals that this is an XMR (Monero) coin miner.\r\nThe strings section of the unpacked UPX.\r\nOnce installed on the infected system, the coin miner makes DNS queries for a newly-registered domain that uses a TLD for the Soviet Union.\r\nDomain for DNS queries.\r\nConclusion\r\nIt is clear that the attackers went to great lengths to try to hide the intentions of their newly-created worm. They used hidden services on the Tor network to host their payloads and created deceiving Windows icon files in an attempt to throw off researchers and even system administrators who are looking at their logs.\r\nThe prevalence of vulnerable Exim servers (3,683,029 across the globe according to Shodan) allows attackers to compromise many servers in a relatively short period of time, as well as generate a nice stream of cryptocurrency revenue. We highly recommend following the security recommendations above to prevent any damage from taking place.\r\nWant to understand how to improve your defense? Read how to create a closed-loop security process with MITRE ATT\u0026CK.\r\nIOCs\r\nCoinminer:\r\nmd5: b7d96358d06e3bb12055d2e48c4b9796\r\nsha1: 0e0d47bf6d025b7936e1ed1308fff1b16ee70239\r\nLdm (script):\r\nmd5: b6bb1379b8cb85e14eb71ca8c5ba8a0d\r\nsha1: 2e89482a14591ade097d252a43d9c1804462ebe6\r\nMain (script):\r\nmd5: 4cec7074f456a0ba7ccc3e5991cce0e3\r\nsha1: d0a6f47669e07d938317ba8bf6ecb8d4fbdcfe7f\r\nDomain - C2 for coinminer:\r\ntimesync[.]su\r\nDomains - tor2web domains for updater script:\r\nAn7kmd2wp4xo7hpr.tor2web.su\r\nAn7kmd2wp4xo7hpr.tor2web.io\r\nan7kmd2wp4xo7hpr.onion.sh\r\nSource: https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability"
	],
	"report_names": [
		"new-pervasive-worm-exploiting-linux-exim-server-vulnerability"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434570,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fadcfb66383cc37809e3a948850a4696d03c69e3.pdf",
		"text": "https://archive.orkl.eu/fadcfb66383cc37809e3a948850a4696d03c69e3.txt",
		"img": "https://archive.orkl.eu/fadcfb66383cc37809e3a948850a4696d03c69e3.jpg"
	}
}