Anyone using VMware Workspace ONE Access? Check that you are running a version patched against CVE-2022-22954. Otherwise you may be mining Monero for someone else.
Researchers at cybersecurity company Fortinet observed that in the newest campaigns the threat actors deployed the Mirai botnet for distributed denial-of-service (DDoS) attacks, the GuardMiner cryptocurrency miner, and the RAR1Ransom tool.
One interesting case is a pair of Bash and PowerShell scripts targeting Linux and Windows systems. The scripts fetch a list of files to launch on the compromised machine.
The PowerShell script ("init.ps1") downloads the following files from a Cloudflare IPFS gateway:
phpupdate.exe: XMRig Monero mining software
config.json: configuration file for the mining pools
networkmanager.exe: executable used to scan for and spread the infection to other hosts
phpguard.exe: watchdog executable that keeps the XMRig miner running
clean.bat: script that removes competing cryptominers from the compromised host
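As an added example (not from the post or from Fortinet's report), a small Python hunting script that flags hosts whose endpoint log lines show the dropped-file names listed above or a fetch from the Cloudflare IPFS gateway. The key=value log format, the host names and the cloudflare-ipfs.com gateway host are assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict

# File names taken from the post. "config.json" alone is far too common to alert on,
# so it only counts once another indicator has been seen on the same host.
DROPPED_FILES = {"init.ps1", "phpupdate.exe", "networkmanager.exe", "phpguard.exe", "clean.bat"}
WEAK_FILES = {"config.json"}
# Assumption: the "Cloudflare IPFS gateway" is the public cloudflare-ipfs.com host.
IPFS_GATEWAY_RE = re.compile(r"https?://cloudflare-ipfs\.com/ipfs/\S+", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one constructed key=value log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def basename(path):
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def hunt(lines):
    """Return {host: sorted indicators} for hosts showing the dropper's artifacts."""
    strong, weak = defaultdict(set), defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        for field in ("image", "target"):          # process image or created file
            name = basename(ev.get(field, ""))
            if name in DROPPED_FILES:
                strong[host].add(name)
            elif name in WEAK_FILES:
                weak[host].add(name)
        for field in ("cmd", "url"):               # download from the IPFS gateway
            if IPFS_GATEWAY_RE.search(ev.get(field, "")):
                strong[host].add("ipfs-gateway-download")
    # Weak indicators are only reported alongside a strong one on the same host.
    return {h: sorted(inds | weak.get(h, set())) for h, inds in strong.items()}

# Constructed sample log: WS01 matches the chain, WS02 only has a benign config.json.
SAMPLE_LOG = [
    r"2022-10-20T09:58:41Z host=WS01 event=NetConnect image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe url=https://cloudflare-ipfs.com/ipfs/QmCONSTRUCTEDCID/init.ps1",
    r"2022-10-20T09:59:02Z host=WS01 event=FileCreate target=C:\Users\Public\phpupdate.exe",
    r"2022-10-20T09:59:03Z host=WS01 event=FileCreate target=C:\Users\Public\config.json",
    r'2022-10-20T09:59:10Z host=WS01 event=ProcessCreate image=C:\Users\Public\phpguard.exe cmd="phpguard.exe"',
    r"2022-10-20T10:01:00Z host=WS02 event=FileCreate target=C:\app\config.json",
    r'2022-10-20T10:02:00Z host=WS02 event=ProcessCreate image=C:\Windows\explorer.exe cmd="explorer.exe"',
]

if __name__ == "__main__":
    for host, indicators in hunt(SAMPLE_LOG).items():
        print(host, indicators)
```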
More details:
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmware-flaw-to-drop-ransomware-miners/