CryptoMiners Landscape in LATAM

CryptoMiners in LATAM

Since the emergence of Bitcoin in 2009, cryptocurrency mining has become a lucrative activity in the contemporary digital landscape. It offers investment opportunities and wealth creation on an unprecedented scale, fostering the use of dedicated tools known as CryptoMiners.

A CryptoMiner, also known as a coinminer, is a software used to mine cryptocurrencies taking advantage of the capabilities of the device on which they are mining.

This document aims to provide an overview of CryptoMiners in Latin America due to continued attacks. Since the beginning of 2023, the region has been affected by threat actors and cybercriminal groups such as 8220 Gang and Red BerryMiner, profiled by SCILabs in late 2023, which carry out cryptojacking attacks (also called malicious cryptocurrency mining), affecting organizations of all types in the industrial, services and telecommunications sectors, to mention a few.

How could a cryptominer attack affect organizations?

Cryptojacking attacks not only puts the security of corporate and personal information at risk but also significantly impacts the performance and lifespan of affected IT assets. Threat groups operating crypto-mining malware often exploit vulnerabilities in technology commonly used by all organizations, aiming to distribute cryptominers and integrate victim devices into Botnet networks such as Mirai or Tsunami. This can cause severe consequences on an organization’s infrastructure. Mirai, known for its DDoS attacks, can cause massive disruptions to services and systems. Additionally, this attack can be an initial access vector for more dangerous attacks such as ransomware, damaging reputation and causing financial losses to organizations.

Characteristics of cryptominer attacks

Although carrying out cryptomining activities is not inherently malicious, threat actors use malicious techniques to mine cryptocurrencies on other people’s devices and exploit their resources illicitly with a financial motivation. This activity is known as cryptojacking and converts to cryptoMiners in a threat.

Currently, there are three types of cryptojacking:

  • In-Browser hijacking
  • In-Host hijacking
  • In-Memory hijacking

In-browser cryptojacking

This technique has been used since 2011 when the cryptomining trend began, and Bitcoin became popular; it resurged in 2017 with the appearance of CoinHive, one of that year’s most maliciously used legal crypto mining services.

This type of attack does not require user permissions and usually maintains persistence by hiding the browser windows that perform the mining.

The exploitation of the stolen resources, in this case, is carried out through a cryptomining script, generally written in JavaScript, which may be embedded in a site or web application, in malicious ads, on websites that allow the execution of third-party services for tracking tools or analytics services, in web extensions that can perform mining and through Man-in-the-Middle activities since, once the victim’s web traffic has been captured, it is possible to inject the cryptomining script within non-HTTPS traffic.

Although it is currently not one of the most common techniques for performing cryptojacking, it is still used to a lesser extent.


Figure 1. In-browser cryptojacking operating flow

In-host cryptojacking

In this technique, threat actors use cryptominers to access the host’s resources, turning the infected device into a computer dedicated to mining cryptocurrencies without the victim’s knowledge.

Unlike the previous technique, a cryptominer must be installed on the host system. Hence, its delivery and installation method is through social engineering, vulnerability exploitation, or Drive-by-Download.

The first to act during a cryptojacking in-host infection is an external tool or intermediary malware, such as a script, a dropper, a worm, or a trojan that upon entering the system, is in charge and initiates the attack flow and whose tasks may include:

  • Starts the download, decryption, or unpacking of the crypto miner.
  • Prepares the victim equipment for mining. This implies recognizing the environment and equipment characteristics, mainly the processing power.
  • Performs the elevation of privileges or administration of permissions necessary for executing the cryptominer.
  • Eliminates tools and processes that may generate conflicts.
  • Searches for and removes security software.
  • Establishes persistence for the crypto miner.
  • Configures and optimizes the processor for cryptoming activities.
  • Runs the cryptominer (possibly in the background).
  • Possibly establishes a communication channel with C2.
  • Compromises other computers on the network.

Once the cryptominer is up and running, it initiates a connection to the threat actor’s mining pool using a web socket or an API. Through this pool, the cryptominer receives the operations needed to calculate a hash, and send its results back, which is why the cryptominer must be in constant communication with it. This feature can be handy in identifying if a device is compromised.

Figure 2. In-host cryptojacking operating flow

In-memory cryptojacking

This type of cryptojacking typically employs the same initial infection vector as In-host cryptojacking and delivers the payload through the same means. However, unlike In-host cryptojacking, the files are not maintained for the cryptominer’s execution. Instead, a fileless technique is used to avoid leaving evidence in the system making the cryptominer more challenging to detect and eliminate.

Once the operators successfully breach the victim’s computer, whether through vulnerability exploitation or intermediary malware, they inject the payload into a process that goes unnoticed by the user, such as a PowerShell process. This meticulous process, often involving the preparation of the equipment for mining, creation of persistence, downloading and execution of the necessary components for lateral movement and mining, and finally, the downloading and injection of the cryptominer into a process, demonstrates their advanced technical skills. The connection with the mining pool is then initiated, and the threat actor is contacted through a C2 channel.

Figure 3. In-memory cryptojacking operating flow

Current landscape

Based on SCILabs telemetry, cryptojacking attacks are carried out by multiple threat actors, even by inexperienced operators or without extensive technical capabilities. However, two threat groups, Red BerryMiner and 8220 Gang, are of interest because, in addition to installing crypto miners, they deploy other types of malware, such as Botnets and even ransomware, as in the case of 8220 Gang.

In this post, we will not provide a detailed investigation of these threat groups, as SCILabs has already published information about them, and there are various public investigations where additional information can be found. We intend to provide information that raises awareness about the danger these types of threats can represent.

Main countries and sectors affected by cryptojacking attack

As cybersecurity professionals, IT administrators, and business leaders in Latin America, you must be aware of the potential impact of cryptojacking attacks on the main countries and sectors. Our telemetry shows that Mexico, Brazil, Argentina, Ecuador, Venezuela, Colombia, Peru, Bolivia, Chile, Paraguay, and the industrial, services, and telecommunications sectors, are particularly vulnerable.

Figure 4. Cryptojacking activity in LATAM

Threat groups related to cryptojacking attacks.

As mentioned in this publication, according to SCILabs telemetry we will only provide a general context of the principal threat groups that affect Latin America.

8220 Gang

The 8220 Gang is a long-standing threat group that exploits vulnerabilities in cloud servers to initiate an infection process in the network of victim organizations. The group then uses the infected devices for cryptocurrency mining activities. This threat group has been operating since 2017: a testament to its persistence and the seriousness of the threat it poses.

This group of threats can maintain command and control communication on the victim’s servers, which allows it to download any artifacts, such as ransomware threats, specifically campaigns related to the GranCrab ransomware family have been observed.

Among the principal vulnerabilities that this group of threats uses are the following:

# Tecnology Vulnerability Description
1 Jboss CVE-2017-12149 (CVSS:3.0 – 9.8 CRÍTICO) The doFilter method in the HTTP Invoker’s ReadOnlyAccessFilter does not restrict the classes for which it performs deserialization, and therefore allows an attacker to execute arbitrary code via crafted serialized data.
2 Oracle WebLogic CVE-2017-10271 (CVSS:3.0 – 7.5 ALTA Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). The supported versions that are affected are,,, and Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in the takeover of Oracle WebLogic Server.
3 Apache CouchDB CVE-2017-12635 (CVSS:3.0 – 9.8 CRÍTICO) Due to differences in the Erlang-based JSON parser and the JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to send _users documents with duplicate keys for ‘roles’ used for access control within the database, including the special case role ‘_admin’, which denotes administrative users.
4 Apache CouchDB CVE-2017-12636 (CVSS:3.0 – 7.2 ALTA) CouchDB administrative users can configure the database server over HTTP(S). Some of the configuration options include paths for operating system-level binaries that CouchDB later launches. This allows an administrator user on Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and running scripts from the public Internet.
5 Drupal CVE-2018-7600 (CVSS:3.0 – 9.8 CRÍTICO) Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code due to an issue affecting multiple subsystems with configurations of common or default modules.
6 Apache Struts CVE-2017-5638 (CVSS:3.0 – 10.0 CRÍTICO) The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before has incorrect exception handling and generation of error messages during file upload attempts, which allows attackers to Remotes execute arbitrary commands through manipulated content. -Type, Content-Disposition, or Content-Length HTTP header, as exploited in March 2017 with a Content-Type header containing a #cmd= string.
7 Sonatype Nexus CVE-2019-7238 (CVSS:3.0 – 9.8 CRÍTICO) Sonatype Nexus Repository Manager previous to 3.15.0 has an incorrect control Access.
8 Atlassian Confluence CVE-2019-3396 (CVSS:3.0 – 9.8 CRÍTICO) The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the version fixed for 6.6.x), since version 6.7.0 before 6.12.3 (the version fixed for 6.12.x), since version 6.13.0 before 6.13. 3 (the fixed version for 6.13.x), and since 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution in a Confluence Server or Data Center instance via server-side template injection.
9 Atlassian Confluence CVE-2022-26134 (CVSS:3.0 – 9.8 CRÍTICO) In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are 1.3.0 before 7.4.17, 7.13.0 before 7.13.7, 7.14.0 before 7.14.3, 7.15.0 before 7.15. 2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4 and from 7.18.0 before 7.18.1.
10 Redis CVE-2022-0543 (CVSS:3.0 – 10.0 CRÍTICO) Redis, a persistent key-value database, was found due to a packaging issue, to be prone to a Lua sandbox escape (Debian-specific), which could result in remote code execution.

Additionally, the threat group mainly uses the following tools:

Red BerryMiner

Red BerryMiner is a threat group that exploits vulnerabilities in servers exposed on different organizations’ Internet to initiate a malware infection process and use the infected devices for crypto mining activities. It shares infrastructure with the Mirai Botnet, and in its infection chain it installs the ShellBot malware families, also known as PerlBot, and predominantly, the XMRig cryptominer.

The following are some of the following vulnerabilities that this group uses:


# Tecnology Vulnerability Description
1 Avaya Aura Device Services CVE-2023-3722 (CVSS:3.0 – 9.8 CRÍTICO) Operating system command injection vulnerability in the Avaya Aura Device Services web application could allow remote code execution as a user of the web server via a malicious uploaded file. This issue affects Avaya Aura Device Services version and earlier.
2 ThinkPHP CVE-2018-20062 (CVSS:3.0 – 9.8 CRÍTICO)


Allows remote attackers to execute arbitrary PHP code, via crafted use of the filter parameter.
3 Spring Shell CVE-2022-22965 (CVSS:3.0 – 9.8 CRÍTICO) A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general and there may be other ways to exploit it.

Additionally, the threat group mainly uses the following tools:

Main CryptoMiner families observed in the Latin American region by SCILabs

The findings are based on a comprehensive analysis of our telemetry data and various reliable public sources, providing a clear picture of LATAM’s most prevalent cryptominer families.


XMRig is an open-source software designed for cryptocurrency mining, which makes it one of the most used tools as a cryptominer in cryptojacking attacks; this is possibly related to the versatility that allows operators to modify it when it is open-source. It is one of the most used to mine Monero, a cryptocurrency known for having untraceable transactions. The main features of this software are:

  • Greater versatility for its distribution as it does not require additional tools to function.
  • Due to the open sources, there are more variants of it.
  • Multiplatform versatility (Windows, Linux, macOS and FreeBSD).
  • Donates 5 percent of the revenue earned from mined coins to the wallet address of the code author, and once modified, it is passed on to the malware operators.


PwnRig, an XMRig-based CryptoMiner. In addition to those already mentioned for XMRig, other features are:

  • It hides its configuration details.
  • It uses a mining proxy.


It is a CryptoMiner with multiple variants used to mine Monero, which SCILabs observe on Linux servers. Its main features are:

  • It is written in the Go programming language.
  • Uses Google Sites to host web pages for distribution.
  • As initial access, its operators carry out brute force attacks on SSH services exposed on the Internet, loading WebShells on vulnerable servers and exploiting the vulnerabilities:
  • Runs as a background process.
  • Ability to self-delete.
  • Temporary persistence (they are invalidated if the infected computer is restarted) through tasks scheduled with Cron Jobs.
  • It is installed in the /etc directory using random names (without any identified pattern), for example, /etc/2arw4t2w84ig4w9.00991.
  • Ability to install XMRig.

Attack Flow Commonly Observed in CryptoMiners Attacks

Figure 5. Typical flow of a Cryptojacking attack

Most common TTP observed in cryptojacking attacks aligned to the MITER ATT&CK®


Cryptojacking attacks, often underestimated, can have devastating consequences; as detailed in this publication, threat groups like 8220 Gang can exploit their access to an organization’s infrastructure to deploy ransomware. Similarly, cybercriminals such as Red BerryMiner can introduce additional malware like the Mirai Botnet and ShellBot while leveraging ‘living-off-the-land’ techniques to download more malicious artifacts and install backdoors and Reverse Shells.

This represents a critical risk for organizations because they may be exposed to data breaches, theft of all types of information, and impact from ransomware, affecting their reputation and causing economic losses. SCILabs considers that attacks with crypto miners will remain constant throughout the year, taking advantage of new vulnerabilities that provide access to infrastructure, which are increasingly affecting LATAM countries.

Given these circumstances, SCILabs considers it is essential that organizations are aware of the TTP (Techniques, Tactics, and Procedures) used by the operators of this type of malware and consider them in their security posture to reduce the risk of suffering from cryptojacking attacks.


  • Avoid downloading and installing software from unofficial sites.
  • In the case of emails, avoid infection through phishing emails:
    • Verify the legitimacy of the sender of the emails received.
    • Verify that the sender is consistent with the content of the email.
    • Avoid opening suspicious links.
    • Avoid opening or downloading suspicious files.
  • Install ad blockers in your browser to block unwanted pop-ups, ADS, and banner ads on websites.
  • Disable JavaScript in the browser to avoid loading malicious scripts.
  • Monitor system status and performance on the organization’s endpoints and servers.
  • Conduct hunting activities searching for unknown or suspicious processes, such as PowerShell processes, that consume large amounts of resources and are not started by any application used by the user or the organization.
  • Detect and block unusual traffic within the network that may generate multiple requests, as these may be directed to mining pool addresses or related to cryptocurrencies.
  • Carry out hunting activities in search of threats that have infected or are operating on the organization’s devices, such as Trojans, worms, bots, stealers, etc. This intermediary malware usually accompanies cryptominers.
  • Carry out hunting activities to find elements that generate persistence, mainly in scheduled tasks or registry keys.
  • If possible, use security tools with anomaly detection algorithms to detect patterns associated with cryptojacking attacks, such as decreased processing speed.
  • Periodically perform offline backups of information considered critical or essential for the operation and continuity of the business.
  • Keep all the organization’s computer equipment updated to the latest version of the operating system.
  • Maintain all current applications using the most stable versions based on manufacturers’ recommendations.
  • Apply critical patches to the systems or, failing that, implement a shielding system at the hypervisor level that allows the implementation of virtual patches that immediately mitigate the vulnerability without incurring the risk of altering or directly damaging the operating system and impacting the operation.
  • Implement an application firewall (WAF) or if they already have one, evaluate its configuration according to the manufacturer’s best practices and apply them in the short term.
  • Integrate security policies at all organizational levels that consider using EDR systems with high research capabilities, always keeping them updated and correctly configured under the best practices issued by manufacturers.
  • Create stronger password policies and apply the principle of least privilege for all users within the organization. Consider disabling “admin” or “root” users and creating custom and limited roles for different types of system administrators according to their specific functions.