Decentralized Threat: Stealthy P2P Cryptominer Targeting Ollama Endpoints
A sophisticated attack campaign is targeting Ollama AI endpoints to deploy a custom Go-based P2P remote access Trojan (RAT) and cryptominer. The malware, named 'vc', leverages decentralized networking via libp2p to evade traditional C2 blocking and utilizes RAM disk execution and process masquerading to maintain stealth.
Authors: Larry Cashdollar
Source:
Akamai
- domaincloud-metrics[.]ioMalicious domain associated with the campaign
- sha25618a60f4122d10fc342977345cc1d494784ca55285eea37dddf90c6b9829b6d4bi.sh installer script
- sha2564159fb1305a6c45f901aa0c5b8edf7192ca9f608acce445b0dc304edc040862cvc RAT binary (UPX unpacked)
- sha256424a5d4dca5fb9506e7a15abc95d9e8b2a8c91fcf340394db86e38342afe7ab9vc RAT binary (UPX packed with fake header)
- urlhxxps://auzhpjmyaqayopaqidmc[.]supabase[.]co/storage/v1/object/public/p/i[.]shInitial payload installer script downloaded via Ollama API abuse
- urlhxxps://auzhpjmyaqayopaqidmc[.]supabase[.]co/storage/v1/object/public/p/vcCustom Go-based P2P RAT and cryptominer dropper payload
Detection / HunterGoogle
What Happened
Attackers are exploiting exposed Ollama AI systems to install a hidden cryptocurrency miner and remote access tool. The malicious software runs entirely in the system's memory and disguises itself as a normal background process to avoid detection. This allows the attackers to steal computing power and maintain control over the infected machine without relying on a central server. System administrators should secure their AI endpoints, monitor for unusual outbound network traffic, and check for hidden scheduled tasks.
Key Takeaways
- Attackers are targeting Ollama AI endpoints via the /api/create API to achieve remote code execution.
- The payload is a custom Go-based P2P RAT and cryptominer dropper named 'vc'.
- The malware uses a decentralized libp2p stack to evade traditional C2 blocking.
- It heavily utilizes RAM disk (/dev/shm/) for file execution to evade filesystem scanning.
- Persistence is achieved via crontab entries masquerading as legitimate 'kworker' processes.
Affected Systems
- Ollama endpoints
- Linux OS
Attack Chain
The attack initiates via API requests to the Ollama /api/create endpoint, instructing the AI to download and execute a shell script (i.sh). This script downloads a custom Go-based binary (vc) directly into the RAM disk (/dev/shm/) to evade filesystem detection. The vc binary establishes a decentralized P2P network using libp2p, drops a P2P proxy and an XMRig miner, and renames its processes to masquerade as legitimate kworker threads. Finally, it establishes persistence by adding a crontab entry that continuously checks and relaunches the malicious process.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but offers behavioral indicators, file paths, and IOCs for hunting.
Detection Engineering Assessment
EDR Visibility: Medium — EDRs can detect process masquerading (e.g., kworker running from /dev/shm) and crontab modifications, but the malware's use of RAM disk and fake UPX headers may evade some static file scanning. Network Visibility: Medium — The decentralized P2P nature (libp2p) makes traditional IP/domain blocking difficult, requiring deep packet inspection or behavioral analysis of outbound QUIC and WebSocket traffic. Detection Difficulty: Moderate — While the P2P C2 is hard to block, the execution from /dev/shm/ and the masquerading as kworker are highly anomalous and relatively easy to hunt for.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- Network Connections (Sysmon 3)
- File Creation (Sysmon 11)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for processes executing from the /dev/shm/ directory, particularly those named kworker-main or kworker-run. | Process execution logs (e.g., auditd, Sysmon for Linux Event ID 1) | Execution | Low |
| Evaluate whether unusual outbound QUIC (UDP 443) or WebSocket traffic is originating from unexpected processes, which may indicate P2P C2 communication. | Network flow logs, EDR network events | Command and Control | Medium |
| Consider hunting for crontab modifications that reference files in /dev/shm/ or attempt to restart kworker processes. | File modification logs (e.g., auditd monitoring /var/spool/cron) | Persistence | Low |
Control Gaps
- Traditional static AV scanning (due to RAM disk execution and fake UPX headers)
- Domain/IP-based C2 blocking (due to decentralized P2P network)
Key Behavioral Indicators
- Execution from /dev/shm/
- Process named kworker running from user space or unusual paths
- Ollama process spawning shell scripts or curl/wget commands
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- If your EDR supports host isolation, consider isolating any Ollama endpoints exhibiting anomalous behavior or communicating over unexpected P2P protocols.
- Evaluate whether to perform a memory dump on suspected compromised machines to recover P2P peer lists and crypto keys before remediation.
- Consider checking systemctl units, crontabs, and .bashrc files for unauthorized persistence mechanisms related to 'kworker'.
Infrastructure Hardening
- Evaluate whether outbound QUIC (UDP 443) and unexpected WebSocket traffic can be restricted or heavily monitored from AI endpoints.
- Consider implementing network segmentation to isolate Ollama API endpoints from the broader corporate network.
- If applicable, restrict access to the Ollama /api/create endpoint to authorized internal IP addresses only.
User Protection
- Consider configuring EDR solutions to alert on or block execution from RAM disk locations like /dev/shm/ where supported.
Security Awareness
- Consider incorporating the risks of exposed AI APIs and supply chain vulnerabilities into technical training for DevOps and AI engineering teams.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1105 - Ingress Tool Transfer
- T1053.003 - Scheduled Task/Job: Cron
- T1036.004 - Masquerading: Masquerade Task or Service
- T1090.002 - Proxy: External Proxy
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1496 - Resource Hijacking
Additional IOCs
- File Hashes:
4159fb1305a6c45f901aa0c5b8edf7192ca9f608acce445b0dc304edc040862c(SHA256) - vc RAT binary (UPX unpacked)
- File Paths:
/dev/shm/.sys-update- RAM disk location for initial vc download/dev/shm/.udev-mesh-node- Copied location of the vc malware for persistence/dev/shm/kworker-main- Dropped P2P networking proxy binary/dev/shm/kworker-run- Dropped XMRig Monero miner binary
- Command Lines:
- Purpose: Crontab persistence mechanism to check and relaunch the malware | Tools:
crontab,pgrep| Stage: Persistence |*/15 * * * * pgrep -x kworker-run || /dev/shm/.udev-mesh-node
- Purpose: Crontab persistence mechanism to check and relaunch the malware | Tools:
- Other:
12D3KooWGfRjvTvgfV4eXnFWLV26GG7TciWX7ycBiGPnA7ubVmbG- C2 P2P key / libp2p peer ID42qxWtESb9t1jvteBGCJybRiHB2x6fiMmhmosjUxfDsFUMLtJgYheVUaac2dvHrDfwcogpQFbTz4h2GXkB1rxonqUJQnUyz- Monero wallet address used by the XMRig miner