Introduction

On a recent incident response case, a customer contacted us regarding their EDR detecting a crypto miner on a Linux endpoint. The identified malicious file, named 41hs1z, is accessible on VirusTotal. The folders and paths associated with each execution of the crypto miner may differ; however, here are some paths we encountered:

/backup/files/excel/41hs1z
/backup/files/xml/dotnet115/BeID/41hs1z
/backup/files/xml/dotnet115/layouts/defaults/41hs1z

Upon analysis, we discovered that t...