From the information you provided in your initial email, it sounds like the malware you encountered is described in-depth here:
That blog post provides a lot of insight into what the malware they analyzed did, which will hopefully provide you with a way to better understand what the malware may have done on your machines. It's difficult to know for sure, though, since the one you encountered may have had differences from the one described. Your best bet to remediate is to just restore the server from known-good backups, if possible.
- Used malicious shell scripts masquerading as JPEG files with the name "logo*.jpg" that install cron jobs and download and execute miners.
- Used variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.
- Scanned for and attempted to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle WebLogic and Drupal.
- Used malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.
As you can tell, there's a lot of overlap between all of these, and it's not uncommon for one actor to take the scripts and binaries used by another and start using them (with slight modifications to use different C2, mine to a different wallet, etc.).
Since there's so much overlap between tools and techniques, it's difficult to say for sure, but at first glance the infrastructure described in the Anomali blog post appears related to that of the malware described by these two articles as well:
- Andrew
Andrew Williams
Malware Research Engineer
Cisco Talos