Table of Contents
Researchers warned of an active Linux Cryptojacking campaign targeting Linux-based machines with weak SSH credentials to deploy Monero mining malware. Let’s see how the group has carried out this campaign.
This time attacker has targeted weak credentials, which is prevalent even today. Forget about the weak credentials; It is sad to say that still many devices are living with default credentials on the internet. This gives attackers a chance to do everything they want. The story of this Linux cryptojacking campaign is something related to the week credentials set on Linux-based machines on the internet.
Anyways, targeting weak SSH credentials is not the first time. Threat actors can easily break the security of the weak credentials by bruit-forcing on the victim if they are not detected soon. However, that is not the case with brute force attacks. Bruit force can easily be detected and protected. So, the actors behind this campaign have used a trick that lets them do it in a way that lets attackers go undetected.
Who Is Behind This Linux Cryptojacking Campaign?
Researchers will always identify the threat actor’s origin from the tools, code, language, and method they use in their campaign. Researchers have belied the hands behind the attacks are from Romania. Because the interface of the tool attackers used in this campaign is written in both Romanian and English.
How An Attacker Group Carried Out Linux Cryptojacking Campaign?
The campaign starts with scanning for the Linux-based machines on the internet, which have weak credentials. Attackers will deploy these archives on their server: jack.tar.gz, juanito.tar.gz, scn.tar.gz, and skamelot.tar.gz, which can be used to crack the Linux machines which have weak SSH credentials. These tools can identify valid credentials, log in to the servers, and deliver the payload on the victim servers via port scanning, banner grabbing, brute forcing, techniques.
Upon login to the Linux machine with inadequate SSH credentials, attackers will deploy and run loader programs. The loaders then gather system information and send that to the attackers through an HTTP POST to a Discord Webhook. Discord will help threat actors to avoid using their own command and control servers which helps them work under the radar. Please read more about the Discord channel here. It is necessary to know about Discord as it is becoming popular in malware distribution because of its functionality.
Loaders do not just exfiltrate the system information, they also help threat actors to create persistence by dropping some scripts, creating a user and adding it to the sudo group, adding an SSH key to authorized_keys, and creating a ‘systemd’ service called ‘myservice’ which runs the /usr/bin/sshd script
Attackers use the information shared by the loaders to select the toolset, create custom payloads, and create a post-exploitation strategy. At last, attackers want to convert the machine into a crypto mining resource by embedding the configurations of a legitimate miner pool with currency valets.
What Tool Is Used To Carry Out Linux Cryptojacking Campaign?
The tool is dubbed as “Diicot bruter” which operates as SaaS (Software as a Service) model, which works on a user’s API key. An API key will be given to a user that they need to supply to the tool as a command-line argument. The tool uses the API key to retrieve the user’s configurations, which includes the user’s Discord ID, a Discord webhook (where the tool’s output is POSTed), and a version number. Click here to read the full information about the tool.
How To Be Protected From The Linux Cryptojacking Campaign?
As this campaign targets weak credentials, we recommend following all the secure password guidelines and use password alternatives if possible:
Use strong passwords.
Enable key-based authentication.
Secure the network using MAC and IP address filters.
Monitor services and system resources.
Use anti-malware programs.
Monitor the IOCs and block them on the firewalls.
Rebuild the machine from a clean backup if you see your machine is compromised.
Indicators Of Compromise:
Samples:
| sha256 | type | name | purpose |
| d73a1c77783712e67db71cbbaabd8f158bb531d23b74179cda8b8138ba15941e | ELF | .93joshua | loader |
| ed2ae1f0729ef3a26c98b378b5f83e99741b34550fb5f16d60249405a3f0aa33 | ELF | .zte_error | miner |
| ef335e12519f17c550bba98be2897d8e700deffdf044e1de5f8c72476c374526 | ELF | .k4m3l0t | miner |
| 9de853e88ba363b124dfce61bc766f8f42c84340c7bd2f4195808434f4ed81e3 | ELF | .black | loader |
| eb0f3d25e1023a408f2d1f5a05bf236a00e8602a84f01e9f9f88ff51f04c8c94 | ELF | .purrple | loader |
| dcc52c4446adba5a61e172b973bca48a45a725a1b21a98dafdf18223ec8eb8b9 | ELF | .report_system | miner |
| 99531a7c39e3ea9529f5f43234ca5b23cb7bb82ee54f04eff631f5ca9153e6d4 | ELF | go | scanner |
| 74a425bcb5eb76851279b420c8da5f57a1f0a99a11770182c356ba3160344846 | ELF | go | scanner |
| 9f691e132f5a2c9468f58aeac9b7aa5df894d1ad54949f87364d1df2bf005414 | script | go | scanner |
| f53241f60a59ba20d29fab8c973a5b4c05c24865ae033fffb7cdfa799f0ad25d | ELF | r | scanner |
| 275ef26528f36f1af516b0847d90534693d4419db369027b981f77d79f07d357 | script | dabrute | scanner |
| 8beccb10b004308cadad7fa86d6f2ff47c92c95fc557bf05188c283df6942c13 | ELF | brute | scanner |
| f9ed735b2b8f89f9d8edfc6a8d11a4ee903e153777b33d214c245a02636d7745 | ELF | brute | scanner |
| 23cf4c34f151c622a5818ade68286999ae4db7364b5d9ed7b8ed035c58116179 | script | sky | IRC bot |
| 8dfdbc66ac4a38766ca1cb45f9b50e0f7f91784ad9b6227471469ae5793f6584 | script | find.sh | scanner |
| f1d4e2d8f63c3b68d56c668aafbf1c82d045814d457c9c83b37115b61c535baa | archive | jack.tar.gz | |
| 3078662f56861c98f96f8bc8647ffa70522dbc22cbd7ba91b9c80bc667d2a3a9 | archive | juanito.tar.gz | |
| 2a8298047add78360dc3e6d5ac4a38ddb7a67deebc769b1201895afe39b8c0e1 | archive | kamelot.tar.gz | |
| 7bfb35caf3f8760868c2985c4ccf749b14deab63ac6effd653871094fed0d5e5 | archive | satan.db | |
| f6e92eff8887ee28eb56602a3588a3d39ca24a35d9f88fe2551d87dc6ced8913 | archive | scn.tar.gz | |
| 8bf108ab897a480c44d56088662e592c088939eeb86cccaac6145de35eb3a024 | script | sefu | |
| 31a88ff5c0888bcbbbd02c1c18108c884ff02fd93a476e738d22b627e24601c0 | archive | skamelot.tar.gz | |
| e89b40a6e781ad80d688d1aa4677151805872b50a08aaf8aa64291456e4d476d | archive | PhoenixMiner.tar | |
| 2ef26484ec9e70f9ba9273a9a7333af195fb35d410baf19055eacbfa157ef251 | ELF | banner | scanner |
| 8970d74d96558b280567acdf147bfe289c431d91a150797aa5e3a8e8d52fb27d | archive | ethminer.tar | |
| 9aa8a11a52b21035ef7badb3f709fa9aa7e757788ad6100b4086f1c6a18c8ab2 | ELF | masscan | scanner |
| 1275e604a90acc2a0d698dde5e972ff30d4c506eae526c38c5c6aaa6a113f164 | script | setup | |
| 977dc6987a12c27878aef5615d2d417b2b518dc2d50d21300bfe1b700071d90e | script | install | |
| ccda60378a7f3232067e2d7cd0efe132e7a3f7c6a299e64ceba319c1f93a9aa2 | ELF | brute | scanner |
Paths:
/usr/bin/.locationesclipiciu
/var/tmp/.ladyg0g0/.pr1nc35
/usr/.SQL-Unix/.SQL/.db
/var/tmp/.SQL-Unix/.SQL/.db
/usr/bin/.pidsclip
Network indicators:
Mexalz[.]us
area17[.]mexalz[.]us
45[.]32[.]112[.]68
207[.]148[.]118[.]221
requests[.]arhive[.]online
cdn[.]arhive[.]online
The way of leaving with default or weak credentials will keep motivating the adversaries to do all malicious things. The first step to stop the cyberattacks is to change the default credentials. Next, keep an eye on what’s going on your devices.
Thanks for reading this post. Please share this post and help to secure the digital world.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
