• Home
  • |
  • Blog
  • |
  • How A Threat Group Carried Out Linux Cryptojacking Campaign From Romania?
Linux Cryptojacking campaign

Researchers warned of an active Linux Cryptojacking campaign targeting Linux-based machines with weak SSH credentials to deploy Monero mining malware. Let’s see how the group has carried out this campaign.

This time attacker has targeted weak credentials, which is prevalent even today. Forget about the weak credentials; It is sad to say that still many devices are living with default credentials on the internet. This gives attackers a chance to do everything they want. The story of this Linux cryptojacking campaign is something related to the week credentials set on Linux-based machines on the internet.

Anyways, targeting weak SSH credentials is not the first time. Threat actors can easily break the security of the weak credentials by bruit-forcing on the victim if they are not detected soon. However, that is not the case with brute force attacks. Bruit force can easily be detected and protected. So, the actors behind this campaign have used a trick that lets them do it in a way that lets attackers go undetected.

Who Is Behind This Linux Cryptojacking Campaign?

Researchers will always identify the threat actor’s origin from the tools, code, language, and method they use in their campaign. Researchers have belied the hands behind the attacks are from Romania. Because the interface of the tool attackers used in this campaign is written in both Romanian and English.  

How An Attacker Group Carried Out Linux Cryptojacking Campaign?

  1. The campaign starts with scanning for the Linux-based machines on the internet, which have weak credentials. Attackers will deploy these archives on their server: jack.tar.gz, juanito.tar.gz, scn.tar.gz, and skamelot.tar.gz, which can be used to crack the Linux machines which have weak SSH credentials. These tools can identify valid credentials, log in to the servers, and deliver the payload on the victim servers via port scanning, banner grabbing, brute forcing, techniques.
  2. Upon login to the Linux machine with inadequate SSH credentials, attackers will deploy and run loader programs. The loaders then gather system information and send that to the attackers through an HTTP POST to a Discord Webhook. Discord will help threat actors to avoid using their own command and control servers which helps them work under the radar. Please read more about the Discord channel here. It is necessary to know about Discord as it is becoming popular in malware distribution because of its functionality.
  3. Loaders do not just exfiltrate the system information, they also help threat actors to create persistence by dropping some scripts, creating a user and adding it to the sudo group, adding an SSH key to authorized_keys, and creating a ‘systemd’ service called ‘myservice’ which runs the /usr/bin/sshd script
  4. Attackers use the information shared by the loaders to select the toolset, create custom payloads, and create a post-exploitation strategy. At last, attackers want to convert the machine into a crypto mining resource by embedding the configurations of a legitimate miner pool with currency valets.

What Tool Is Used To Carry Out Linux Cryptojacking Campaign?

The tool is dubbed as “Diicot bruter” which operates as SaaS (Software as a Service) model, which works on a user’s API key. An API key will be given to a user that they need to supply to the tool as a command-line argument. The tool uses the API key to retrieve the user’s configurations, which includes the user’s Discord ID, a Discord webhook (where the tool’s output is POSTed), and a version number. Click here to read the full information about the tool.

How To Be Protected From The Linux Cryptojacking Campaign?

As this campaign targets weak credentials, we recommend following all the secure password guidelines and use password alternatives if possible:

  1. Use strong passwords.
  2. Enable key-based authentication.
  3. Secure the network using MAC and IP address filters.
  4. Monitor services and system resources.
  5. Use anti-malware programs.
  6. Monitor the IOCs and block them on the firewalls.
  7. Rebuild the machine from a clean backup if you see your machine is compromised.

Indicators Of Compromise:

Samples:

sha256typenamepurpose
d73a1c77783712e67db71cbbaabd8f158bb531d23b74179cda8b8138ba15941eELF.93joshualoader
ed2ae1f0729ef3a26c98b378b5f83e99741b34550fb5f16d60249405a3f0aa33ELF.zte_errorminer
ef335e12519f17c550bba98be2897d8e700deffdf044e1de5f8c72476c374526ELF.k4m3l0tminer
9de853e88ba363b124dfce61bc766f8f42c84340c7bd2f4195808434f4ed81e3ELF.blackloader
eb0f3d25e1023a408f2d1f5a05bf236a00e8602a84f01e9f9f88ff51f04c8c94ELF.purrpleloader
dcc52c4446adba5a61e172b973bca48a45a725a1b21a98dafdf18223ec8eb8b9ELF.report_systemminer
99531a7c39e3ea9529f5f43234ca5b23cb7bb82ee54f04eff631f5ca9153e6d4ELFgoscanner
74a425bcb5eb76851279b420c8da5f57a1f0a99a11770182c356ba3160344846ELFgoscanner
9f691e132f5a2c9468f58aeac9b7aa5df894d1ad54949f87364d1df2bf005414scriptgoscanner
f53241f60a59ba20d29fab8c973a5b4c05c24865ae033fffb7cdfa799f0ad25dELFrscanner
275ef26528f36f1af516b0847d90534693d4419db369027b981f77d79f07d357scriptdabrutescanner
8beccb10b004308cadad7fa86d6f2ff47c92c95fc557bf05188c283df6942c13ELFbrutescanner
f9ed735b2b8f89f9d8edfc6a8d11a4ee903e153777b33d214c245a02636d7745ELFbrutescanner
23cf4c34f151c622a5818ade68286999ae4db7364b5d9ed7b8ed035c58116179scriptskyIRC bot
8dfdbc66ac4a38766ca1cb45f9b50e0f7f91784ad9b6227471469ae5793f6584scriptfind.shscanner
f1d4e2d8f63c3b68d56c668aafbf1c82d045814d457c9c83b37115b61c535baaarchivejack.tar.gz
3078662f56861c98f96f8bc8647ffa70522dbc22cbd7ba91b9c80bc667d2a3a9archivejuanito.tar.gz
2a8298047add78360dc3e6d5ac4a38ddb7a67deebc769b1201895afe39b8c0e1archivekamelot.tar.gz
7bfb35caf3f8760868c2985c4ccf749b14deab63ac6effd653871094fed0d5e5archivesatan.db
f6e92eff8887ee28eb56602a3588a3d39ca24a35d9f88fe2551d87dc6ced8913archivescn.tar.gz
8bf108ab897a480c44d56088662e592c088939eeb86cccaac6145de35eb3a024scriptsefu
31a88ff5c0888bcbbbd02c1c18108c884ff02fd93a476e738d22b627e24601c0archiveskamelot.tar.gz
e89b40a6e781ad80d688d1aa4677151805872b50a08aaf8aa64291456e4d476darchivePhoenixMiner.tar
2ef26484ec9e70f9ba9273a9a7333af195fb35d410baf19055eacbfa157ef251ELFbannerscanner
8970d74d96558b280567acdf147bfe289c431d91a150797aa5e3a8e8d52fb27darchiveethminer.tar
9aa8a11a52b21035ef7badb3f709fa9aa7e757788ad6100b4086f1c6a18c8ab2ELFmasscanscanner
1275e604a90acc2a0d698dde5e972ff30d4c506eae526c38c5c6aaa6a113f164scriptsetup
977dc6987a12c27878aef5615d2d417b2b518dc2d50d21300bfe1b700071d90escriptinstall
ccda60378a7f3232067e2d7cd0efe132e7a3f7c6a299e64ceba319c1f93a9aa2ELFbrutescanner

Paths:

  • /usr/bin/.locationesclipiciu
  • /var/tmp/.ladyg0g0/.pr1nc35
  • /usr/.SQL-Unix/.SQL/.db
  • /var/tmp/.SQL-Unix/.SQL/.db
  • /usr/bin/.pidsclip

Network indicators:

  • Mexalz[.]us
  • area17[.]mexalz[.]us
  • 45[.]32[.]112[.]68
  • 207[.]148[.]118[.]221
  • requests[.]arhive[.]online
  • cdn[.]arhive[.]online

The way of leaving with default or weak credentials will keep motivating the adversaries to do all malicious things. The first step to stop the cyberattacks is to change the default credentials. Next, keep an eye on what’s going on your devices.

Thanks for reading this post. Please share this post and help to secure the digital world.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.