New Cryptocurrency Mining Campaign Targets Linux Systems and IoT Devices

June 23, 2023 | Ravi Lakshmanan | Virtual currency/IoT


Internet-connected Linux systems and Internet of Things (IoT) devices are being targeted as part of a new campaign aimed at illicit cryptocurrency mining.

Rotem Sde-Or, a threat intelligence researcher at Microsoft, said, “The attackers behind the attacks used backdoors to introduce a wide range of tools and components, such as rootkits and IRC bots, to perform mining operations, stealing device resources.”

“This backdoor also installs a patched version of OpenSSH on affected devices, allowing attackers to hijack SSH credentials, move laterally within the network, and hide malicious SSH connections.”

To carry out the attack, the attackers first gain initial access to a misconfigured Linux host through a brute-force attack, after which they disable shell history and download a trojanized version of OpenSSH from a remote server.

The malicious OpenSSH package is configured to install and launch a backdoor, a shell script that allows the attacker to distribute additional payloads and perform other post-exploitation activities.


This includes exfiltrating information about the device, installing the open-source rootkits Diamorphine and Reptile from GitHub, and covering its tracks by clearing logs that could reveal the malware’s presence.

“To ensure persistent SSH access to the device, the backdoor adds two public keys to the authorized_keys configuration files of all users on the system,” said the Windows maker.
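
The persistence step just described (the same keys written into every account’s authorized_keys) is something a defender can hunt for directly. The following script is an added example, not code from the article or from Microsoft’s report; it lists every key under /root/.ssh and /home/*/.ssh and flags any key that appears in several accounts, since legitimate keys are normally per-user. The sample tree it builds is constructed for an offline run.

```bash
#!/bin/bash
# Added example: hunt for one public key planted in many users' authorized_keys.

# Emit one "user<TAB>keytype blob" line per key found under ROOT, covering
# root/.ssh and home/*/.ssh. Option prefixes (command=, from=, ...) and
# comment lines are handled; the trailing key comment is ignored.
list_authorized_keys() {
    root="$1"
    for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$(dirname "$f")")")
        awk -v u="$user" '
            /^[[:space:]]*#/ || NF == 0 { next }
            { for (i = 1; i <= NF; i++)
                  if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print u "\t" $i " " $(i+1); break } }
        ' "$f"
    done
}

# Print "count<TAB>keytype blob" for every key present in at least MIN distinct
# accounts (default 2), highest count first. Empty output means nothing shared.
find_shared_keys() {
    root="$1"; min="${2:-2}"
    list_authorized_keys "$root" | sort -u | awk -F'\t' -v m="$min" '
        { n[$2]++ }
        END { for (k in n) if (n[k] >= m) print n[k] "\t" k }
    ' | sort -rn
}

# Constructed sample tree: a planted key in root, alice, bob (behind an options
# prefix) and carol, plus alice's own legitimate key. Prints the tree's path.
build_sample_tree() {
    d=$(mktemp -d)
    bad="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedPlantedKey000000 planted"
    for h in root home/alice home/bob home/carol; do
        mkdir -p "$d/$h/.ssh"
    done
    printf '%s\n' "$bad" > "$d/root/.ssh/authorized_keys"
    printf '# alice workstation\n%s\n%s\n' \
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedAliceKey alice@laptop" "$bad" \
        > "$d/home/alice/.ssh/authorized_keys"
    printf 'command="/bin/true",no-pty %s\n' "$bad" > "$d/home/bob/.ssh/authorized_keys"
    printf '%s\n' "$bad" > "$d/home/carol/.ssh/authorized_keys"
    echo "$d"
}

# On a live host run as root so every file is readable:  find_shared_keys /
```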

The implant also attempts to monopolize the infected system’s resources by eliminating competing cryptocurrency mining processes that are already running before launching the miner.

Additionally, it runs a modified version of ZiggyStarTux, an IRC-based distributed denial of service (DDoS) client that can execute bash commands issued by a command and control (C2) server. It is based on another botnet malware called Kaiten (aka Tsunami).


The attack relies on a subdomain belonging to an unnamed Southeast Asian financial institution for C2 communications in order to disguise the malicious traffic, the tech giant noted.

It is worth pointing out that the modus operandi detailed by Microsoft overlaps with a recent report from the AhnLab Security Emergency Response Center (ASEC) describing attacks on public-facing Linux servers by cryptocurrency mining malware and a Tsunami botnet variant called Ziggy.

This operation was traced back to an actor named asterzeu who sold the toolkit on a malware-as-a-service marketplace. “The complexity and scope of this attack shows the efforts the attackers are making to evade detection,” Sde-Or said.

The development comes as Akamai and Palo Alto Networks Unit 42 report that multiple known security flaws in routers, digital video recorders, and other network software are being actively exploited by threat actors to deploy the Mirai botnet malware.

“The Mirai botnet, discovered in 2016, is still active today,” Unit 42 researchers said. “A key part of the popularity of this tool among threat actors is the security flaws in IoT devices.”

“These remote code execution vulnerabilities targeting IoT devices exhibit a combination of low complexity and high impact, making them attractive targets for threat actors.”
