OpenSSH Trojan Campaign Targets IoT and Linux Systems

Security researchers have uncovered sophisticated attack campaigns that use custom and open-source tools to target Linux-based systems and Internet of Things (IoT) devices.

According to a new Microsoft blog post, attackers used a patched version of OpenSSH to take control of compromised devices and install cryptomining malware.

For more information about this type of malware, see Satacom Malware Campaign Steals Crypto Via Stealthy Browser Extension.

This attack campaign involves an established criminal infrastructure using subdomains belonging to financial institutions in Southeast Asia as command and control (C2) servers.

Attackers used backdoors to deploy various tools such as rootkits and IRC bots to steal device resources for cryptocurrency mining operations.

Additionally, the backdoor installed a modified version of OpenSSH that allowed the attacker to hijack SSH credentials, move laterally within the network, and hide malicious SSH connections.

As far as the attack chain goes, the attackers started by brute-forcing credentials on misconfigured internet-connected Linux devices.

Once a device was compromised, the attackers downloaded and installed a malicious OpenSSH package, giving them persistent access and the ability to intercept SSH credentials. The modified OpenSSH build mimicked a legitimate server, making detection more difficult.

Additionally, the backdoor deployed open-source rootkits such as Diamorphine and Reptile to hide its presence on compromised systems.

The backdoor also established communication with a remote command and control server via an IRC bot called ZiggyStarTux, which allowed attackers to issue commands and launch distributed denial of service (DDoS) attacks.

Microsoft recommends several mitigations in its advisory to protect devices and networks from this threat.

These include ensuring secure configurations of internet-connected devices, maintaining the latest firmware and patches, using secure VPN services for remote access, and deploying comprehensive IoT security solutions.
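The two points a defender can act on directly are the initial-access step (credential brute-forcing against password-enabled SSH) and the "secure configuration" mitigation. The script below is an added example, not code from the article or from Microsoft's advisory: it audits an `sshd_config` for the weak settings that make password guessing viable (treating absent directives as sshd's documented defaults) and flags brute-force activity in auth.log-style lines, including the tell-tale successful password login that follows a burst of failures. The threshold, the hardened baseline values and all log and config text are constructed assumptions.

```python
"""Added defender-side example: audit sshd_config for brute-force-friendly settings
and flag SSH credential-guessing in auth.log style lines. Sample data is constructed."""
import re
from collections import defaultdict

# Hardened baseline (assumption: a reasonable IoT/Linux baseline, not from the article).
HARDENED_DIRECTIVES = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
}

# Values sshd applies when a directive is absent (OpenSSH documented defaults).
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd_config(text):
    """Return the effective global value of each directive. The first occurrence
    wins, as in sshd; directives inside Match blocks are conditional and skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            values.setdefault(key, parts[1].strip())
    return values


def audit_sshd_config(text):
    """Return (directive, effective_value, expected_value) for every deviation
    from the hardened baseline, resolving absent directives to sshd defaults."""
    values = parse_sshd_config(text)
    findings = []
    for directive, expected in HARDENED_DIRECTIVES.items():
        effective = values.get(directive, SSHD_DEFAULTS[directive]).lower()
        if effective != expected:
            findings.append((directive, effective, expected))
    return findings


def detect_bruteforce(lines, threshold=5):
    """Group failed password logins by source IP and report sources at or above
    the threshold, together with any password login that succeeded from them."""
    failures = defaultdict(list)   # ip -> usernames tried
    accepted = defaultdict(list)   # ip -> (method, user) of successful logins
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m["ip"]].append((m["method"], m["user"]))
    report = {}
    for ip, users in failures.items():
        if len(users) < threshold:
            continue
        # A password login succeeding right after repeated failures from the same
        # source is the signature of a guessed credential, i.e. likely compromise.
        guessed = [u for meth, u in accepted.get(ip, []) if meth == "password"]
        report[ip] = {"failures": len(users), "users": sorted(set(users)),
                      "guessed_login": guessed}
    return report


# Constructed samples: a factory-style weak config and a hardened one.
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_CONFIG = ("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"
                   "PubkeyAuthentication yes\n")

# Constructed auth.log excerpt: one guessing source that eventually gets in, one benign typo.
SAMPLE_AUTH_LOG = [
    "Jun 22 10:01:01 iot-gw sshd[812]: Failed password for root from 198.51.100.23 port 51022 ssh2",
    "Jun 22 10:01:02 iot-gw sshd[813]: Failed password for root from 198.51.100.23 port 51024 ssh2",
    "Jun 22 10:01:03 iot-gw sshd[814]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2",
    "Jun 22 10:01:04 iot-gw sshd[815]: Failed password for invalid user pi from 198.51.100.23 port 51036 ssh2",
    "Jun 22 10:01:05 iot-gw sshd[816]: Failed password for invalid user ubnt from 198.51.100.23 port 51040 ssh2",
    "Jun 22 10:01:06 iot-gw sshd[817]: Accepted password for root from 198.51.100.23 port 51044 ssh2",
    "Jun 22 10:05:00 iot-gw sshd[830]: Failed password for alice from 203.0.113.7 port 40000 ssh2",
    "Jun 22 10:05:10 iot-gw sshd[831]: Accepted publickey for alice from 203.0.113.7 port 40010 ssh2",
]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "config findings:", audit_sshd_config(cfg))
    print("brute-force report:", detect_bruteforce(SAMPLE_AUTH_LOG))
```

The config audit deliberately resolves missing directives to sshd's defaults, since a config that never mentions `PasswordAuthentication` is still password-enabled; the log check reports the usernames tried, which on this sample look like the default-account list such campaigns cycle through.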

Microsoft’s blog post comes weeks after the company announced new integrations of its OpenAI technology into its services.
