Internet-facing Linux systems and Internet of Things (IoT) devices are being targeted as part of a new campaign designed to illegally mine cryptocurrencies.
“The threat actor behind the attack uses a backdoor that deploys various tools and components such as rootkits and IRC bots to steal device resources for mining operations,” Microsoft threat intelligence researcher Rotem Sde-Or said.
“The backdoor also installs a patched version of OpenSSH on the affected devices, allowing threat actors to hijack SSH credentials, move laterally within the network, and hide malicious SSH connections.”
To carry out the scheme, misconfigured Linux hosts are brute-forced to gain initial access, after which the threat actor disables shell history and fetches a trojanized version of OpenSSH from a remote server.
The rogue OpenSSH package is configured to install and launch the backdoor, a shell script that lets the attackers distribute additional payloads and carry out other post-exploitation activity.
This includes exfiltrating information about the device, installing the open-source rootkits Diamorphine and Reptile from GitHub, and taking steps to obfuscate its activity by deleting logs that could alert defenders to its presence.
“To ensure persistent SSH access to the device, the backdoor adds two public keys to the authorized_keys configuration file of all users on the system,” the Windows maker said.
The implant also seeks to monopolize the infected system’s resources by eliminating competing crypto mining processes that may already be running on it prior to launching its miners.
Additionally, it runs a modified version of ZiggyStarTux, an IRC-based distributed denial-of-service (DDoS) client capable of executing bash commands issued from a command-and-control (C2) server. It is based on another botnet malware called Kaiten (aka Tsunami).
The attack, the tech giant said, leveraged an unnamed Southeast Asian financial institution subdomain for C2 communications in an attempt to disguise malicious traffic.
It’s worth pointing out that the modus operandi detailed by Microsoft overlaps with a recent report from the AhnLab Security Emergency Response Center (ASEC), which detailed attacks targeting exposed Linux servers with crypto mining malware and a Tsunami botnet variant dubbed Ziggy.
The operation has been traced back to an actor named asterzeu, who has offered the toolkit for sale on the malware-as-a-service market. The complexity and scope of this attack demonstrate the effort attackers go to in order to evade detection, Sde-Or said.
The development comes as several known security flaws in routers, digital video recorders, and other network software are being actively exploited by threat actors to spread the Mirai botnet malware, according to Akamai and Palo Alto Networks Unit 42.
“The Mirai botnet, discovered in 2016, is still active today,” Unit 42 researchers said. “A significant part of the reason for its popularity among threat actors lies in the security flaws of IoT devices.”
“Remote code execution vulnerabilities targeting IoT devices exhibit a combination of low complexity and high impact, making them an irresistible target for threat actors.”