Linux – focus on a cryptomining attack dubbed color1337 – TEHTRIS

Executive summary

TEHTRIS Threat Hunters analyzed illicit cryptomining activity targeting Linux-based machines. The attack happened on one of our high interaction honeypots hosted in France in mid-January across a short timeframe (less than 5 minutes). Our honeypot was a Linux under Ubuntu 22.04. The cybercriminal group behind this attack employs a strategy to optimize the use of the compromised device’s resources. If the machine has enough capacity, the attacker will deploy a miner named diicot. If not, the attacker will use the device as a rebound to collect information on other potential targets. The threat actor uses a Discord server to retrieve data from the compromised machines, following a growing trend among adversaries of abusing popular messaging apps.

The threat actor has links with Romania, and we think that it might be linked to a group tracked in 2021 by other security researchers. We decided to dub this campaign Color1337, with 1337 being a form of signature from the threat actor.

Cryptomining is a threat on the rise and a five-fold increase on this type of attacks has been observed in March 2023 compared to the previous months. Without any surprise, financial gain prevails as the main goal for cyber threat actors.

Crypto-mining activity: optimizing the target’s full capacity

It is unclear how the attacker gained initial access and downloaded the malware on the machine. Our guess is that, after brute forcing SSH credentials, a shell script named uhQCCSpB (random name made up of 8 characters) was downloaded and executed on the infected machine. This is a bot which performs cryptojacking: it installs and launches a Monero miner and then tries to infect other machines. According to a paper from a researcher of the University of Zurich, published in April 2022, this bot, referred to as Linux.MulDrop.14 or UNIX_PIMINE.A, exists since 2017 and was created specifically to target Raspberry Pi devices. This fits some of the observations detailed in the analysis and might indicate that the threat actor updated this bot for this new campaign.

The uhQCCSpB script allows the attacker to send and execute commands on the infected device, which might be how the payload bash script was launched. The file named payload is a bash script, which, upon execution, performs the following actions:

First, it kills all other miners that could be on the machine, making sure that the space is clear.

Then, depending on the number of cores on the machine, it executes one of these two functions:

  • Either “FastAndSteady”, which downloads and executes the miner diicot (sha256 0314f688409e3caf1e6d0198bfff3a129e14cb0c623150ba3e29581fba6491d1) from arhivehaceru[.]com or IP address 45.139.105[.]222.
  • Or “SlowAndSteady”, which downloads the executable named Update, and downloads and executes History from the same C2 server arhivehaceru[.]com resolving to IP address 45.139.105[.]222. History is used to execute Update.

The next step is an attempt to change the password of the current account and hardcoded ones. We believe it aims at preventing other attackers to take control of the machine using the same brute-force technique. However, due to an error in the implementation, the operation never succeeds. A json file containing information regarding the new credentials, the public IP address, and the number of cores of the compromised machine is sent towards the C2 server (arhivehaceru[.]com:1337/pass), most likely to constitute a database of the infected devices under the attacker’s control.

The attacker has two different strategies to maximize the access on the compromised Linux machine. If the device has enough capacity (more than 4 cores), the diicot cryptominer is launched to take advantage of the CPU. If the machine has 4 or less cores, the SlowAndSteady option is played out.

Focus on the SlowAndSteady function

If the machine does not have the required CPU to mine cryptocurrency, it will act as a rebound to infect other hosts.

As mentioned above, the Update executable is run. Update (SHA256 e582428a5be24a1eb9eb80566a57bd0cb0431110d3c07b5ce9edd5544a3ef1b4) is a known trojan first seen in November 2022 and known, among other things, for exploiting an authentication flaw in Dasan GPON home routers (CVE-2018-10561, CVSSv3 9.8).

The Update file executes the following steps:

First, it downloads from the C2 server the file named Chrome (SHA256 14779e087a764063d260cafa5c2b93d7ed5e0d19783eeaea6abb12d17561949a) – which is a Linux Port scanner first seen in 2018 -, and the file named aliases (SHA256 cc0b01955db20101f93771f81a9fa6ab7c091cac8435529996020d4f3932a3e7), a Linux trojan known since the end of 2022.

Then, it sends to a discord webhook controlled by the attacker a json file containing the hereunder criteria:

""title"": """",""description"": ""Infected Secure Server Shell [ SSH ] on '<IP address of the infected device>'"", ""color"": 1337

The use of the Discord’s webhooks feature to store exfiltrated data had been underlined in a report published in July 2022 by security researchers of Intel741. Resorting to built-in services of popular messaging apps, such as Discord or Telegram, allows adversaries to reduce the costs of supporting a dedicated infrastructure to store data. Moreover, since these apps are widely popular, they are often overlooked by companies who do not monitor the connections to these legitimate services, giving more chances to the attacks to unfold without being stopped.

What comes next is decoding from base 64 a series of default credentials and store them in a file called protocol:

'YWRtaW4gMTIzNAphZG1pbiAxMjM0NTYKYWRtaW4gYWRtaW4KYWRtaW4gYWRtaW4xMjMKYWRtaW4gcGFzc3dvcmQKY2VudG9zIDEyMzQ1NgpjZW50b3MgY2VudG9zCmRlZmF1bHQgMQpndWVzdCBndWVzdApwb3N0Z3JlcyBwb3N0Z3Jlcwpwb3N0Z3JlcyAxMjM0NTYKcGkgcGkKaGFkb29wIGhhZG9vcApoYWRvb3AgMTIzNDU2CnNvbmFyIHNvbmFyCnNvbmFyIHNvbmFyMTIzCmxpZ2h0aG91c2UgbGlnaHRob3VzZQpkb2xwaGluc2NoZWR1bGVyIGRvbHBoaW5zY2hlZHVsZXIKcGkgcmFzcGJlcnJ5CmRlYmlhbnVzZXIgMXFhelhTV0AKcm9vdCAxCnJvb3QgMTIzCnJvb3QgMTIzNDU2CnJvb3QgMTIzNDU2Nzg5MApyb290IEFhMTIzNDU2CnJvb3QgYWRtaW4Kcm9vdCBwYXNzd29yZApyb290IHBAc3N3MHJkCnJvb3QgUEBzc3cwcmQKcm9vdCByb290CnRlc3QgdGVzdAp1Ym50IHVibnQKdXNlciB1c2VyCnJvb3QgQWRtaW5AMTIzCnRlc3QgMTIzNDU2CnRlc3QgdGVzdApnaXQgZ2l0CmdpdCAxMjM0NTYKZ3Vlc3QgZ3Vlc3QKdWJ1bnR1IHVidW50dQp1YnVudHUgMTIzNDU2Cmd1ZXN0IDEyMzQ1Ngpyb290IHRvb3IK'

Decoded from base 64:

admin 1234
admin 123456
admin admin
admin admin123
admin password
centos 123456
centos centos
default 1
guest guest
postgres postgres
postgres 123456
pi pi
hadoop hadoop
hadoop 123456
sonar sonar
sonar sonar123
lighthouse lighthouse
dolphinscheduler dolphinscheduler
pi raspberry
debianuser 1qazXSW@
root 1
root 123
root 123456
root 1234567890
root Aa123456
root admin
root password
root p@ssw0rd
root P@ssw0rd
root root
test test
ubnt ubnt
user user
root Admin@123
test 123456
test test
git git
git 123456
guest guest
ubuntu ubuntu
ubuntu 123456
guest 123456
root toor

After that, the Update file establishes persistence by adding a file named .5p4rk3l5 to crontab.

Next, the Chrome file– downloaded in the first step – is executed. We are unsure of how Chrome concretely works. However, we estimate that it might generate a list of IP addresses based on random values defined in the script and record them in an obfuscated file named bios.txt.

What happens next is unclear:  we observe that the compromised machine sends POST requests to the discord server owned by the attacker containing the following criteria:

“title”: “”, “color”: 1337, “description”: “pi:raspberry:<targeted IP address>”

We assume that the compromised machine is used as a rebound for exploration with the file aliases and sends requests to the IP addresses listed in the bios.txt file to determine whether the devices have default credentials. The attacker can then constitute a database of potential targets.

The only POST requests we saw contain Raspberry default credentials (identified as CVE-2021-38759 – CVSSv3 9.8). However, we guess that all the default credentials from the above-mentioned base 64 are tested.

Using an infected machine to collect this type of information allows the attacker to dilute the exploration phase among many other machines and IP addresses, making it harder to trace back to the original source of the attack.

About the threat actor behind this malicious activity

The payload bash script contains Romanian language, which provides indications on the region of origin of the actor who wrote it. It is worth noting that DIICOT (the name given to the miner which was first seen in the wild in October 2022), is quite ironically the acronym of Romanian agency investigation organized crime, cybercrime, financial crime, and terrorism. Moreover, the actor refers to himself as ElPatrono1337, with 1337 being a recurrent value in the attack: it is the port on which the actor retrieves data from the compromised machines, as well as the color value chosen as a parameter for the discord webhooks. 1337 refers to leetspeak, a system of modified spellings using ASCII values. By extend, leet is a programming language that can make network connections and is popular among hackers. For those reasons, we decided to dub this campaign Color1337.

A Romanian group behind a cryptojacking campaign tracked by BitDefender in 2021 used a crontab file named .5p4rk3l5. Given that the script “Update” refers to a file with the same name, and the link established with Romania, a hypothesis could be that the same group is behind this attack and has updated their tools.

According to Valhalla website, the 2020 Yara rule that matches the Payload bash script has been increasingly triggered in the month of March (times 5 in comparison with February), showing the urgency to protect against these types of attacks.

TEHTRIS protects you

TEHTRIS XDR Platform protects you from this threat:

  • TEHTRIS NTA detects SSH scans, which is the initial access of this attack scheme
  • TEHTRIS EDR detects the payload bash script and the Update file as a Scheduled Task
  • TEHTRIS EDR detects the aliases file as malicious
  • TEHTRIS DNS Firewall blocks connections to the C2 servers
  • TEHTIRS CTI analyzes all files executed on the device and alerts on suspicious behaviour

This campaign of attacks is yet another reminder that default credentials are massively abused by threat actors, as illustrated in our bi-monthly honeypots’ reports on the tehtris.com blog. Be safe and use robust passwords.

IoC

Infrastructure:

185.225.74[.]231

arhivehaceru[.]com

45.139.105[.]222

139.99.123[.]196

https[:]//discord[.]com/api/webhooks/1036225255049531422/qyOrT3SxHaOC9yS2NQiPxlSMYmRFFIpU-rMKzmcDv9pQyP4uaZEiZXDXioUtf0DJLUB

https[:]//discord[.]com/api/webhooks/965651135102865479/PFdU4u8yZrn0XhzIKShcaxL3_IaBjsstYmFEXlThF2_1XCnwXSAjKos3ptwKYpPyGqvI

https[:]//discord[.]com/api/webhooks/1036206037373571082/9bs01KrT-TrcbSAPI_iadV1Bhn56A4X4fxzCYEw3zMq95H1mFvlKWb6-KYzvEoVfTnS

Files used in the attack:

system-cleaner.pl

cleaner.pl

payload

bios.txt

diicot – SHA256 0314f688409e3caf1e6d0198bfff3a129e14cb0c623150ba3e29581fba6491d1

Update – SHA256 e582428a5be24a1eb9eb80566a57bd0cb0431110d3c07b5ce9edd5544a3ef1b4

Chrome – SHA256 14779e087a764063d260cafa5c2b93d7ed5e0d19783eeaea6abb12d17561949a

aliases – SHA256 cc0b01955db20101f93771f81a9fa6ab7c091cac8435529996020d4f3932a3e7

History – SHA256 e9bbe9aecfaea4c738d95d0329a5da9bd33c04a97779172c7df517e1a808489c

uhQCCSpB – SHA256 6d1fe6ab3cd04ca5d1ab790339ee2b6577553bc042af3b7587ece0c195267c9b

Source: https://tehtris.com/en/blog/linux-focus-on-a-cryptomining-attack-dubbed-color1337