A campaign has recently emerged with the objective of mining cryptocurrency by targeting Linux systems and Internet of Things (IoT) devices accessible over the Internet.
Researchers at Microsoft have identified that the threat actors behind this campaign employ a backdoor to exploit device resources for mining operations. The backdoor includes rootkits, an IRC bot, and various tools.
One significant aspect of the attack is installing a modified version of OpenSSH on compromised devices. It allows the threat actors to hijack SSH credentials, move laterally within the network, and hide malicious SSH connections.
Initial access comes from brute-forcing misconfigured Linux hosts. Once in, the attackers disable shell history and retrieve a tampered version of OpenSSH from a remote server.
The tampered OpenSSH package helps install and execute the backdoor, a shell script enabling the attackers to distribute additional payloads and carry out post-exploitation activities. These activities involve exfiltrating device information, installing open-source rootkits such as Diamorphine and Reptile from GitHub, and covering their tracks by clearing logs.
Maintaining persistent SSH access, the backdoor adds two public keys to the authorized_keys configuration files of all users on the compromised system. Additionally, it terminates existing cryptocurrency mining processes before launching its miner to monopolize the infected system’s resources.
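The persistence step described above, adding public keys to every user's authorized_keys, leaves a file-level trace a defender can audit. The following Python script is an added example, not code from the Microsoft report or from the malware: it parses each account's `~/.ssh/authorized_keys` (including the optional options field such as `from=` or `command=`), computes the same SHA256 fingerprint `ssh-keygen -lf` prints, and reports any key whose fingerprint is not on an allow-list. The allow-list, the two sample keys, the account names and the temporary home directories in `demo()` are all constructed for the example.

```python
import base64
import hashlib
import json
import os
import tempfile

# Key types that can appear in authorized_keys; an options field may precede them.
KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


def parse_authorized_keys(text):
    """Return (options, key_type, blob_b64, comment) tuples for each key line.

    The options field is everything before the key type token, so lines like
    'from="10.0.0.0/8",no-pty ssh-rsa AAAA... comment' are handled.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # not a key line we understand
        entries.append((" ".join(tokens[:idx]), tokens[idx],
                        tokens[idx + 1], " ".join(tokens[idx + 2:])))
    return entries


def fingerprint(blob_b64):
    """SHA256 fingerprint in the unpadded base64 form ssh-keygen -lf prints."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unexpected_keys(text, allowed_fingerprints):
    """Return every key not on the allow-list; malformed blobs are flagged too."""
    flagged = []
    for options, key_type, blob, comment in parse_authorized_keys(text):
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            fp = "MALFORMED"
        if fp not in allowed_fingerprints:
            flagged.append({"type": key_type, "fingerprint": fp,
                            "options": options, "comment": comment})
    return flagged


def audit_all_users(allowed_fingerprints, passwd_entries=None):
    """Map account name -> flagged keys for every home directory.

    passwd_entries is an iterable of (username, home) pairs; when omitted the
    real account database is read via the pwd module (Unix only).
    """
    if passwd_entries is None:
        import pwd
        passwd_entries = [(p.pw_name, p.pw_dir) for p in pwd.getpwall()]
    report = {}
    for name, home in passwd_entries:
        path = os.path.join(home, ".ssh", "authorized_keys")
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            flagged = unexpected_keys(fh.read(), allowed_fingerprints)
        if flagged:
            report[name] = flagged
    return report


# Constructed sample file: the blobs are arbitrary base64, not real keys.
SAMPLE = """# legitimate admin key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxlZ2l0aW1hdGUtYWRtaW4ta2V5 admin@host

from="10.0.0.0/8",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/dW5rbm93bi1rZXk1 unknown@attacker
"""


def demo():
    """Run the audit against a constructed home directory and return the report."""
    allowed = {fingerprint(parse_authorized_keys(SAMPLE)[0][2])}  # trust only admin@host
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")
        os.makedirs(os.path.join(victim, ".ssh"))
        with open(os.path.join(victim, ".ssh", "authorized_keys"), "w") as fh:
            fh.write(SAMPLE)
        nokeys = os.path.join(tmp, "nokeys")  # account without an authorized_keys file
        os.makedirs(nokeys)
        return audit_all_users(allowed, [("victim", victim), ("nokeys", nokeys)])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as root so every home directory is readable, and feed `allowed_fingerprints` from a baseline taken before exposure. Because the campaign also replaces the OpenSSH binary itself, pair this file audit with package verification (`dpkg -V openssh-server` or `rpm -V openssh-server`), since a tampered sshd can honour keys that never appear in authorized_keys.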
The backdoor also operates a modified version of ZiggyStarTux, an IRC-based distributed denial-of-service (DDoS) client capable of executing bash commands from a command-and-control (C2) server. This revised version leverages the Kaiten botnet malware called Tsunami.
Microsoft has observed that the attacks use a subdomain of an undisclosed Southeast Asian financial institution for command-and-control communications to obfuscate the malicious traffic.
Microsoft’s findings align with a recent report from AhnLab Security Emergency Response Center (ASEC) that highlighted similar attacks targeting exposed Linux servers with crypto mining malware.
The campaign, associated with an actor named Asterzeu, utilizes a variant of the Ziggy botnet known as Tsunami. The toolkit for this campaign is available for sale on the malware-as-a-service market. The complexity and scale of this attack indicate the lengths to which attackers go to avoid detection, as mentioned by Rotem Sde-Or, a researcher at Microsoft.
These developments are occurring alongside threat actors actively exploiting well-known security vulnerabilities in routers, digital video recorders, and other network software to distribute the Mirai botnet malware.
Akamai and Palo Alto Networks Unit 42 have reported ongoing exploitation of these vulnerabilities. The Mirai botnet, discovered in 2016, remains active because security flaws are so prevalent in IoT devices. The simplicity and significant impact of remote code execution vulnerabilities in IoT devices make these devices an attractive target for threat actors.