Apart from cryptomining, the campaign also involves hijacking SSH credentials, hiding malicious SSH connections, and more.
Microsoft researchers have discovered a new cryptojacking campaign that leverages custom and open-source tools to target IoT (Internet of Things) devices and Linux-based systems for cryptomining (aka cryptocurrency mining).
Attackers use a backdoor that can deploy a wide range of “tools and components,” such as rootkits and IRC bots, to steal device resources. This backdoor installs a patched version of OpenSSH to hijack impacted device systems and install a cryptominer.
Once this is done, the attackers can perform a range of activities, such as moving laterally in the network, hijacking SSH credentials, and hiding malicious SSH connections, apart from cryptomining.
To hijack SSH credentials, the attackers first look for misconfigured Linux hosts and brute-force them to gain initial access. Once a target device is compromised, their first step is to disable the shell history.
Next, a trojanized OpenSSH package, “openssh-8.0p1.tgz,” is pulled from a remote server. It contains “benign OpenSSH source code and other malicious files”: backdoor binaries for the arm4l, arm5l, x86, i586, and i686 architectures, a shell script inst.sh, and an archive containing the shell script vars.sh, which holds all the files the backdoor needs to operate. After the payload is installed, inst.sh runs the backdoor binary that matches the device’s architecture.
The backdoor is a shell script compiled using the Shell Script Compiler. It allows threat actors to distribute payloads and conduct post-exploitation attacks, such as stealing and sending device information, as well as clearing Apache, nginx, httpd, and system logs to hide their malicious activities and remain undetected.
To retain SSH access, the backdoor writes two public keys into the authorized_keys file of every user on the system. It can also install the open-source logtamper utility to clear the wtmp and utmp logs, which record user sign-in sessions and system events.
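The persistence step described above, two public keys written into every user's authorized_keys, is something a routine host audit can catch. The script below is an added example and is not code from Microsoft's report or from the campaign: it parses authorized_keys entries (including ones with a leading options field), fingerprints each key the way `ssh-keygen -lf` does, and reports any key that is not on an operator-maintained allowlist, as well as entries that fail to parse. The sample keys, the APPROVED set and the `admin@example.internal` comment are constructed for the demonstration.

```python
"""Audit authorized_keys entries against an allowlist of approved key fingerprints.

Added illustration; this is not Microsoft's or the campaign's code. It assumes the
operator keeps a list of approved fingerprints (the APPROVED set here is built from
constructed sample keys) and reports any key that is not on it, plus entries that
do not parse. Fingerprints use the SHA256 form that `ssh-keygen -lf` prints.
"""
from __future__ import annotations

import base64
import hashlib
import struct
from dataclasses import dataclass
from pathlib import Path

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


@dataclass
class AuthorizedKey:
    line_no: int
    key_type: str
    fingerprint: str   # "SHA256:<base64 digest without '=' padding>"
    comment: str


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a base64-encoded public key blob, OpenSSH style."""
    blob = base64.b64decode(blob_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> tuple[list[AuthorizedKey], list[int]]:
    """Return (parsed keys, line numbers that could not be parsed).

    An entry may start with an options field such as from="..." before the key
    type, so the key type is located as the first field with a known prefix.
    """
    keys: list[AuthorizedKey] = []
    bad: list[int] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            bad.append(line_no)
            continue
        try:
            fp = fingerprint(fields[idx + 1])
        except ValueError:            # binascii.Error is a ValueError subclass
            bad.append(line_no)
            continue
        keys.append(AuthorizedKey(line_no, fields[idx], fp, " ".join(fields[idx + 2:])))
    return keys, bad


def audit(text: str, approved: set[str]) -> list[str]:
    """One finding per key not in `approved`, then one per unparsable entry."""
    keys, bad = parse_authorized_keys(text)
    findings = [
        f"line {k.line_no}: unapproved {k.key_type} key {k.fingerprint} ({k.comment or 'no comment'})"
        for k in keys if k.fingerprint not in approved
    ]
    findings += [f"line {n}: unparsable entry" for n in bad]
    return findings


def audit_all_users(approved: set[str]) -> dict[str, list[str]]:
    """Audit ~/.ssh/authorized_keys for every account in the local passwd database."""
    import pwd  # Unix-only; imported here so the parsing functions stay portable
    results: dict[str, list[str]] = {}
    for entry in pwd.getpwall():
        path = Path(entry.pw_dir) / ".ssh" / "authorized_keys"
        try:
            text = path.read_text(errors="replace")
        except FileNotFoundError:
            continue
        except OSError as err:        # e.g. permission denied when not run as root
            results[entry.pw_name] = [f"cannot read {path}: {err}"]
            continue
        findings = audit(text, approved)
        if findings:
            results[entry.pw_name] = findings
    return results


def sample_ed25519_blob(fill: int) -> str:
    """Constructed, syntactically valid ssh-ed25519 blob (32 repeated bytes, not a real key)."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)
    return base64.b64encode(blob).decode()


# Constructed sample file: an approved admin key, a foreign key with an options
# field, and a malformed entry of the kind a hand-edited file can contain.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# operator-managed keys",
    f"ssh-ed25519 {sample_ed25519_blob(1)} admin@example.internal",
    f'from="203.0.113.7" ssh-ed25519 {sample_ed25519_blob(2)} unknown',
    "garbage entry with no key type",
])
APPROVED = {fingerprint(sample_ed25519_blob(1))}

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print("sample:", finding)
    for user, findings in audit_all_users(APPROVED).items():
        for finding in findings:
            print(f"{user}: {finding}")
```

Run it as root so every home directory is readable, and extend the path list if `AuthorizedKeysFile` in sshd_config points somewhere other than the default `~/.ssh/authorized_keys`. Because the comparison is by fingerprint rather than by comment or file contents, an attacker-added key cannot pass simply by reusing an administrator's comment string.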
As Microsoft’s Threat Intel team stated in its blog post, the campaign’s goal is cryptojacking: the backdoor installs a cryptominer that illegally drains the device’s computing resources to generate revenue for the attacker. Almost all devices, tools, services, and IT infrastructure, including IoT devices, are vulnerable to cryptojacking. Before launching the miner, the backdoor kills any competing cryptomining processes already on the device.
Additionally, the backdoor runs a modified version of ZiggyStarTux, a DDoS client based on the Kaiten malware, which executes bash commands received from the attacker’s C2 server. C2 communication is routed through a subdomain of an unidentified Southeast Asian financial institution to hide the malicious traffic.
The backdoor determines whether the device is a honeypot by testing access to the virtual filesystem /proc. If it cannot access /proc, the backdoor exits. If it can, it collects device data such as the OS version and network configuration and emails it to a hardcoded address (dotsysadminprotonmailcom) or the attacker’s address. The open-source rootkits it can compile, download, or install include Reptile and Diamorphine, both available on GitHub.
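Loadable-kernel-module rootkits of the kind named above commonly hide themselves by unlinking from the kernel’s module list, which is what `lsmod` and /proc/modules read. The sysfs view under /sys/module is a separate structure and is frequently left behind, so comparing the two is a cheap first check. The script below is an added example, not Microsoft’s code or code from either rootkit project: a loaded module’s directory under /sys/module contains an `initstate` file, while built-in kernel code listed there does not, so the comparison is limited to entries that were actually loaded as modules. The sample /proc/modules lines and the `hidden_mod` name are constructed.

```python
"""Report kernel modules present in /sys/module but missing from /proc/modules.

Added illustration, not Microsoft's or any rootkit's code. Some LKM rootkits
unlink themselves from the kernel's module list (hiding from lsmod and
/proc/modules) while their sysfs directory under /sys/module remains. A module
that was loaded has a /sys/module/<name>/initstate file; built-in code does not,
which keeps built-ins out of the comparison. Sample inputs below are constructed.
"""
from __future__ import annotations

from pathlib import Path


def parse_proc_modules(text: str) -> set[str]:
    """Module names from /proc/modules content (first column of each line)."""
    names: set[str] = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def find_hidden_modules(proc_modules_text: str, sys_modules: dict[str, bool]) -> set[str]:
    """Names that sysfs says were loaded (initstate present) but /proc/modules omits.

    `sys_modules` maps each /sys/module/<name> entry to whether <name>/initstate exists.
    """
    visible = parse_proc_modules(proc_modules_text)
    return {name for name, loaded in sys_modules.items() if loaded and name not in visible}


def read_sys_modules(root: Path = Path("/sys/module")) -> dict[str, bool]:
    """Collect /sys/module entries and their initstate presence from the live system."""
    return {p.name: (p / "initstate").exists() for p in root.iterdir() if p.is_dir()}


def scan_live_system() -> set[str]:
    """Run the comparison against this host's /proc and /sys."""
    proc_text = Path("/proc/modules").read_text()
    return find_hidden_modules(proc_text, read_sys_modules())


# Constructed sample: two visible modules, one built-in entry, one unlinked module.
SAMPLE_PROC_MODULES = "\n".join([
    "ext4 819200 2 - Live 0xffffffffc0a00000",
    "nf_tables 245760 0 - Live 0xffffffffc0900000",
])
SAMPLE_SYS_MODULE = {
    "ext4": True,
    "nf_tables": True,
    "printk": False,      # built-in: no initstate file, so never reported
    "hidden_mod": True,   # constructed name standing in for an unlinked rootkit module
}

if __name__ == "__main__":
    print("sample:", find_hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE))
    try:
        print("this host:", scan_live_system() or "none")
    except OSError as err:   # e.g. not Linux, or /proc unavailable
        print("live scan unavailable:", err)
```

A rootkit that also deletes its sysfs kobject evades this check, so treat an empty result as one data point and pair it with integrity checks of the installed OpenSSH binaries and the log files the page says the backdoor clears; a positive result, on the other hand, is a strong indicator that warrants taking the host offline for forensic collection.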
Microsoft urges users to improve the security of internet-exposed devices by ensuring secure configurations, using strong passwords, and regularly updating firmware. A VPN should be preferred for remote access, and users should always use the latest version of OpenSSH.
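For the “secure configurations” recommendation, the following added example (not Microsoft’s guidance and not OpenSSH project code) audits the global section of an sshd_config against a small hardening baseline chosen for this illustration and prints the directives that would close each finding. It applies sshd’s own rules for the global section: keywords are case-insensitive, the first occurrence of a keyword wins, and directives after the first `Match` line are conditional and are left alone. The sample configuration is constructed.

```python
"""Flag weak sshd settings and emit the hardened directive for each.

Added illustration, not Microsoft's text or OpenSSH project code. It reads the
global section of an sshd_config the way sshd does: keywords are case-insensitive,
the first occurrence of a keyword wins, and everything after the first Match line
is conditional and is ignored here. The baseline values are this example's own
choices; the sample configuration is constructed.
"""
from __future__ import annotations

import re
from pathlib import Path

# (keyword, acceptable values, recommended value); None means "numeric, weak when
# above the recommended value".
BASELINE = [
    ("PasswordAuthentication", {"no"}, "no"),
    ("PermitRootLogin", {"no", "prohibit-password"}, "no"),
    ("PermitEmptyPasswords", {"no"}, "no"),
    ("KbdInteractiveAuthentication", {"no"}, "no"),
    ("MaxAuthTries", None, "3"),
]
# What sshd uses when the keyword is absent (OpenSSH defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "kbdinteractiveauthentication": "yes",
    "maxauthtries": "6",
}
# Deprecated spelling still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# "Keyword value" or "Keyword=value" (optional whitespace around a single '=').
DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_global_section(text: str) -> dict[str, str]:
    """Lowercased keyword -> value for directives before the first Match block."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = DIRECTIVE.match(line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2).strip()
        if key == "match":
            break                                  # the rest is conditional
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)            # first occurrence wins
    return settings


def audit_sshd_config(text: str) -> list[tuple[str, str, str]]:
    """(keyword, effective value, recommended value) for every weak setting."""
    effective = parse_global_section(text)
    findings: list[tuple[str, str, str]] = []
    for keyword, acceptable, recommended in BASELINE:
        value = effective.get(keyword.lower(), DEFAULTS[keyword.lower()]).lower()
        if acceptable is None:
            weak = not value.isdigit() or int(value) > int(recommended)
        else:
            weak = value not in acceptable
        if weak:
            findings.append((keyword, value, recommended))
    return findings


def hardened_directives(findings: list[tuple[str, str, str]]) -> str:
    """Directives to place in sshd_config (or an sshd_config.d file) to close the findings."""
    return "\n".join(f"{keyword} {recommended}" for keyword, _, recommended in findings)


SAMPLE_WEAK_CONFIG = """\
# constructed sshd_config for the demonstration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
MaxAuthTries 10
# the repeated keyword below has no effect: sshd keeps the first value
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    import sys
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_WEAK_CONFIG
    findings = audit_sshd_config(text)
    for keyword, value, recommended in findings:
        print(f"{keyword} is {value!r}; set it to {recommended!r}")
    print("--- hardened directives ---")
    print(hardened_directives(findings))
```

Because the parser does not follow `Include` lines, the most reliable input on distributions that ship drop-in files is the effective configuration that `sshd -T` prints (lowercase `keyword value` lines, which the parser accepts), rather than the raw /etc/ssh/sshd_config. Disabling password authentication removes the brute-force path the campaign relies on for initial access; verifying the installed OpenSSH package against the distribution’s package database (`dpkg -V openssh-server` or `rpm -V openssh-server`) addresses the trojanized-binary side of the same recommendation.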