laserzuloo.blogg.se

Drupal websites are victims of cryptojacking campaigns

Linux threats are becoming more frequent. A common type of Linux threat is cryptojacking, which is the unauthorized use of an IT system for the purpose of mining cryptocurrency. While cryptominers are well-documented, it's not often that you get an inside look. It's rare to see the dashboard of the wallets being used in an active cryptojacking campaign with dozens of victims, as well as the attacker's profit margin.

This post details an ongoing cryptojacking campaign targeting Linux machines, using exposed Docker API ports as an initial access vector to a victim's machine. The attacker then installs a Golang binary, which is undetected in VirusTotal at the time of this writing. The file serves as a Monero cryptominer installer and sets up configuration for the miner. The attack uses SSH to maintain superiority on the victim's machine, leaving a backdoor and installing its own SSH keys on the host. This campaign has been active for nearly a year.

We are certain that each day at least one payment is passed into two wallets and there are currently 95 workers. Workers are victim machines whose resources are being used to mine cryptocurrency for the attacker. A snapshot of the active workers is shown in Figure 1.

Figure 1: Snapshot of workers mining cryptocurrency for the attacker

Attack Flow

A new attack flow takes advantage of a known Docker misconfiguration, putting the host at risk for being compromised. The attacker exploits this misconfiguration to gain full control over the Docker daemon and creates a new container with access to the host's filesystem. With access to the filesystem, the attacker installs malware on the Docker host.

First, the attacker establishes a stable SSH connection by adding their own SSH key to the host and editing the configuration of the SSH service to allow password authentication. These modifications remove dependency on the misconfiguration, giving the attacker a stable connection to the victim.

Next, they install two binary files on the host: an XMRig Miner at location /usr/share/dbus-1/bin/ and an orchestrator file at /usr/share/color/. We analyzed this file and came to the conclusion that it's being used to execute XMRig Miner and to ensure it keeps running.

The orchestrator is responsible for preparing and initializing configurations for the execution of the coinminer malware. Before running the coinminer, it verifies the path /usr/share/dbus-1/bin contains two files: systemd-host (aka the miner) and the other named IBus, the miner's configuration file. The path /usr/share is not commonly seen in Linux malware and is writable only with root privileges. The path /tmp is more often seen as an installation path in Linux malware since it does not require root privileges. The attacker has root privileges because the container they escaped from has them and hence the attacker has access to /usr. Placing the files at /usr may imply that they are taking advantage of the high privileges they have in order to use this path as some sort of hiding technique that is harder to detect.

The configuration file reveals interesting insights about the miner and the attack campaign. From the configuration we can tell that the target cryptocurrency is Monero, known to be more private than other coins like Bitcoin. This means that the details of the transaction amounts and the sender/recipient identities are disguised. In addition, we found the address of the pools and the IDs of two wallets used in this campaign. The address of the pools belongs to the supportxmr domain and the wallets are still active at the time of this publication.

It's rare to find an active wallet with victim information for a few reasons. Management of the wallets is taken care of by another server that acts like a proxy so that the malware connects without providing the wallet. In some cases, the wallets are not active or have only a few workers. In this recent attack, we found a live dashboard, shown in Figure 3, that is constantly updated with new workers and paints the full picture of this campaign.

Figure 3: Screenshot of the first mining dashboard

Figure 4: Screenshot of the second mining dashboard

One of the wallets averages 95 workers while the second wallet averages four workers, meaning the campaign is still operational and has about 100 victims to date. The dashboard shows that this campaign has been active for almost a year with both wallets receiving at least one payment per day.

Insights About the Victims

Figure 5: Screenshot of the active workers, their names and hash rates

Figure 6: Screenshot from Monero benchmarks
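The attack flow described above leaves a small set of host-level traces a defender can check for: a Docker daemon reachable over plain TCP (the initial access vector), password authentication re-enabled in sshd, an unexpected entry in root's authorized_keys, the miner and its config at /usr/share/dbus-1/bin/systemd-host and /usr/share/dbus-1/bin/IBus, and an ELF binary under /usr/share/color/, a directory that normally holds only colour-profile data. The following Python audit is an added example written for this page; it is not the post's or any vendor's tooling. The indicator paths come from the text; the orchestrator's file name is not given there, so that directory is screened generically for ELF headers. The daemon.json, sshd_config and authorized_keys contents, the key strings and the fake filesystem are constructed for the demo, and the sshd parsing ignores Match blocks.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicator paths taken from the post; the orchestrator's name is not given,
# so /usr/share/color/ is screened for any ELF executable instead.
MINER_DIR = "usr/share/dbus-1/bin"
MINER_FILES = ("systemd-host", "IBus")      # miner binary and its config file
ORCHESTRATOR_DIR = "usr/share/color"        # normally holds ICC colour profiles only
ELF_MAGIC = b"\x7fELF"


def check_docker_daemon(daemon_json_text):
    """Flag a Docker daemon bound to TCP without TLS client verification,
    the exposed-API misconfiguration the post names as the entry point."""
    cfg = json.loads(daemon_json_text or "{}")
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        return [f"Docker API exposed on {', '.join(tcp_hosts)} without tlsverify"]
    return []


def check_sshd_config(text):
    """sshd takes the first non-comment value of a keyword; when the keyword is
    absent the default is 'yes'.  Match blocks are ignored (simplification)."""
    effective = None
    for line in text.splitlines():
        m = re.match(r"\s*PasswordAuthentication\s+(\S+)", line, re.IGNORECASE)
        if m and effective is None:
            effective = m.group(1).lower()
    if effective == "no":
        return []
    return [f"sshd PasswordAuthentication effectively '{effective or 'yes (default)'}'"]


def check_authorized_keys(text, allowed):
    """Flag any key line in root's authorized_keys that is not in the baseline set."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line in allowed:
            continue
        parts = line.split()
        label = parts[2] if len(parts) > 2 else parts[0]   # comment field if present
        found.append(f"unexpected authorized key: {label}")
    return found


def check_miner_files(root):
    """Flag the two artifacts the orchestrator expects before launching the miner."""
    return [f"miner artifact present: /{MINER_DIR}/{name}"
            for name in MINER_FILES if (Path(root) / MINER_DIR / name).exists()]


def check_orchestrator_dir(root):
    """Flag ELF executables under /usr/share/color, where only data files belong."""
    base = Path(root) / ORCHESTRATOR_DIR
    if not base.is_dir():
        return []
    return [f"ELF binary under /{ORCHESTRATOR_DIR}: {p.name}"
            for p in sorted(base.rglob("*"))
            if p.is_file() and p.read_bytes()[:4] == ELF_MAGIC]


def audit_host(root, daemon_json, sshd_config, authorized_keys, allowed_keys):
    """Run every check against one host image and return the combined findings."""
    return (check_docker_daemon(daemon_json) + check_sshd_config(sshd_config)
            + check_authorized_keys(authorized_keys, allowed_keys)
            + check_miner_files(root) + check_orchestrator_dir(root))


# --- constructed demo inputs: placeholder keys and config text, not real samples ---
DEMO_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
DEMO_SSHD_CONFIG = "# constructed sshd_config excerpt\n#PasswordAuthentication no\nPasswordAuthentication yes\n"
DEMO_ALLOWED_KEYS = {"ssh-ed25519 AAAAC3placeholderAdminKey admin@example"}
DEMO_AUTHORIZED_KEYS = ("ssh-ed25519 AAAAC3placeholderAdminKey admin@example\n"
                        "ssh-rsa AAAAB3placeholderUnknownKey unknown@attacker\n")


def build_demo_host():
    """Lay out the described artifacts in a temp directory standing in for '/'."""
    root = Path(tempfile.mkdtemp())
    miner = root / MINER_DIR
    miner.mkdir(parents=True)
    (miner / "systemd-host").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9)
    (miner / "IBus").write_text('{"note": "constructed miner config stand-in"}')
    color = root / ORCHESTRATOR_DIR
    color.mkdir(parents=True)
    (color / "sRGB.icc").write_bytes(b"constructed colour profile, not an ELF")
    (color / "orchestrator-placeholder").write_bytes(ELF_MAGIC + b"\0" * 12)
    return root


if __name__ == "__main__":
    for finding in audit_host(build_demo_host(), DEMO_DAEMON_JSON, DEMO_SSHD_CONFIG,
                              DEMO_AUTHORIZED_KEYS, DEMO_ALLOWED_KEYS):
        print(finding)
```

Run against a real host by passing "/" as the root together with the contents of /etc/docker/daemon.json, /etc/ssh/sshd_config and /root/.ssh/authorized_keys, and a baseline set of the keys you expect to be there. The path checks are the campaign-specific part and will age; the daemon, sshd and authorized_keys checks cover the reusable technique and are worth keeping in a routine host audit regardless of this campaign.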