Linux systems and IoT devices are the targets of a new cryptocurrency mining campaign.

Internet-exposed Linux systems and Internet of Things (IoT) devices are the targets of a recently observed campaign aimed at illicitly mining cryptocurrency.

According to Microsoft threat intelligence researcher Rotem Sde-Or, « the threat actors behind the attack use a backdoor that deploys a wide variety of tools and components, such as rootkits and an IRC bot, to steal device resources for mining operations. »

The backdoor also installs a patched version of OpenSSH on affected devices, which lets the threat actors steal SSH credentials, move laterally within the network, and hide their malicious SSH connections.

To gain an initial foothold, the threat actors brute-force misconfigured Linux machines. They then disable shell history and download a trojanized version of OpenSSH from a remote server.

The malicious OpenSSH package is configured to install and run the backdoor, a shell script that lets the attackers distribute additional payloads and carry out other post-exploitation tasks.

This includes exfiltrating information from the device, installing the open-source rootkits Diamorphine and Reptile from GitHub, and concealing its activity by deleting logs that could reveal its presence.

According to Microsoft, « the backdoor appends two public keys to the authorized_keys configuration files of all users on the system to ensure persistent SSH access to the device. »

Before launching its miner, the implant attempts to kill any competing cryptomining processes already running on the infected machine so that it can monopolize the host's resources.
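The persistence step quoted above leaves a distinctive footprint: the same two public keys show up in the authorized_keys file of every local account, including accounts that should never have one. The script below is an added example (not code from Microsoft's report or from the campaign) that hunts for that fan-out pattern. It builds a constructed sandbox in a temporary directory with a fake passwd file, fake home directories and fake key blobs so it runs offline; on a real host you would point `shared_keys()` at /etc/passwd instead.

```python
"""Audit authorized_keys across all local accounts for keys shared between users.

Added example, not the campaign's or Microsoft's code. All key material and
account data below is constructed for the example and is not real.
"""
import os
import tempfile
from collections import defaultdict

# Key-type tokens that start the key portion of an authorized_keys line.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-",
             "sk-ssh-ed25519", "sk-ecdsa-")

# Constructed, fake blobs standing in for the two keys the backdoor appends.
ATTACKER_KEYS = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZha2VBdHRhY2tlcktleU9uZQ backdoor-1",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGYWtlQXR0YWNrZXJLZXlUd28 backdoor-2",
]
# A constructed legitimate key that belongs to one user only.
ALICE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZha2VBbGljZUtleQ alice@laptop"


def parse_passwd(path):
    """Return {user: home_dir} from a passwd(5)-format file, skipping malformed lines."""
    homes = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) >= 7:
                homes[fields[0]] = fields[5]
    return homes


def normalize_key(line):
    """Return (keytype, blob) for an authorized_keys line, or None for comments/junk.

    An options prefix such as command="..." is tolerated by locating the
    key-type token rather than assuming it is the first field.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            return (tok, tokens[i + 1])
    return None


def read_authorized_keys(path):
    """Set of (keytype, blob) pairs in one authorized_keys file (empty if absent)."""
    keys = set()
    if not os.path.isfile(path):
        return keys
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key = normalize_key(line)
            if key:
                keys.add(key)
    return keys


def key_owners(passwd_path):
    """Map each (keytype, blob) to the sorted list of accounts whose file holds it."""
    owners = defaultdict(set)
    for user, home in parse_passwd(passwd_path).items():
        for key in read_authorized_keys(os.path.join(home, ".ssh", "authorized_keys")):
            owners[key].add(user)
    return {k: sorted(v) for k, v in owners.items()}


def shared_keys(passwd_path, min_users=2):
    """Keys present in at least min_users accounts: the backdoor's fan-out pattern."""
    return {k: u for k, u in key_owners(passwd_path).items() if len(u) >= min_users}


def build_sandbox():
    """Construct a fake passwd file and home directories under a temp dir."""
    base = tempfile.mkdtemp(prefix="sshaudit-")
    users = {"root": "root", "alice": "home/alice", "bob": "home/bob", "daemon": "usr/sbin"}
    lines = []
    for uid, (user, rel) in enumerate(users.items()):
        home = os.path.join(base, rel)
        os.makedirs(os.path.join(home, ".ssh"), exist_ok=True)
        lines.append(f"{user}:x:{uid}:{uid}:{user}:{home}:/bin/bash")
    passwd_path = os.path.join(base, "passwd")
    with open(passwd_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    # Legitimate key for alice only; attacker keys appended to every account.
    with open(os.path.join(base, "home/alice/.ssh/authorized_keys"), "w") as fh:
        fh.write(ALICE_KEY + "\n")
    for rel in users.values():
        with open(os.path.join(base, rel, ".ssh/authorized_keys"), "a") as fh:
            fh.write("\n".join(ATTACKER_KEYS) + "\n")
    return passwd_path


def run_example():
    """Build the sandbox, run the audit, print and return the flagged keys."""
    flagged = shared_keys(build_sandbox())
    for (ktype, blob), users in sorted(flagged.items()):
        print(f"SHARED {ktype} {blob[:16]}... in {len(users)} accounts: {', '.join(users)}")
    return flagged


if __name__ == "__main__":
    run_example()
```

On a live system, pair this with a package-manager integrity check of the SSH binaries (`dpkg -V openssh-server` on Debian-based hosts, `rpm -V openssh-server` on RPM-based ones) to catch the trojanized OpenSSH, and treat a missing or unset HISTFILE for interactive shells as another indicator worth explaining.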

It also installs a customized version of ZiggyStarTux, an IRC-based distributed denial-of-service (DDoS) client that can execute bash commands sent by the command-and-control (C2) server. ZiggyStarTux is based on Kaiten (also known as Tsunami), another botnet malware family.

Microsoft noted that the attackers attempt to disguise the malicious traffic by using a subdomain belonging to an undisclosed Southeast Asian financial institution for C2 communications.

Microsoft's description of the modus operandi is consistent with a recent report from the AhnLab Security Emergency Response Center (ASEC), which described attacks on exposed Linux systems using cryptomining malware and the Ziggy variant of the Tsunami botnet.

An individual using the handle asterzeu, who has been linked to the operation, has offered the toolkit for sale on the malware-as-a-service market. According to Sde-Or, the sophistication and scope of this attack demonstrate the lengths attackers will go to in order to evade detection.

Separately, Akamai and Palo Alto Networks Unit 42 report that threat actors are actively distributing the Mirai botnet malware by exploiting a number of known security flaws in routers, digital video recorders, and other network equipment.

« The Mirai botnet, discovered back in 2016, is still active today, » Unit 42 researchers said. « A significant part of the reason for its popularity among threat actors lies in the security flaws of IoT devices. »

« These remote code execution vulnerabilities targeting IoT devices exhibit a combination of low complexity and high impact, making them an irresistible target for threat actors. »


About the Author: Paul
