A crypto mining campaign has been running for years, and the defence evasion techniques it uses to stay undiscovered are constantly developing. The campaign is called Autom after the shell script that launches the attack.
Malware campaigns by Autom
According to analysts, the campaign has been running for three years and has evolved in order to remain undetected.
- It was first observed in 2019, and since then 84 attacks utilising the same shell script have been discovered.
- Attackers began bypassing security features in 2020, and in 2021 they began using an obfuscated script.
- In the third quarter of 2021 alone, attackers launched at least 125 attacks.
Malicious software activities
Early attacks involved running a malicious command in a vanilla container image, alpine:latest; the command then downloaded a shell script called autom[.]sh.
In the years since, the command run against the official image to perform the attack has remained largely unchanged. The shell script, however, is now fetched from a different site.
The shell script initiates the attack by creating a new user account (akay) and elevating its privileges to root, which lets the attackers run arbitrary commands and mine cryptocurrency.
Malware’s Development
The campaign’s early attacks in 2019 lacked the obfuscation techniques it later developed.
To bypass security tools, the malware disables security systems and fetches an obfuscated mining shell script that has been Base64-encoded five times.
The attackers added further concealment by downloading the log rotate[.]bin script and using it to start cryptomining through a new cron job that launches mining every 55 minutes.
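As an added illustration of how a defender can triage the two artefacts described above (a script Base64-encoded several times over and a step-scheduled cron job), the following Python helper peels nested `echo <b64> | base64 -d | sh` stages and flags cron entries with a minute-field step such as `*/55`. This is example code, not from the original report; the crontab, paths and miner command are constructed placeholders.

```python
import base64
import re
from typing import Dict, List

# One nested obfuscation stage: echo <base64> | base64 -d (| sh)
_B64_STAGE = re.compile(r"echo\s+([A-Za-z0-9+/=]{8,})\s*\|\s*base64\s+(?:-d|--decode)")
# Five whitespace-separated schedule fields followed by the command
_CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def wrap_layers(cmd: str, layers: int) -> str:
    """Build a constructed test payload: `cmd` wrapped in `layers` base64|sh stages."""
    for _ in range(layers):
        cmd = "echo " + base64.b64encode(cmd.encode()).decode() + " | base64 -d | sh"
    return cmd

def peel_base64(cmd: str, max_layers: int = 10):
    """Decode nested base64 stages; return (innermost command, layers peeled)."""
    depth = 0
    while depth < max_layers:
        m = _B64_STAGE.search(cmd)
        if not m:
            break
        try:
            cmd = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break  # not valid base64 text: stop peeling and keep what we have
        depth += 1
    return cmd, depth

def triage_crontab(lines: List[str]) -> List[Dict]:
    """Return one finding per cron entry that is base64-obfuscated or step-scheduled."""
    findings = []
    for line in lines:
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = _CRON_LINE.match(line.strip())
        if not m:
            continue
        minute, command = m.group(1), m.group(6)
        step = int(minute[2:]) if minute.startswith("*/") and minute[2:].isdigit() else None
        inner, layers = peel_base64(command)
        if layers or step:
            findings.append({"line": line, "minute_step": step, "layers": layers, "command": inner})
    return findings

# Constructed sample crontab (placeholder paths, not the campaign's real artefacts)
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/apt-get update",
    "*/55 * * * * " + wrap_layers("/tmp/PLACEHOLDER_miner --pool PLACEHOLDER", 5),
]

if __name__ == "__main__":
    for f in triage_crontab(SAMPLE_CRONTAB):
        print(f"step={f['minute_step']} layers={f['layers']} cmd={f['command']}")
```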
Conclusion
The threat actors behind the Autom campaign have shown a high level of proficiency in launching attacks while remaining undetected. Security teams must strengthen their defences before such attacks reach them.