A new version of a Linux crypto-mining malware previously used to target Docker containers in 2020 is now focusing on new cloud service providers like Huawei Cloud.
Analysis of the new campaign comes from researchers at TrendMicro, who explain how the malware has evolved with new features while retaining its previous features.
Specifically, the most recent examples commented on the firewall rule creation feature (but it’s still there) and continue to remove a network scanner to map other hosts with ports relevant to the API.
However, the new version of the malware only targets cloud environments and now searches for and removes any other cryptojacking scripts that may have previously infected the system.
While infecting a Linux system, the malicious coinminer will perform the following steps, which include removing users created by competing crypto-mining malware distributors.
After removing the users created by other threat actors, the actors add their own users, a common step for many cryptojackers targeting the cloud. However, unlike many other cryptominers, the malware adds their user accounts to the list of sudoers, giving them root access to the device.
To ensure that persistence is maintained on the device, attackers use their own ssh-RSA key to make system changes and change file permissions to a locked state.
This means that even if another actor gains access to the device in the future, they will not be able to take complete control of the vulnerable machine.
Actors install the Tor proxy service to protect communications from detection and investigation of network analysis, passing all connections through it for anonymization.
The binaries that are being removed (“linux64_shell”, “ff.sh”, “fczyo”, “xlinux”) exhibit some level of obfuscation, and TrendMicro has seen signs of deploying the UPX packer for packaging.
Actors have undergone further tampering to adjust binaries to be stealthy against automated scan and detection tool sets.
After gaining a foothold on a device, the hacker’s scripts will exploit remote systems and infect them with malicious scripts and cryptomise it.
Known vulnerabilities scanned in this attack include:
- Weak SSH passwords
- Vulnerability in Oracle WebLogic Server Product of Oracle Fusion Middleware (CVE-2020-14882)
- Redis unauthorized access or weak passwords
- Unauthorized PostgreSQL access or weak password
- SQLServer weak password
- Unauthorized access to MongoDB or weak password
- Weak File Transfer Protocol (FTP) password
CSP under bombardment
Huawei Cloud is a relatively new service, but the Chinese tech giant says it already serves more than three million customers. TrendMicro has informed Huawei of the campaign, but has yet to receive an acknowledgment.
Whether you deploy your instances, be aware that performing vulnerability assessments and malware scans may not be enough to defend against this attack. You need to assess your CSP’s security model and adjust your approach to complement it with additional protections.
These cloud-targeting crypto miners have been on the rise since the start of the year, and as crypto values soar, players will be urged to make them more powerful and harder to detect.
- Malware attacks Windows machines for the first time through the Windows Subsystem for Linux
- New malware uses Windows for Linux subsystem for stealth attacks
- Autodesk reveals it was targeted by Russian hackers SolarWinds
- Russian organizations heavily targeted by smaller ransomware gangs
- Huawei nova 8 and Huawei nova Y60 on sale now