A new malware family is targeting Asian cloud service providers and using compromised resources to mine cryptocurrency. The malware, CoinStomp, makes use of Timestomping, Command and Control through reverse shells, removal of target system’s cryptographic policies, and references to a previous cryptojacking campaign, Xanthe.
Cryptojacking is the process of compromising machines and using their resources to mine cryptocurrency. This attack method has grown popular as an alternative to building dedicated mining rigs, which carry large overhead costs. By compromising existing machines, attackers can mine crypto without paying for the resources. The formula is simple: the more resources an attacker controls, the more crypto they can mine. Cloud service providers are a lucrative target for cryptojacking attackers because CSPs offer solutions such as Infrastructure as a Service (IaaS), which provides compute resources directly to customers. The infrastructure is already in place; all the attacker needs to do is gain access.
Cryptojacking software is designed to run unbeknownst to the victim. To remain undetected, CoinStomp uses a technique called Timestomping. Timestomping is the manipulation of file timestamps, and it is frequently used to confuse and mislead digital forensic investigators. It lets attackers alter the access and creation records of files so that malicious files blend into the target environment. A query based on recently installed files and programs will yield little evidence if the timestamps of the malicious files have been manipulated. On Linux systems, a simple “touch” command with the “-t” flag and a made-up timestamp is enough to change the timestamp.
Using reverse shells to contact the Command and Control (C2) servers on port 443, the port normally used for HTTPS traffic, means this traffic will usually pass seamlessly through the firewall, since outbound HTTPS is not normally restricted. The reverse shell uses /dev/tcp/[host]/[port] to open a TCP connection to the designated host on the specified port. Redirecting the shell's input and output through that device gives the attacker a bidirectional (read/write) channel to the compromised host. The malware also uses curl to install additional payloads and to send status updates to the C2 servers.
To allow for successful installation of payloads, CoinStomp uses a command to remove cryptographic policy files. These policies are responsible for allowing or blocking protocols based on the cryptographic protocol version. Usually, insecure protocols will be blocked, but malware often makes use of these protocols for installations and remote connections. By disabling the cryptographic policies CoinStomp can install payloads and make the connections it needs.
CoinStomp uses the Cron scheduler to carry out its tasks, and embedded in the code is a commented-out URL, meaning there is no command that actually reaches it. Researchers at Cado Security followed the URL to http://xanthe.anondns.net:8080/files/fczyo. Xanthe was a previous cryptojacking campaign that now has ties to the Abcbot botnet and to Distributed Denial of Service (DDoS) attacks. The Xanthe cryptojacking campaign made use of a script called fczyo. This may point to a connection to the Xanthe campaign, but it is also possible that it was an attempt to mislead investigators.
The recent discovery of the CoinStomp malware family shows that attackers are knowledgeable about cloud security vulnerabilities, Linux security techniques, and how to mislead digital forensics investigators during the incident response process. Cado Security provided Indicators of Compromise (IoCs), which are pictured below.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516