Security analysts from Team Nautilus at Aqua Security have recently caught an ongoing malicious cryptomining campaign that has upgraded to the next level, evolving new TTPs such as:-
- Defense mechanisms
- Evasion tactics
This cryptomining malware has been named “Autom,” and since the campaign has evolved, it is speculated to have adopted several malicious tactics to hide the attack and evade the checks of security solutions.
Autom campaign and its evolution
A total of 84 attacks against its honeypot servers have been recorded since the campaign was first spotted in 2019, and four of those attacks occurred in 2021. In the third quarter of 2021 alone, after evolving, the attackers launched more than 125 attacks in the wild.
The campaign has been named “Autom” only because of the shell script it uses, and over this time period the threat actors have changed and evolved all of their tactics.
When this malicious cryptomining campaign was first spotted in 2019, the attack command was executed during the run of a vanilla alpine:latest image, which caused a shell script named autom.sh to be downloaded.
Here’s what the security analysts stated:-
“Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use.”
After the shell script is downloaded, the malware begins its attack sequence, in which the threat actors create a new user account named “akay” with root privileges.
At this stage, the attacker abuses the root privileges to execute arbitrary commands on the compromised system and mine cryptocurrency. To get around security tools, the malware retrieves a mining shell script obfuscated with five layers of Base64 encoding.
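The two behaviours described above (a second UID-0 account and a script wrapped in several layers of Base64) are both things a defender can check for mechanically. The following is an added example, not code from the Aqua report or the campaign: it peels nested Base64 layers out of a shell script and flags tokens that needed three or more decodes, and it lists any /etc/passwd entry other than root that carries UID 0. The sample script and passwd content are constructed here; the harmless echo payload and the "akay" line stand in for the real artifacts, whose contents the report does not reproduce.

```python
import base64
import binascii
import re

# Matches runs of Base64 alphabet long enough to be worth decoding (>= 40 chars).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def wrap_base64(payload: str, layers: int) -> str:
    """Helper used only to build the constructed sample: encode `payload` `layers` times."""
    data = payload.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


# Constructed sample: a harmless command wrapped in five Base64 layers, mimicking the
# layered encoding described for the Autom mining script. Not the real script.
SAMPLE_SCRIPT = (
    "echo " + wrap_base64("echo mining-payload-placeholder", 5)
    + " | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | sh"
)

# Constructed /etc/passwd excerpt with an extra UID-0 account named "akay".
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
akay:x:0:0::/home/akay:/bin/sh
"""


def peel_base64(blob: str, max_layers: int = 10):
    """Strictly decode nested Base64 until the data is no longer valid Base64.

    Returns (layers_removed, innermost_text). validate=True makes the decoder
    reject anything with non-alphabet characters (spaces, pipes, ...), so
    decoding stops exactly when the plaintext command is reached.
    """
    current = blob.encode()
    layers = 0
    while layers < max_layers:
        try:
            current = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        layers += 1
    return layers, current.decode("utf-8", errors="replace")


def scan_script(script: str, layer_threshold: int = 3):
    """Return findings for every Base64-looking token with >= layer_threshold layers."""
    findings = []
    for match in B64_TOKEN.finditer(script):
        layers, inner = peel_base64(match.group(0))
        if layers >= layer_threshold:
            findings.append({"layers": layers, "inner": inner})
    return findings


def extra_uid0_accounts(passwd_text: str):
    """Return account names other than 'root' whose UID field is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(f"{finding['layers']} Base64 layers hide: {finding['inner']!r}")
    print("extra UID-0 accounts:", extra_uid0_accounts(PASSWD_SAMPLE))
```

Run it against real input by reading a suspect script and /etc/passwd from the host or container filesystem. Single-layer Base64 is common in legitimate tooling, so the layer threshold (three here) is what keeps the check from being noisy; a finding is a trigger to inspect the decoded command, not proof of compromise on its own.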
The founder and CTO of Bugcrowd, Casey Ellis, stated:-
“Evading detection for as long as possible to maximize their time on target and potential for a return has become a core part of an attacker’s job.”
To mitigate this, the experts have made the following recommendations:-
- Perform dynamic image analysis
- Monitor container activity
- Check your environment for misconfigured APIs
- Limit unsecured inbound or outbound communication
These are the four key mitigation points that users should follow to stay safe from such malicious malware and campaigns.