Romanian Hackers Actively Attacking Linux-based Machines With Weak SSH Credentials

Researchers uncovered a new active crypto-jacking attack from the APT threat group targeting Linux-based machines by taking advantage of the weak SSH credentials to deploy the crypto-malware to mine Monero cryptocurrency.

To mine cryptocurrency, attackers targeting third-party home computers or work computers are compromised and hijacked to utilize their resources known as a crypto-jacking attack.

Unlike other threat groups that can be identified based on their activities, methods, and tools, this case attackers employed an obfuscation technique that involved a Bash script complied with Shell Script to hides their identities, background and helps them go undetected.

Another Interesting fact is that the group using a previously unknown SSH bruteforcer written in Golang, also it is using a centralized API server. The brute force tool has its interface in a mix of Romanian and English that leads to a conclusion that the author of the malware is based on the Romanian threat group.

Attacking Linux Systems

During the investigation, researchers found an open directory where they found a .93joshua loader with a malicious domain mexalz.us where the malware hosted since Feb 2021 along with the other files, and some of the files are hidden that may lead to hiding their identity.

Attackers deploy and execute the malware loader once the attackers find and enter into the victims who have weak SSH credentials, also researchers found some of the others at their disposal; .purrple and .black.and all 3 loaders are obfuscated via shc.

In order to find the victims, attackers using the following 3 stages:-

  • reconnaissance: identifying SSH servers via port scanning and banner grabbing
  • credential access: identifying valid credentials via brute-force
  • initial access: connecting via SSH and executing the infection payload

Once the loader gets successfully executed, it starts gathering the device information, it establishes the HTTP POST request a communicates with the command and control server using Discord webhook to post data on the Discord channel programmatically.

Due to the sophisticated functionality of Discord webhook, its increasing use among threat actors for malware distribution, C2 Server & creating communities centered around buying and selling malware source code and services. Bitdefender researchers said.

Discord hooks are used to report on the following process:–

  • the start and finish of the tool’s execution
  • successful exploitations

According to the Bitdefender report, “In another step of its operation, the loader alters the shell configuration, overwriting the .bashrc and .bash_profile files. The auxiliary file /usr/.SQL-Unix/.SQL/.db, used to store part of the commands, is executed via the source built-in in .bashrc. This script, in turn, contains commands that overwrite .bashrc.”

Once the payload is successfully executed, the malware starts the mining process for Monero with embedded configurations of a legitimate miner named XMRig.

Researchers did not found any evidence that this campaign involved any sort of propagation with the help of compromised systems to infected the other systems.

Indicators of compromise

Samples:

sha256typenamepurpose
d73a1c77783712e67db71cbbaabd8f158bb531d23b74179cda8b8138ba15941eELF.93joshualoader
ed2ae1f0729ef3a26c98b378b5f83e99741b34550fb5f16d60249405a3f0aa33ELF.zte_errorminer
ef335e12519f17c550bba98be2897d8e700deffdf044e1de5f8c72476c374526ELF.k4m3l0tminer
9de853e88ba363b124dfce61bc766f8f42c84340c7bd2f4195808434f4ed81e3ELF.blackloader
eb0f3d25e1023a408f2d1f5a05bf236a00e8602a84f01e9f9f88ff51f04c8c94ELF.purrpleloader
dcc52c4446adba5a61e172b973bca48a45a725a1b21a98dafdf18223ec8eb8b9ELF.report_systemminer
99531a7c39e3ea9529f5f43234ca5b23cb7bb82ee54f04eff631f5ca9153e6d4ELFgoscanner
74a425bcb5eb76851279b420c8da5f57a1f0a99a11770182c356ba3160344846ELFgoscanner
9f691e132f5a2c9468f58aeac9b7aa5df894d1ad54949f87364d1df2bf005414scriptgoscanner
f53241f60a59ba20d29fab8c973a5b4c05c24865ae033fffb7cdfa799f0ad25dELFrscanner
275ef26528f36f1af516b0847d90534693d4419db369027b981f77d79f07d357scriptdabrutescanner
8beccb10b004308cadad7fa86d6f2ff47c92c95fc557bf05188c283df6942c13ELFbrutescanner
f9ed735b2b8f89f9d8edfc6a8d11a4ee903e153777b33d214c245a02636d7745ELFbrutescanner
23cf4c34f151c622a5818ade68286999ae4db7364b5d9ed7b8ed035c58116179scriptskyIRC bot
8dfdbc66ac4a38766ca1cb45f9b50e0f7f91784ad9b6227471469ae5793f6584scriptfind.shscanner
f1d4e2d8f63c3b68d56c668aafbf1c82d045814d457c9c83b37115b61c535baaarchivejack.tar.gz
3078662f56861c98f96f8bc8647ffa70522dbc22cbd7ba91b9c80bc667d2a3a9archivejuanito.tar.gz
2a8298047add78360dc3e6d5ac4a38ddb7a67deebc769b1201895afe39b8c0e1archivekamelot.tar.gz
7bfb35caf3f8760868c2985c4ccf749b14deab63ac6effd653871094fed0d5e5archivesatan.db
f6e92eff8887ee28eb56602a3588a3d39ca24a35d9f88fe2551d87dc6ced8913archivescn.tar.gz
8bf108ab897a480c44d56088662e592c088939eeb86cccaac6145de35eb3a024scriptsefu
31a88ff5c0888bcbbbd02c1c18108c884ff02fd93a476e738d22b627e24601c0archiveskamelot.tar.gz
e89b40a6e781ad80d688d1aa4677151805872b50a08aaf8aa64291456e4d476darchivePhoenixMiner.tar
2ef26484ec9e70f9ba9273a9a7333af195fb35d410baf19055eacbfa157ef251ELFbannerscanner
8970d74d96558b280567acdf147bfe289c431d91a150797aa5e3a8e8d52fb27darchiveethminer.tar
9aa8a11a52b21035ef7badb3f709fa9aa7e757788ad6100b4086f1c6a18c8ab2ELFmasscanscanner
1275e604a90acc2a0d698dde5e972ff30d4c506eae526c38c5c6aaa6a113f164scriptsetup
977dc6987a12c27878aef5615d2d417b2b518dc2d50d21300bfe1b700071d90escriptinstall
ccda60378a7f3232067e2d7cd0efe132e7a3f7c6a299e64ceba319c1f93a9aa2ELFbrutescanner

Paths:

  • /usr/bin/.locationesclipiciu
  • /var/tmp/.ladyg0g0/.pr1nc35
  • /usr/.SQL-Unix/.SQL/.db
  • /var/tmp/.SQL-Unix/.SQL/.db
  • /usr/bin/.pidsclip

Network indicators:

  • Mexalz[.]us
  • area17[.]mexalz[.]us
  • 45[.]32[.]112[.]68
  • 207[.]148[.]118[.]221
  • requests[.]arhive[.]online
  • cdn[.]arhive[.]online

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.