Researchers have uncovered an active crypto-jacking campaign in which a threat group targets Linux machines with weak SSH credentials and deploys malware that mines Monero.
Crypto-jacking is the hijacking of third-party computers, at home or at work, so that their resources can be used to mine cryptocurrency for the attacker.
Whereas most threat groups can be identified by their activities, methods and tools, these attackers obfuscate their tooling by compiling Bash scripts into ELF binaries with shc (the Shell Script Compiler), which hides the script contents from casual inspection, conceals their identity and background, and helps them stay undetected.
Another interesting detail is that the group uses a previously unknown SSH brute-forcer written in Go that relies on a centralized API server. The tool's interface mixes Romanian and English, which suggests its author belongs to a Romanian threat group.
Attacking Linux Systems
During the investigation, researchers found an open directory on the malicious domain mexalz.us, where the malware had been hosted since at least February 2021. It contained the .93joshua loader along with other files, some of them hidden (dot-prefixed names), which keeps the tooling out of casual view and helps conceal the group's identity.

Once the attackers find a victim with weak SSH credentials and log in, they deploy and execute the malware loader. Researchers also found two other loaders at their disposal, .purrple and .black; all three loaders are obfuscated with shc.
To find and compromise victims, the attackers proceed in three stages:
- reconnaissance: identifying SSH servers via port scanning and banner grabbing
- credential access: identifying valid credentials via brute-force
- initial access: connecting via SSH and executing the infection payload
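As an added illustration (not code from the Bitdefender report or from the campaign's tooling), the following Python script shows what those three stages look like from the defender's side in sshd's auth log: banner-grab probes from a scanner, a password spray from one source, and the accepted password login that turns credential access into initial access. The log excerpt, hostnames, IP addresses and the 5-failures-in-10-minutes threshold are constructed for the demo and are assumptions, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt (not from the Bitdefender report). One source,
# 198.51.100.23, grabs the banner, sprays passwords and finally gets in as root;
# 203.0.113.7 is a legitimate admin with one typo in their password.
SAMPLE_AUTH_LOG = """\
Jul  5 03:13:40 web1 sshd[2099]: Did not receive identification string from 198.51.100.23 port 49990
Jul  5 03:14:01 web1 sshd[2101]: Failed password for root from 198.51.100.23 port 50112 ssh2
Jul  5 03:14:03 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 50118 ssh2
Jul  5 03:14:04 web1 sshd[2105]: Failed password for root from 198.51.100.23 port 50120 ssh2
Jul  5 03:14:06 web1 sshd[2107]: Failed password for invalid user oracle from 198.51.100.23 port 50124 ssh2
Jul  5 03:14:07 web1 sshd[2109]: Failed password for root from 198.51.100.23 port 50126 ssh2
Jul  5 03:14:09 web1 sshd[2111]: Accepted password for root from 198.51.100.23 port 50130 ssh2
Jul  5 03:20:44 web1 sshd[2140]: Accepted publickey for deploy from 203.0.113.7 port 41022 ssh2
Jul  5 03:21:10 web1 sshd[2142]: Failed password for deploy from 203.0.113.7 port 41030 ssh2
"""

TS = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
AUTH_RE = re.compile(TS + r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
# Logged by OpenSSH when a client connects, reads the server banner and drops
# the connection without sending its own version string: typical of scanners.
PROBE_RE = re.compile(TS + r"Did not receive identification string from (?P<ip>[\d.]+)")


def parse_time(s):
    # syslog timestamps carry no year; only deltas within one log matter here
    return datetime.strptime(s, "%b %d %H:%M:%S")


def parse_events(log_text):
    """Return (auth_events, probes): auth_events is a list of
    (ts, result, method, user, ip); probes maps ip -> banner-grab count."""
    auth, probes = [], defaultdict(int)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            auth.append((parse_time(m["ts"]), m["result"], m["method"], m["user"], m["ip"]))
            continue
        m = PROBE_RE.match(line)
        if m:
            probes[m["ip"]] += 1
    return auth, probes


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP with >= threshold failed password attempts inside a
    sliding `window` to a finding. accepted_after lists the users for which a
    *password* login from the same IP succeeded once the threshold was crossed,
    i.e. the spray worked and initial access followed."""
    auth, probes = parse_events(log_text)
    failures, users = defaultdict(list), defaultdict(set)
    for ts, result, method, user, ip in auth:
        if result == "Failed" and method == "password":
            failures[ip].append(ts)
            users[ip].add(user)

    findings = {}
    for ip, stamps in failures.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            burst = [t for t in stamps[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            crossed = burst[threshold - 1]   # the attempt that crossed the threshold
            findings[ip] = {
                "failed": len(stamps),
                "usernames": sorted(users[ip]),
                "banner_probes": probes.get(ip, 0),
                "accepted_after": [u for ts, r, m, u, src in auth
                                   if src == ip and r == "Accepted" and m == "password"
                                   and ts >= crossed],
            }
            break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, finding)
```

Run against a real `/var/log/auth.log` by passing its contents to `detect_bruteforce`; a non-empty `accepted_after` list is the case to escalate, since a password login that follows a spray from the same source is exactly the hand-off from credential access to initial access described above.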
Once the loader runs, it gathers device information and sends it with an HTTP POST to a Discord webhook, which posts the data to a Discord channel programmatically; the webhook is how the malware talks to its command-and-control infrastructure.
Because of the sophisticated functionality of Discord webhooks, their use among threat actors is increasing for malware distribution, C2 servers and creating communities centered around buying and selling malware source code and services, Bitdefender researchers said.
Discord webhooks are used to report on the following:
- the start and finish of the tool’s execution
- successful exploitations
According to the Bitdefender report, "In another step of its operation, the loader alters the shell configuration, overwriting the .bashrc and .bash_profile files. The auxiliary file /usr/.SQL-Unix/.SQL/.db, used to store part of the commands, is executed via the source built-in in .bashrc. This script, in turn, contains commands that overwrite .bashrc."
Once the payload runs, the malware starts mining Monero using an embedded configuration for XMRig, a legitimate open-source miner.
Researchers found no evidence that the campaign used compromised systems to propagate to other systems.
Indicators of compromise
Samples:
| sha256 | type | name | purpose |
|---|---|---|---|
| d73a1c77783712e67db71cbbaabd8f158bb531d23b74179cda8b8138ba15941e | ELF | .93joshua | loader |
| ed2ae1f0729ef3a26c98b378b5f83e99741b34550fb5f16d60249405a3f0aa33 | ELF | .zte_error | miner |
| ef335e12519f17c550bba98be2897d8e700deffdf044e1de5f8c72476c374526 | ELF | .k4m3l0t | miner |
| 9de853e88ba363b124dfce61bc766f8f42c84340c7bd2f4195808434f4ed81e3 | ELF | .black | loader |
| eb0f3d25e1023a408f2d1f5a05bf236a00e8602a84f01e9f9f88ff51f04c8c94 | ELF | .purrple | loader |
| dcc52c4446adba5a61e172b973bca48a45a725a1b21a98dafdf18223ec8eb8b9 | ELF | .report_system | miner |
| 99531a7c39e3ea9529f5f43234ca5b23cb7bb82ee54f04eff631f5ca9153e6d4 | ELF | go | scanner |
| 74a425bcb5eb76851279b420c8da5f57a1f0a99a11770182c356ba3160344846 | ELF | go | scanner |
| 9f691e132f5a2c9468f58aeac9b7aa5df894d1ad54949f87364d1df2bf005414 | script | go | scanner |
| f53241f60a59ba20d29fab8c973a5b4c05c24865ae033fffb7cdfa799f0ad25d | ELF | r | scanner |
| 275ef26528f36f1af516b0847d90534693d4419db369027b981f77d79f07d357 | script | dabrute | scanner |
| 8beccb10b004308cadad7fa86d6f2ff47c92c95fc557bf05188c283df6942c13 | ELF | brute | scanner |
| f9ed735b2b8f89f9d8edfc6a8d11a4ee903e153777b33d214c245a02636d7745 | ELF | brute | scanner |
| 23cf4c34f151c622a5818ade68286999ae4db7364b5d9ed7b8ed035c58116179 | script | sky | IRC bot |
| 8dfdbc66ac4a38766ca1cb45f9b50e0f7f91784ad9b6227471469ae5793f6584 | script | find.sh | scanner |
| f1d4e2d8f63c3b68d56c668aafbf1c82d045814d457c9c83b37115b61c535baa | archive | jack.tar.gz | |
| 3078662f56861c98f96f8bc8647ffa70522dbc22cbd7ba91b9c80bc667d2a3a9 | archive | juanito.tar.gz | |
| 2a8298047add78360dc3e6d5ac4a38ddb7a67deebc769b1201895afe39b8c0e1 | archive | kamelot.tar.gz | |
| 7bfb35caf3f8760868c2985c4ccf749b14deab63ac6effd653871094fed0d5e5 | archive | satan.db | |
| f6e92eff8887ee28eb56602a3588a3d39ca24a35d9f88fe2551d87dc6ced8913 | archive | scn.tar.gz | |
| 8bf108ab897a480c44d56088662e592c088939eeb86cccaac6145de35eb3a024 | script | sefu | |
| 31a88ff5c0888bcbbbd02c1c18108c884ff02fd93a476e738d22b627e24601c0 | archive | skamelot.tar.gz | |
| e89b40a6e781ad80d688d1aa4677151805872b50a08aaf8aa64291456e4d476d | archive | PhoenixMiner.tar | |
| 2ef26484ec9e70f9ba9273a9a7333af195fb35d410baf19055eacbfa157ef251 | ELF | banner | scanner |
| 8970d74d96558b280567acdf147bfe289c431d91a150797aa5e3a8e8d52fb27d | archive | ethminer.tar | |
| 9aa8a11a52b21035ef7badb3f709fa9aa7e757788ad6100b4086f1c6a18c8ab2 | ELF | masscan | scanner |
| 1275e604a90acc2a0d698dde5e972ff30d4c506eae526c38c5c6aaa6a113f164 | script | setup | |
| 977dc6987a12c27878aef5615d2d417b2b518dc2d50d21300bfe1b700071d90e | script | install | |
| ccda60378a7f3232067e2d7cd0efe132e7a3f7c6a299e64ceba319c1f93a9aa2 | ELF | brute | scanner |
Paths:
- /usr/bin/.locationesclipiciu
- /var/tmp/.ladyg0g0/.pr1nc35
- /usr/.SQL-Unix/.SQL/.db
- /var/tmp/.SQL-Unix/.SQL/.db
- /usr/bin/.pidsclip
Network indicators:
- Mexalz[.]us
- area17[.]mexalz[.]us
- 45[.]32[.]112[.]68
- 207[.]148[.]118[.]221
- requests[.]arhive[.]online
- cdn[.]arhive[.]online
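To put these indicators to work, and to cover the Discord-webhook reporting described earlier, here is an added Python example (not code from the report or the campaign) that refangs the published network indicators, matches them against egress log lines together with any Discord webhook URL, and sweeps a directory tree for files whose sha256 appears in the table above. The log lines, their format, the placeholder IP 203.0.113.50 and the webhook id/token are constructed for the demo; only the hashes and the defanged domains/IPs come from the page.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Subset of the sha256 indicators from the table above (the three loaders and a Go scanner).
IOC_SHA256 = {
    "d73a1c77783712e67db71cbbaabd8f158bb531d23b74179cda8b8138ba15941e": ".93joshua loader",
    "9de853e88ba363b124dfce61bc766f8f42c84340c7bd2f4195808434f4ed81e3": ".black loader",
    "eb0f3d25e1023a408f2d1f5a05bf236a00e8602a84f01e9f9f88ff51f04c8c94": ".purrple loader",
    "99531a7c39e3ea9529f5f43234ca5b23cb7bb82ee54f04eff631f5ca9153e6d4": "go scanner",
}

# Network indicators exactly as published, defanged with [.]
DEFANGED = ["Mexalz[.]us", "area17[.]mexalz[.]us", "45[.]32[.]112[.]68",
            "207[.]148[.]118[.]221", "requests[.]arhive[.]online", "cdn[.]arhive[.]online"]


def refang(ioc):
    """Turn a defanged indicator back into a matchable, lower-cased string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


NETWORK_IOCS = sorted(refang(x) for x in DEFANGED)

# Discord webhook URLs have the shape /api/webhooks/<numeric id>/<token>.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)

# Constructed egress log (DNS + proxy) in a made-up format, not from the report.
SAMPLE_EGRESS_LOG = """\
2021-07-05T03:14:20Z web1 dns A area17.mexalz.us
2021-07-05T03:14:21Z web1 conn 10.0.0.5:49812 -> 45.32.112.68:80 GET /.93joshua
2021-07-05T03:14:25Z web1 conn 10.0.0.5:49820 -> 203.0.113.50:443 POST https://discord.com/api/webhooks/123456789012345678/AbCdEf-ghijk_LMNOP
2021-07-05T03:15:00Z web1 dns A deb.debian.org
"""


def scan_egress(log_text):
    """Return [(lineno, indicator, kind)] for lines that touch a published
    network IOC or a Discord webhook URL."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        low = line.lower()
        for ioc in NETWORK_IOCS:
            # bounded on both sides, so 'mexalz.us' does not also fire on
            # 'area17.mexalz.us'; that line is reported once, under the longer name
            if re.search(r"(?<![\w.-])" + re.escape(ioc) + r"(?![\w-])", low):
                hits.append((n, ioc, "known C2/hosting"))
        m = WEBHOOK_RE.search(line)
        if m:
            hits.append((n, m.group(0), "discord webhook"))
    return hits


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_hashes(root, hashes=IOC_SHA256):
    """Walk `root` and return {path: label} for regular files whose sha256 is an IOC."""
    matches = {}
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        try:
            label = hashes.get(sha256_file(p))
        except OSError:
            continue                       # unreadable file: skip, do not abort the sweep
        if label:
            matches[str(p)] = label
    return matches


def demo_sweep():
    """Self-contained check of sweep_hashes: write a constructed stand-in file into a
    temp dir and sweep with its own hash added to the IOC set. Returns [(relpath, label)]."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / ".hidden" / ".93joshua"
        sample.parent.mkdir()
        sample.write_bytes(b"constructed stand-in, not the real loader\n")
        hashes = dict(IOC_SHA256)
        hashes[sha256_file(sample)] = "constructed test file"
        found = sweep_hashes(d, hashes)
    return sorted((os.path.relpath(p, d), label) for p, label in found.items())


if __name__ == "__main__":
    for hit in scan_egress(SAMPLE_EGRESS_LOG):
        print(hit)
    print(demo_sweep())
    print(sweep_hashes("/var/tmp"))    # one of the drop locations from the path list
```

Hash matching only catches the exact samples in the table; the shc-compiled loaders are easy to rebuild with a different hash, so treat the path indicators and the webhook traffic as the more durable signals, and extend `IOC_SHA256` from the full table when you deploy this.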