A recent Microsoft blog post highlighted the growing prominence of cryptojacking hackers targeting Linux-based systems and IoT devices. Cryptojacking is the unauthorized use of someone’s device to mine cryptocurrency, usually without the owner’s knowledge or consent. These hackers exploit open-source tools and use a modified (backdoored) version of OpenSSH, the widely used implementation of the SSH remote administration protocol, to carry out their attacks.
According to the post, the attacks rely on a malicious build of OpenSSH that serves as a backdoor for deploying further tools, including rootkits and an IRC bot, which hijack the device’s resources for cryptomining. The hackers favor mining Monero, because it is easy to mine on a wide range of devices.
It is worth noting that cryptojacking malware is often combined with ransomware to maximize its impact. Infection can occur through malicious links or attachments, or by downloading programs that carry cryptojacking and ransomware payloads. Another method embeds a small piece of mining code in websites or ads, which then runs automatically in visitors’ browsers. Cloud-based attacks also exist: credentials are stolen and mining scripts are installed in cloud environments.
Microsoft’s report uncovered several cryptojacking campaigns run by these hackers. One notable finding was that they leveraged well-established criminal infrastructure, including a subdomain belonging to a Southeast Asian financial institution that served as a command-and-control server. The hackers targeted internet-exposed Linux machines with misconfigured access and used brute-force attacks against SSH logins to obtain credentials. Once a device is compromised, they disable the shell history and install the backdoored OpenSSH package from a remote server.
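The initial access described above is plain SSH password brute-forcing, which leaves a loud trail in the sshd log before the shell history is ever disabled. The following is an added detection example, not code from the article or from Microsoft’s report: it reads syslog-style sshd lines, counts failed logins per source IP inside a sliding time window, flags sources that cross a threshold, and records whether a later successful login came from the same source. The log lines, hostnames and addresses are constructed; the log format is an assumption and would need adjusting for journald or other layouts.

```python
"""Detect SSH password brute-forcing in sshd log lines.

Added example, not code from the article or from Microsoft's report. Log lines
and addresses below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log shape: classic syslog sshd lines; adjust for other formats.
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(
    _PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    _PREFIX + r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one source hammers root/admin/oracle and then succeeds,
# another source has a single failure followed by a normal key-based login.
SAMPLE_LOG = """\
Jun 21 10:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.10 port 51000 ssh2
Jun 21 10:00:03 host1 sshd[1202]: Failed password for invalid user admin from 203.0.113.10 port 51001 ssh2
Jun 21 10:00:05 host1 sshd[1203]: Failed password for root from 203.0.113.10 port 51002 ssh2
Jun 21 10:00:08 host1 sshd[1204]: Failed password for invalid user oracle from 203.0.113.10 port 51003 ssh2
Jun 21 10:00:09 host1 sshd[1205]: Failed password for root from 203.0.113.10 port 51004 ssh2
Jun 21 10:00:15 host1 sshd[1206]: Accepted password for root from 203.0.113.10 port 51005 ssh2
Jun 21 10:01:00 host1 sshd[1207]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jun 21 10:01:30 host1 sshd[1208]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
""".splitlines()


def parse_ts(ts, year=2023):
    """Syslog timestamps omit the year; assume one so window arithmetic works."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: {"failures", "users", "accepted_after"}} for sources with at
    least `threshold` failed logins inside any `window_seconds` window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames tried
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ip, t = m["ip"], parse_ts(m["ts"])
            q = recent[ip]
            q.append(t)
            users[ip].add(m["user"])
            while (t - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "users": set(), "accepted_after": False})
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"] = set(users[ip])
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["ip"] in flagged:
            # A success from a source that was just brute-forcing is the alert that matters most.
            flagged[m["ip"]]["accepted_after"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Running it on the constructed sample flags only 203.0.113.10 (five failures in eight seconds across three usernames, then an accepted password), while the single failure from 198.51.100.7 stays below the threshold. The `accepted_after` flag is the condition worth paging on: a brute-force that ended in a successful login is exactly the point at which the campaign above would move on to disabling history and replacing OpenSSH.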
The compromised package bundles the OpenSSH source code, backdoor binaries, a shell script, and an archive containing embedded files needed for the backdoor’s operation. During installation, the shell script determines the target device’s architecture and runs the matching backdoor binary. The backdoor binaries themselves are produced by compiling a shell script with shc, the open-source Shell Script Compiler.
Microsoft researchers identified three major developments in the hackers’ modus operandi. These include downloading, building, and installing two open-source rootkits published on GitHub, Diamorphine and Reptile, which hide the backdoor’s processes, files, and contents and maintain the connection to the command-and-control domain. The backdoor also adds two attacker-controlled public keys to the “authorized_keys” file of each user, and it removes system log entries that contain the IP address and username supplied as parameters to the script.
To monopolize device resources and eliminate competition, the backdoor installs iptables rules that block communication with hosts and IP addresses linked to rival crypto miners, and it redirects those hostnames to the loopback address (localhost), so that they resolve to the infected machine itself and can no longer be reached. It also identifies competing miner processes and files and terminates them or blocks access to them, and it removes any SSH access that other adversaries had configured.
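The persistence and competitor-blocking steps in the two paragraphs above all leave artifacts on disk that a defender can audit without any agent: extra entries in authorized_keys, hostnames pinned to the loopback address in /etc/hosts, and outbound DROP/REJECT rules in the firewall. The following is an added example, not code from the article or from Microsoft’s report, that checks all three against file contents read offline. Every file body, key blob, hostname and address in it is constructed; the approved-key baseline and the local hostname list are assumptions an administrator would supply.

```python
"""Audit a Linux host for the persistence and competitor-blocking artifacts
described above (authorized_keys, /etc/hosts, iptables-save output).

Added example, not code from the article or Microsoft's report. All inputs
below are constructed; the approved-key baseline is an assumed admin input.
"""
import ipaddress
import re

KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+(\S+)(?:\s+(.*))?$")


def unexpected_authorized_keys(text, approved_blobs):
    """Key lines whose key material is not in the admin-approved set of blobs."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)   # search, not match: lines may start with options like command="..."
        if not m:
            findings.append(("unparseable", line))
            continue
        ktype, blob, comment = m.groups()
        if blob not in approved_blobs:
            findings.append(("unknown-key", f"{ktype} {comment or ''}".strip()))
    return findings


def loopback_pinned_hosts(text, local_hostnames=()):
    """Names in /etc/hosts that resolve to a loopback address but are not the
    machine's own names; a backdoor that blackholes rival pools leaves these."""
    allowed = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", *local_hostnames}
    pinned = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            continue              # malformed address field; not this check's concern
        pinned.extend(n for n in names if n not in allowed)
    return pinned


def outbound_drop_rules(text):
    """(destination, target) pairs for OUTPUT-chain DROP/REJECT rules in the filter table."""
    rules, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith("-A OUTPUT"):
            m = re.search(r"-d\s+(\S+).*?-j\s+(DROP|REJECT)", line)
            if m:
                rules.append((m.group(1), m.group(2)))
    return rules


def audit_host(authorized_keys, hosts, iptables_save, approved_blobs, local_hostnames=()):
    """Combine the three checks into one findings dict."""
    return {
        "unknown_keys": unexpected_authorized_keys(authorized_keys, approved_blobs),
        "loopback_pinned": loopback_pinned_hosts(hosts, local_hostnames),
        "outbound_blocks": outbound_drop_rules(iptables_save),
    }


# Constructed sample inputs: one approved key plus two unknown ones, two rival
# pool names pinned to loopback, and two outbound block rules.
SAMPLE_AUTHORIZED_KEYS = """\
# approved admin key
ssh-ed25519 AAAAC3NzaC1-approved-blob-1 alice@workstation
command="/bin/true" ssh-rsa AAAAB3NzaC1-unknown-blob-2 unknown@nowhere
ssh-ed25519 AAAAC3NzaC1-unknown-blob-3
"""
APPROVED_BLOBS = {"AAAAC3NzaC1-approved-blob-1"}

SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 host1
::1 localhost ip6-localhost ip6-loopback
127.0.0.1 pool.example-miner.test stratum.other-miner.test
"""

SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -d 192.0.2.44/32 -j DROP
-A OUTPUT -d 198.51.100.0/24 -p tcp -m tcp --dport 3333 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 203.0.113.5/32 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    result = audit_host(SAMPLE_AUTHORIZED_KEYS, SAMPLE_HOSTS, SAMPLE_IPTABLES,
                        APPROVED_BLOBS, local_hostnames={"host1"})
    for name, findings in result.items():
        print(name, findings)
```

On a real host the three inputs would be the contents of each user’s `~/.ssh/authorized_keys`, `/etc/hosts`, and the output of `iptables-save`. The checks deliberately compare against an explicit baseline rather than hunting for specific miner names, since the page does not list the hosts the backdoor blocks and any pinned hostname or outbound block rule that an administrator did not create is worth a look regardless of which miner it targets. Note that the rootkits mentioned above can hide files and processes from a live system, so reading these artifacts from a mounted image or a trusted boot is more reliable than reading them on the running host.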
Through the backdoored OpenSSH, the hackers can infiltrate systems, gain elevated privileges, and harvest SSH credentials. The modified OpenSSH mimics the appearance and behavior of a genuine OpenSSH server, making it harder to detect, and the harvested credentials potentially give the hackers access to further devices. In addition, the hackers use a modified version of the ZiggyStarTux IRC bot and employ various techniques to configure it uniquely on each compromised device, which keeps it running without interruption and removes any traces of their logins on the victim’s systems.
For command and control, the ZiggyStarTux bot first connects to an IRC server and then reaches the command-and-control servers through it. These tactics let the hackers maintain a lasting presence on compromised devices.
It’s important to note that the information in this report is for reference purposes only; users should exercise caution and take appropriate measures to protect their devices from cryptojacking attacks.