
Poorly configured Linux and Internet of Things (IoT) devices are at risk of compromise from a cryptojacking campaign, according to researchers at Microsoft. The attacks, which involve brute forcing a way into a system, are designed to profit from mining in illicit fashion for cryptocurrency. Once the attackers have broken into their target system, a patched version of OpenSSH, a remote login tool, is downloaded from a remote server. When the rogue version of this tool is deployed, it looks to backdoor hijacked systems and swipe credentials to ensure it lingers on the system for as long as it possibly can.

Utilizing an established criminal infrastructure that has incorporated the use of a Southeast Asian financial institution’s subdomain as a command and control (C2) server, the threat actors behind the attack use a backdoor that deploys a wide array of tools and components such as rootkits and an IRC bot to steal device resources for mining operations. The backdoor also installs a patched version of OpenSSH on affected devices, allowing threat actors to hijack SSH credentials, move laterally within the network, and conceal malicious SSH connections. The complexity and scope of this attack are indicative of the efforts attackers make to evade detection.

A backdoor on the system checks to see if the hijacked device is a honeypot, a fake system set up by researchers or someone else to make an attacker think that they’ve compromised a genuine system when in reality everything the attacker does is being logged. If it determines the system is a honeypot, it exits. If it determines that the system is the real thing, it begins a process of data exfiltration to a chosen email address. The data that is taken includes:

The contents of /etc/passwd and /etc/shadow

Open source rootkits are installed in systems which support them, used to further hide malicious files and processes taking place under the hood. Activity records are removed from various places on the system to mask any malicious presence, and additional tools are installed to clean up other logs which could reveal evidence of sign-ins.

Years ago you’d occasionally see adware programs try to remove rivals from a PC, in order to take all of the ad revenue for its creator. Here, we have something similar happening with the cryptomining tools being used in this attack. It identifies mining processes by name and/or files, and then terminates the processes or blocks them outright.
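Two of the behaviours described above leave traces a defender can look for: a package-managed binary such as sshd that no longer matches what the distribution shipped, and login records (wtmp, btmp, lastlog) that have been emptied or pointed at /dev/null. The following script is an added example, not code from the article or from Microsoft's report. It reimplements the core of what dpkg --verify does, parsing a dpkg-style md5sums manifest and comparing every listed file against its recorded hash, and then checks the usual login-record files for wiping indicators. The filesystem root, file contents, and manifest it inspects are all constructed inside a temporary directory so it runs offline; the paths it uses mirror standard Linux locations but nothing here is specific to the campaign.

```python
"""Added example: verify package-managed files against a dpkg-style md5sums
manifest and flag common login-record wiping indicators. Every path and file
below is constructed in a temp directory for the demo (assumption, not data
from the article)."""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse dpkg's '<md5>  <relative path>' manifest lines into a dict."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel_path = line.partition("  ")
        manifest[rel_path] = digest.lower()
    return manifest


def md5_of_file(path):
    """Hash a file in chunks; MD5 is used only because that is what dpkg records."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(root, manifest):
    """Return {relative path: 'ok' | 'modified' | 'missing'} for each manifest entry."""
    results = {}
    for rel_path, expected in manifest.items():
        full = os.path.join(root, rel_path)
        if not os.path.isfile(full):
            results[rel_path] = "missing"
        elif md5_of_file(full) != expected:
            results[rel_path] = "modified"
        else:
            results[rel_path] = "ok"
    return results


def log_wipe_indicators(root, log_files=("var/log/wtmp", "var/log/btmp", "var/log/lastlog")):
    """Flag login-record files that are absent, emptied, or replaced by a link
    (typically to /dev/null): the usual traces of sign-in evidence being cleaned."""
    findings = []
    for rel in log_files:
        full = os.path.join(root, rel)
        if os.path.islink(full):
            findings.append((rel, "symlink -> " + os.readlink(full)))
        elif not os.path.exists(full):
            findings.append((rel, "missing"))
        elif os.path.getsize(full) == 0:
            findings.append((rel, "empty"))
    return findings


def _write(root, rel_path, data):
    full = os.path.join(root, rel_path)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def build_demo_root():
    """Construct a fake root: an untouched sshd, a tampered ssh client, a missing
    scp, an emptied wtmp, a healthy btmp, and a lastlog symlinked to /dev/null."""
    root = tempfile.mkdtemp(prefix="demo-root-")
    sshd_bytes = b"\x7fELF constructed sshd image"
    ssh_bytes = b"\x7fELF constructed ssh client image"
    _write(root, "usr/sbin/sshd", sshd_bytes)
    _write(root, "usr/bin/ssh", ssh_bytes + b" + injected credential logger")
    _write(root, "var/log/wtmp", b"")
    _write(root, "var/log/btmp", b"constructed failed-login records")
    os.symlink("/dev/null", os.path.join(root, "var/log/lastlog"))
    # The manifest records the hashes the package shipped with, not what is on disk now.
    manifest_text = "\n".join([
        f"{hashlib.md5(sshd_bytes).hexdigest()}  usr/sbin/sshd",
        f"{hashlib.md5(ssh_bytes).hexdigest()}  usr/bin/ssh",
        f"{hashlib.md5(b'constructed scp image').hexdigest()}  usr/bin/scp",
    ])
    return root, manifest_text


def run_demo():
    """Build the constructed root and return (manifest results, log findings)."""
    root, manifest_text = build_demo_root()
    results = verify_manifest(root, parse_md5sums(manifest_text))
    findings = log_wipe_indicators(root)
    return results, findings


if __name__ == "__main__":
    results, findings = run_demo()
    for path, state in sorted(results.items()):
        print(f"{state:9s} {path}")
    for path, what in findings:
        print(f"log indicator: {path}: {what}")
```

On a real host the manifest lives under /var/lib/dpkg/info/<package>.md5sums (or is queried with rpm -V on RPM systems), and the root is /. Two caveats matter for this campaign specifically: a rootkit can make userland hashing report clean files, and the on-disk manifest is writable by the same attacker who patched the binary, so the trustworthy comparison is against hashes fetched from the distribution's package archive, ideally with the disk mounted from trusted boot media.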
