New Cryptocurrency Mining Campaign Targets Linux Systems and IoT Devices

A new campaign is targeting internet-facing Linux systems and IoT devices in order to mine cryptocurrency. The attackers use a backdoor that deploys a wide array of tools and components, such as rootkits and an IRC bot, to steal device resources for mining operations.
The attackers first brute-force misconfigured Linux hosts to gain initial access. They then disable shell history and fetch a trojanized version of OpenSSH from a remote server. This rogue OpenSSH package is configured to install and launch the backdoor, which allows the attackers to distribute additional payloads and conduct other post-exploitation activities. These activities include exfiltrating information about the device, installing open-source rootkits, and clearing logs that could alert the victim to the presence of the malware. The backdoor also appends two public keys to the authorized_keys files of all users on the system, which ensures persistent SSH access to the device.
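The persistence step above leaves a recognisable footprint: the same two keys turn up in every account's authorized_keys file. The following audit script is an added example (not code from the report or from the campaign) that parses each account's file and flags any key held by more than one account; the account names and key blobs in SAMPLE are constructed placeholders, and collect_from_system() is provided for running the same check on a live host as root.

```python
import os
import pwd
from collections import defaultdict

def parse_authorized_keys(text):
    """Return the set of (key_type, blob) pairs found in one authorized_keys file."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options (e.g. command="...") may precede the key type; quoted spaces are not handled.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                keys.add((field, fields[i + 1]))
                break
    return keys

def find_shared_keys(keys_by_user, threshold=2):
    """Return {key: [users]} for keys present in at least `threshold` accounts."""
    holders = defaultdict(set)
    for user, keys in keys_by_user.items():
        for key in keys:
            holders[key].add(user)
    return {k: sorted(u) for k, u in holders.items() if len(u) >= threshold}

def collect_from_system():
    """Read every local account's ~/.ssh/authorized_keys (run as root to see them all)."""
    found = {}
    for entry in pwd.getpwall():
        path = os.path.join(entry.pw_dir, ".ssh", "authorized_keys")
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                found[entry.pw_name] = parse_authorized_keys(fh.read())
        except OSError:
            continue  # no file or not readable
    return found

# Constructed sample: two attacker keys appended to every account, one legitimate root key.
SAMPLE = {
    "root": "ssh-ed25519 AAAAC3-LEGIT root@host\nssh-rsa AAAAB3-IMPLANT1 a\nssh-ed25519 AAAAC3-IMPLANT2 b\n",
    "alice": 'command="/usr/bin/true" ssh-rsa AAAAB3-IMPLANT1 a\nssh-ed25519 AAAAC3-IMPLANT2 b\n',
    "bob": "ssh-rsa AAAAB3-IMPLANT1 a\nssh-ed25519 AAAAC3-IMPLANT2 b\n",
}

def audit_sample():
    """Run the audit over the constructed sample (use collect_from_system() on a live host)."""
    return find_shared_keys({u: parse_authorized_keys(t) for u, t in SAMPLE.items()})
```

A key legitimately shared by several accounts (a deployment key, for example) will also be reported, so compare the output against a known-good allowlist rather than treating every hit as malicious.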
The implant also seeks to monopolize the infected system's resources by eliminating competing crypto mining processes that may already be running on it. It also runs a modified version of ZiggyStarTux, an IRC-based distributed denial-of-service (DDoS) client.
The attacks leverage an unnamed Southeast Asian financial institution’s subdomain for C2 communications in an attempt to disguise the malicious traffic.
The operation has been traced back to an actor using the handle asterzeu, who has offered the toolkit for sale on the malware-as-a-service market.
This attack is indicative of the lengths attackers will go to in order to evade detection. It is important to keep your Linux systems and IoT devices up to date with the latest security patches and to stay aware of the latest threats.
Additional Information
- The Mirai botnet, which was discovered in 2016, is still active today. It is used to launch DDoS attacks and to mine cryptocurrency.
- IoT devices are frequent targets because they often ship with security flaws that can be exploited.
- It is important to keep your IoT devices up to date with the latest security patches and to use strong passwords.