Bitdefender security researchers have discovered a threat group likely based in Romania that's been active since at least 2020. They've been targeting Linux-based machines with weak SSH credentials, mainly to deploy Monero mining malware, but their toolbox allows for other kinds of attacks.
Their activity involves obfuscating Bash scripts by compiling them with a shell script compiler (shc) and using Discord to report the information back. In addition to traditional tools such as masscan and zmap, the threat actors' toolkit includes a previously unreported SSH bruteforcer written in Golang. This tool appears to be distributed on an as-a-service model, as it uses a centralized API server. Each threat actor supplies their API key in their scripts. Like most other tools in this kit, the brute force tool has its interface in a mix of Romanian and English. This leads researchers to believe that its author is part of the same Romanian group.
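Because the entry point described above is password guessing against SSH, the compromise is visible in the sshd authentication log as a burst of failures followed by an accepted password login from the same source. The following detection sketch is an added example, not code from the Bitdefender report; the log lines are constructed, they assume OpenSSH's standard syslog message format, and the threshold of 4 failures is an arbitrary assumption chosen for the sample.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the report).
SAMPLE_LOG = """\
Jul 14 03:12:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul 14 03:12:03 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Jul 14 03:12:05 web01 sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Jul 14 03:12:07 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 40140 ssh2
Jul 14 03:12:09 web01 sshd[2219]: Accepted password for root from 203.0.113.7 port 40152 ssh2
Jul 14 08:30:44 web01 sshd[3001]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Jul 14 08:30:52 web01 sshd[3001]: Accepted password for alice from 198.51.100.20 port 51514 ssh2
Jul 14 09:02:10 web01 sshd[3090]: Accepted publickey for deploy from 192.0.2.15 port 60022 ssh2
"""

# Patterns for OpenSSH failure and success messages.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def analyze(log_text, threshold=4):
    """Return {source_ip: finding} for sources that reach `threshold` failures."""
    failures = defaultdict(int)
    users = defaultdict(set)
    findings = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            if failures[ip] >= threshold:
                findings.setdefault(ip, {"compromised_user": None})
                findings[ip].update(failures=failures[ip], users_tried=sorted(users[ip]))
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            # A password login from a source already flagged means a guess succeeded.
            if ip in findings and method == "password":
                findings[ip]["compromised_user"] = user
    return findings

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

A single mistyped password followed by a successful login (the `alice` lines) stays below the threshold and is not reported, and key-based logins are never treated as a successful guess.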
"Dependent on individuals running the malware (cryptojacking or otherwise) distribution campaign, tracking down the people behind the activities will vary. Some of these bad actors use bulletproof hosting, while others use hosting in locations where law enforcement has trouble engaging. There are also the bad actors that run operations directly from their primary location, and for these select few, it’s quite often trivial to track and arrest these individuals," says Karl Steinkamp, Director, PCI Product and Quality Assurance at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services.
Bitdefender security researchers discovered the threat actors were using Discord, a VoIP, instant messaging and digital distribution platform, as it involuntarily provides support for malware distribution (use of its CDN), command-and-control (webhooks) or creating communities centered around buying and selling malware source code and services (e.g. DDoS).
While the current campaign concerns cryptojacking, Bitdefender researchers have connected this group to several DDoS botnets: a Demonbot variant called chernobyl and a Perl IRC bot. Steinkamp says, "In terms of bad actors using a different command and control (C2) mechanism for information reporting, it is a new occurrence but not unexpected. Cryptojacking malware has and continues to use IRC and HTTP for communications, and now we are seeing Discord. Each of these, by default, transmit key information from the compromised host in cleartext, allowing the victim to log and readily see the communications. Both, however, also may be configured to use SSL, making tracking more difficult."
According to Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, a Washington, D.C.-based provider of cloud identity security solutions, "most cryptojacking campaigns are all about stealing compute resources and energy so an attacker will want to limit the impact so they can stay hidden for as long as possible. The impact to an organization is that it could affect business operations performance and also result in a hefty energy bill that, over time, could run into thousands of dollars. Another risk is that the cryptojacking could leave backdoors, allowing other cybercriminals to gain access and cause further damage, such as ransomware. The techniques being used have been shared too often on the darknet, making it easy for anyone with a computer and an internet connection to start a cryptojacking campaign. The end goal is mining cryptocurrency to make a profit at the expense of others."
Christoph Hebeisen, Director, Security Intelligence Research at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company, explains that the number of original tools in this campaign and their complexity indicate that an individual or group with significant skills created this tool kit. "The actors behind cryptojacking campaigns aim to use third-party computing resources to mine cryptocurrency for their financial gain. Cryptomining is very computationally intensive and as such, having cloud instances taken over by cryptojacking can drive up cloud costs for the victim. The malware may also allow for other functionality, which can open the door for malicious activity such as stealing information, lateral movement or bot nets."