Category: Adversary Intelligence
Industry: Multiple
Motivation: Monetary
Country: Global
Source*:
A: Reliable
1: Confirmed by independent Sources
Executive Summary
- CloudSEK’s Threat Intelligence Team uncovered a campaign, active for the past 1.8 years, that attacks SSH servers by brute force.
- The newest sample for this campaign was created on 29 March 2023, with the address hXXp://141[.]98[.]6[.]76[:]6972/HOZE.
- We also uncovered several links between this malicious script and multiple coin miners, as well as an email address for further attribution.
Analysis and Attribution
The IP: 141[.]98[.]6[.]76
The IP had already been marked malicious because it attempted SSH attacks using the brute-force method. While investigating this IP, it was found to be communicating with ‘Hoze’, a malicious attacking shell script. Hoze requests the following URL: http://141.98.6.76:6972/xrx.tar.
The TAR file is a downloadable archive that contains one or more Linux executables. These are commonly known as follow-up mining scripts, used to uninstall security software and set executable permissions.
Analysis of the File Contents
The config.json, which is essentially a miner configuration file, exposes sensitive information in data fields such as URL, coin, user, and password, and references different websites that are marked as malicious with coin-mining tags.
The username (4BDcc1fBZ26HAzPpYHKczqe95AKoURDM6EmnwbPfWBqJHgLEXaZSpQYM8pym2Jt8JJRNT5vjKHAU1B1mmCCJT9vJHaG2QRL) is a Monero address whose payment history dates back 676 days, or roughly 1.8 years.
Multiple mining pools associated with the same wallet were discovered:
- 45.10.20.100:2008
- 185.252.178.82:2008
- pool.whitesnake.church:2008
- pool.supportxmr.com:443
- 141.98.6.76:2008
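A defender who recovers an XMRig-style config.json from a host can check it against the pools and wallet listed above. The following is an added example, not code from CloudSEK or from the sample itself; it assumes XMRig's usual top-level "pools" array, and the sample configuration in it is constructed.

```python
import json
import re

# IoCs copied from this report: pool endpoints and the Monero wallet used as "user".
REPORT_POOLS = {
    "45.10.20.100:2008", "185.252.178.82:2008", "pool.whitesnake.church:2008",
    "pool.supportxmr.com:443", "141.98.6.76:2008",
}
REPORT_WALLET = "4BDcc1fBZ26HAzPpYHKczqe95AKoURDM6EmnwbPfWBqJHgLEXaZSpQYM8pym2Jt8JJRNT5vjKHAU1B1mmCCJT9vJHaG2QRL"

def normalize_endpoint(url):
    """Drop an optional scheme (e.g. stratum+tcp://) and lowercase host:port."""
    return url.strip().split("://", 1)[-1].rstrip("/").lower()

def wallet_of(user):
    """Strip a .worker, +difficulty or /email suffix from an XMRig 'user' value."""
    return re.split(r"[.+/]", user.strip(), maxsplit=1)[0]

def triage_config(text):
    """Return (pool_index, endpoint, reasons) for each pool entry matching the report."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return []  # not plain JSON (e.g. an encrypted or damaged file)
    pools = cfg.get("pools") if isinstance(cfg, dict) else None
    if not isinstance(pools, list):
        return []
    findings = []
    for i, pool in enumerate(pools):
        if not isinstance(pool, dict):
            continue
        endpoint = normalize_endpoint(str(pool.get("url", "")))
        reasons = []
        if endpoint in REPORT_POOLS:
            reasons.append("pool")
        if wallet_of(str(pool.get("user", ""))) == REPORT_WALLET:
            reasons.append("wallet")
        if reasons:
            findings.append((i, endpoint, reasons))
    return findings

# Constructed sample config (not the file from the archive); passwords are never printed.
SAMPLE = json.dumps({"pools": [
    {"url": "stratum+tcp://141.98.6.76:2008", "coin": "monero", "user": REPORT_WALLET + ".w1", "pass": "x"},
    {"url": "POOL.SUPPORTXMR.COM:443", "user": "constructed-other-user", "pass": "x"},
    {"url": "pool.example.org:3333", "user": "constructed-user", "pass": "x"},
]})

if __name__ == "__main__":
    for index, endpoint, reasons in triage_config(SAMPLE):
        print(f"pools[{index}] {endpoint}: matches report {' + '.join(reasons)}")
```

pool.supportxmr.com is a public pool, so a pool-only match on it is a weaker signal than a match on the wallet.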
The Public SSH Key
A public SSH key was found in the archive hosted at the above URL. The same key was also observed in AhnLab's report on a CoinMiner that targets misconfigured Linux SSH servers, tracing this campaign back to 2022.
Because the same SSH key is used in the latest campaign, we followed the information in AhnLab's report and observed an email address in the threat actor’s XMRig mining information.
Mining Pool: xmr.doi-2020[.]net:14444
Wallet: 85myxAJXqM1i9RLd1b7xq4JddqUTt1fD9ikYNNfwgtZPh42Cm5PSRMQW9R7Sue28TS86bWRkiw3MV8K4ZRGaMw6ZVLLLbMQ.worker01/[email protected]
Based on the information obtained from a data breach where the above email was compromised, it belongs to Marian Andrei. However, the authenticity of the data is yet to be confirmed.
File xrx/xrx
Certain files in the compressed archive were found to be encrypted to evade detection. Based on our investigation, the typical Stratum mining protocol was observed, which essentially defines how pooled miners should communicate, making data transfers more efficient.
Mitigation
- Implementing a strong SSH password policy and avoiding misconfigured or default settings.
- Keeping a close eye on security logs, system logs, error logs, etc. for anomalies that indicate brute-force attempts.
- Installing strong anti-virus software to detect any downloads or executables present on the system.
Indicators of Compromise (IoCs)