All Threat Intelligence posts

Malicious crypto miners compromise academic data centers

May 22, 2020
4
min read

The Attack

  • In a possibly concerted string of attacks, malicious crypto miners target academic data centers across China, Europe, and North America, disrupting COVID-19 research.
  • EGI Computer Security Incident Response Team believes that the attacker moves from one victim to another using compromised SSH credentials, with intentions to mine Monero.
  • The targeted hosts are infected with malware and are altered to serve as:
    • XMR mining hosts (by running a hidden XMR binary)
    • XMR-proxy hosts; The attacker uses these hosts from the XMR mining hosts, to connect to other XMR-proxy hosts and eventually to the actual mining server.
    • SOCKS proxy hosts (running a microSOCKS instance on a high port) ; The attacker connects to these hosts via SSH, often from Tor. MicroSOCKS is used from Tor as well.
    • Tunnel hosts (SSH tunneling) ; The attacker connects via SSH (compromised account) and configure NAT PREROUTING (typically to access private IP spaces).

The Tactics

  • TOR or the compromised hosts are leveraged to connect to SOCKS proxy servers.
  • Among various other techniques, the attackers also use a malicious Linux Kernel Module to cover up their activities.
  • SSH credentials are stolen to gain access to the hosts. Although it is not known how the attackers steal the credentials, some victims have been able to find compromised SSH binaries.
  • To avoid detection, the XMR activity has been configured in a way that it operated only at night.

File Details

  • Run kill -63 $(random pid) followed by lsmod, then search for modules with names like: diamorphine, scsi, iscsi, readaps.
  • Check the content of /etc/cron.hourly/0anacron.
  • Other files:
  • /home/*/.mozilla/xdm
  • /tmp/.dbs*
  • /tmp/.lock
  • /tmp/aes.tgz
  • /tmp/db.tgz
  • /tmp/dbsyn*
  • /tmp/reserved
  • /tmp/systemdb
  • /tmp/updatedb
  • /tmp/check_power
  • /var/tmp/.lock/clogs
  • /var/tmp/.lock/cpa.h
  • /var/tmp/.lock/ologs
  • /wlcg/arc-ce1/cache/.cache
  • /apps/.ior/read/.terma
  • /apps/.ior/read/.termb
  • /etc/fonts/.fonts (suid binary for privileged escalation (contains `setgid(0);setuid(0);execl(‘/bin/bash/’, {‘bash’, NULL}, NULL)`)
  • /etc/fonts/.low (Log cleaner, capable of removing logs and entries matching specific users (during some time period) in most log files)
  • /tmp/hdshare
  • /tmp/readps
  • /usr/bin/on_ac_power
  • /usr/lib/libocs.so
  • /usr/lib64/.lib/l64
  • /usr/share/aldi.so
  • /usr/share/sos/
  • /usr/share/sos/rh.pub
  • /usr/share/sos/rh.pub
  • /var/tmp/.lock
  • /etc/terminfo/.terma
  • /etc/terminfo/.termb
  • $HOME/.mozilla/plugins/.fonts
  • $HOME/.mozilla/plugins/.low
  • $HOME/.mozilla/plugins/.aa
  • $HOME/.mozilla/plugins/test
  • /usr/lib64/.lib/l64
  • /var/games/.terma

Indicators of Compromise

Network Indicators

IP

Comment

Role in Attack
91.196.70.109 XMR mining server Coordinate the XMR activity
149.156.26.227 Victim server andromeda.up.krakow.pl Malicious IP used for SSH logins + running SOCKSproxy
149.156.26.56 Victim server vega.up.krakow.pl Malicious IP used for SSH logins + running SOCKS proxy
142.150.255.49 Victim desktop UTORONTO Source for attack on .ca hosts
159.226.234.29 Victim server at CAS, China Malicious IP used for SSH logins + running SOCKS proxy
149.156.26.227 Andromeda.up.krakow.pl (host now cleaned) Malicious IP used for SSH login
202.120.32.231 Shanghai Jiaotong University IP used for SSH logins
202.120.58.243 Shanghai Jiaotong University IP used for SSH logins
202.120.58.244 Shanghai Jiaotong University IP used for SSH logins

IP

Comment

Role in Attack
2001:da8:8000:6300:199:433c:16c7:c668 Shanghai Jiaotong University IP used for SSH logins
2001:da8:8000:6300:1c22:6545:295d:f55c Shanghai Jiaotong University IP used for SSH logins
2001:da8:8000:6300:1cc4:148e:4368:1d2c Shanghai Jiaotong University IP used for SSH logins
2001:da8:8000:6300:6c46:cb5b:f478:185e Shanghai Jiaotong University IP used for SSH logins
2001:da8:8000:6300:7925:5377:34a8:e4b3 Shanghai Jiaotong University IP used for SSH logins
2001:da8:8000:6300:8c84:868e:9c5d:3322 Shanghai Jiaotong University IP used for SSH logins
2001:da8:8000:6300::/64 Shanghai Jiaotong University IP used for SSH logins
159.226.161.107 CSTNET, China Malicious IP used for SSH login
159.226.234.29 CSTNET, China Malicious IP used for SSH login

List of TOR hosts (SOCKS Proxy users)
51.77.135.89 (also used for malicious SSH logins)
51.15.177.65
51.75.52.118
51.75.144.43
51.79.53.139
51.79.86.181
212.83.166.62

 

List of suspected hosts
159.226.88.110 (CSNET, China. TCP/44300 access from krakow.pl): Being investigated by CSTCERT
159.226.62.107 (CSNET, China. HTTPS access from krakow.pl): Compromised (XMR mining) and reinstaled by the admin ~2020-05-08
159.226.170.127 (CSNET, China. TCP/21 access from krakow.pl): Being investigated by CSTCERT
132.230.222.12 (Uni-Freiburg. SSH access from krakow.pl): Investigated (malicious SSH binaries found) (not clear if they are involved in this or just 20200512)
192.154.2.203 (UCLA, USA. SSH access from krakow.pl): Notified.
129.49.37.67 (SUNYSB, USA. Access from a SOCKS proxy): Notified.
Tags:
No items found.