Malicious crypto miners compromise academic data centers

Academic data centers across Europe, North America, and China suffered a string of attacks that may have been carried out to mine Monero.

Share this Intel:

The Attack

In a possibly concerted string of attacks, malicious crypto miners target academic data centers across China, Europe, and North America, disrupting COVID-19 research.

EGI Computer Security Incident Response Team believes that the attacker moves from one victim to another using compromised SSH credentials, with intentions to mine Monero.

The targeted hosts are infected with malware and are altered to serve as:
- XMR mining hosts (by running a hidden XMR binary)
- XMR-proxy hosts; The attacker uses these hosts from the XMR mining hosts, to connect to other XMR-proxy hosts and eventually to the actual mining server.
- SOCKS proxy hosts (running a microSOCKS instance on a high port) ; The attacker connects to these hosts via SSH, often from Tor. MicroSOCKS is used from Tor as well.
- Tunnel hosts (SSH tunneling) ; The attacker connects via SSH (compromised account) and configure NAT PREROUTING (typically to access private IP spaces).

The Tactics

TOR or the compromised hosts are leveraged to connect to SOCKS proxy servers.
Among various other techniques, the attackers also use a malicious Linux Kernel Module to cover up their activities.
SSH credentials are stolen to gain access to the hosts. Although it is not known how the attackers steal the credentials, some victims have been able to find compromised SSH binaries.
To avoid detection, the XMR activity has been configured in a way that it operated only at night.

/home/*/.mozilla/xdm

/tmp/.dbs*

/tmp/.lock

/tmp/aes.tgz

/tmp/db.tgz

/tmp/dbsyn*

/tmp/reserved

/tmp/systemdb

/tmp/updatedb

/tmp/check_power

/var/tmp/.lock/clogs

/var/tmp/.lock/cpa.h

/var/tmp/.lock/ologs

/wlcg/arc-ce1/cache/.cache

/apps/.ior/read/.terma

/apps/.ior/read/.termb

/etc/fonts/.fonts (suid binary for privileged escalation (contains `setgid(0);setuid(0);execl(‘/bin/bash/’, {‘bash’, NULL}, NULL)`)

/etc/fonts/.low (Log cleaner, capable of removing logs and entries matching specific users (during some time period) in most log files)

/tmp/hdshare

/tmp/readps

/usr/bin/on_ac_power

/usr/lib/libocs.so

/usr/lib64/.lib/l64

/usr/share/aldi.so

/usr/share/sos/

/usr/share/sos/rh.pub

/usr/share/sos/rh.pub

/var/tmp/.lock

/etc/terminfo/.terma

/etc/terminfo/.termb

$HOME/.mozilla/plugins/.fonts

$HOME/.mozilla/plugins/.low

$HOME/.mozilla/plugins/.aa

$HOME/.mozilla/plugins/test

/usr/lib64/.lib/l64

/var/games/.terma

Indicators of Compromise

Network Indicators
IP	Comment	Role in Attack
91.196.70.109	XMR mining server	Coordinate the XMR activity
149.156.26.227	Victim server andromeda.up.krakow.pl	Malicious IP used for SSH logins + running SOCKSproxy
149.156.26.56	Victim server vega.up.krakow.pl	Malicious IP used for SSH logins + running SOCKS proxy
142.150.255.49	Victim desktop UTORONTO	Source for attack on .ca hosts
159.226.234.29	Victim server at CAS, China	Malicious IP used for SSH logins + running SOCKS proxy
149.156.26.227	Andromeda.up.krakow.pl (host now cleaned)	Malicious IP used for SSH login
202.120.32.231	Shanghai Jiaotong University	IP used for SSH logins
202.120.58.243	Shanghai Jiaotong University	IP used for SSH logins
202.120.58.244	Shanghai Jiaotong University	IP used for SSH logins

IP	Comment	Role in Attack
2001:da8:8000:6300:199:433c:16c7:c668	Shanghai Jiaotong University	IP used for SSH logins
2001:da8:8000:6300:1c22:6545:295d:f55c	Shanghai Jiaotong University	IP used for SSH logins
2001:da8:8000:6300:1cc4:148e:4368:1d2c	Shanghai Jiaotong University	IP used for SSH logins
2001:da8:8000:6300:6c46:cb5b:f478:185e	Shanghai Jiaotong University	IP used for SSH logins
2001:da8:8000:6300:7925:5377:34a8:e4b3	Shanghai Jiaotong University	IP used for SSH logins
2001:da8:8000:6300:8c84:868e:9c5d:3322	Shanghai Jiaotong University	IP used for SSH logins
2001:da8:8000:6300::/64	Shanghai Jiaotong University	IP used for SSH logins
159.226.161.107	CSTNET, China	Malicious IP used for SSH login
159.226.234.29	CSTNET, China	Malicious IP used for SSH login

List of TOR hosts (SOCKS Proxy users)
51.77.135.89 (also used for malicious SSH logins)
51.15.177.65
51.75.52.118
51.75.144.43
51.79.53.139
51.79.86.181
212.83.166.62

List of suspected hosts

159.226.88.110 (CSNET, China. TCP/44300 access from krakow.pl): Being investigated by CSTCERT

159.226.62.107 (CSNET, China. HTTPS access from krakow.pl): Compromised (XMR mining) and reinstaled by the admin ~2020-05-08

159.226.170.127 (CSNET, China. TCP/21 access from krakow.pl): Being investigated by CSTCERT

132.230.222.12 (Uni-Freiburg. SSH access from krakow.pl): Investigated (malicious SSH binaries found) (not clear if they are involved in this or just 20200512)

192.154.2.203 (UCLA, USA. SSH access from krakow.pl): Notified.

129.49.37.67 (SUNYSB, USA. Access from a SOCKS proxy): Notified.

Be informed about these Threats in your Inbox

Subscribe now

Malicious crypto miners compromise academic data centers

The Attack

The Tactics

File Details

Indicators of Compromise

Network Indicators

IP

Comment

Role in Attack

IP

Comment

Role in Attack

List of TOR hosts (SOCKS Proxy users)

List of suspected hosts

Be informed about these Threats in your Inbox