Researchers Raise the Alarm on the Linux Cryptojacking Campaign
Romanian threat activity aimed at Monero mining uncovered by security researchers
Bitdefender security researchers have uncovered threat activity dating back to at least 2020. The Romanian threat actors' apparent objective is to infect Linux systems with Monero mining malware.
An SSH brute-forcer written in Golang has been reported as one of their prime tools.
The report identifies Diicot brute as the password-cracking software.
The group is believed to have a bag of underhanded tricks it uses to maintain a low profile.
Bitdefender, a well-known cybersecurity firm, has released a report on a cryptojacking campaign investigation that got underway in the second quarter of 2021. It is disturbing that an activity of such significance and threat managed to slip under the radar of security teams for so long. The Romanian threat group is believed to have begun operating from "at least" 2020, as the researchers put it. The indefinite phrase "at least" leaves open the possibility that this campaign has been running since an earlier date.
Bitdefender has also attributed two DDoS botnets, a Perl IRC bot and Chernobyl, to the same cybercriminal gang; what links them is the XMRig mining payload downloaded in February 2021.
Bitdefender reported that the cryptojacking campaign targeted Linux servers, and further detailed that the group went after machines with weak credentials. Though their goal is to deploy Monero mining applications, they could also carry out other kinds of attacks.
Going after weak targets is common practice in any form of warfare or assault, and it is not surprising here: past events show that default access details or weak credentials pose no challenge to actors using brute-force tactics, and they have always been the Achilles heel of otherwise well-fortified systems. This aspect is split into three stages - reconnaissance, credential access, and initial access - each with an entirely different set of tools.
Executing these brute-force attacks would have been a walk in the park, but doing it for so long undetected requires ingenious methods and high-end tools. According to Bitdefender's report, the threat group deploys many underhanded methods to maintain secrecy. Their primary technique is well known both to malicious actors and to those who hunt them (SecOps): they compile their Bash scripts with a shell script compiler (shc), and in the next stage use Discord to send the harvested information back.
Bringing Discord into the operation is not only useful for evading security controls; it also spares the group from having to run its own command-and-control servers.
The investigation revealed that the Romanian group did not stop at traditional tools such as zmap, masscan and Discord: they used Diicot brute as their password-cracking tool, as well as a previously undocumented SSH brute-forcer written in Golang. This tool operates on a software-as-a-service model, with each malicious actor embedding their own API key in the script.
The endgame is cryptojacking, in this case for Monero. Mining Monero is slow and tedious, and essentially a waste of time at small scale. Using many systems would be more productive, but the cost makes it a waste of resources at the end of the day. So these actors chose instead to have compromised devices mine for them.
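As an added defender-side illustration (not code from the Bitdefender report or from this article): a small Python check that scans sshd auth-log lines for the burst of failed password logins that SSH brute-forcers such as the ones described above produce, and flags any source whose password login later succeeded. The log lines, host name and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd auth.log lines (not real telemetry).
SAMPLE_LOG = """\
Jul 12 03:14:01 srv1 sshd[2201]: Failed password for root from 198.51.100.23 port 41022 ssh2
Jul 12 03:14:03 srv1 sshd[2203]: Failed password for root from 198.51.100.23 port 41030 ssh2
Jul 12 03:14:04 srv1 sshd[2205]: Failed password for invalid user admin from 198.51.100.23 port 41038 ssh2
Jul 12 03:14:06 srv1 sshd[2207]: Failed password for root from 198.51.100.23 port 41044 ssh2
Jul 12 03:14:08 srv1 sshd[2209]: Failed password for root from 198.51.100.23 port 41051 ssh2
Jul 12 03:14:11 srv1 sshd[2211]: Accepted password for root from 198.51.100.23 port 41060 ssh2
Jul 12 03:20:40 srv1 sshd[2300]: Failed password for alice from 203.0.113.9 port 50211 ssh2
Jul 12 03:25:02 srv1 sshd[2310]: Accepted publickey for alice from 203.0.113.9 port 50220 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

def parse(log_text, year=2021):
    """Turn syslog-style sshd lines into (time, result, method, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, threshold=5, window_s=60):
    """Flag IPs with >= threshold failures inside window_s seconds, and note
    whether a password login from that IP succeeded after the first failure."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e[0] for e in evs if e[1] == "Failed"]
        burst = any((fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s
                    for i in range(len(fails) - threshold + 1))
        if not burst:
            continue
        success = any(e[1] == "Accepted" and e[2] == "password" and e[0] > fails[0] for e in evs)
        findings[ip] = {"failures": len(fails), "password_success_after": success}
    return findings
```

A flagged source with `password_success_after` set is the case worth escalating, since it means a weak or default credential was actually found.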