TTPwire Vol. 1 · MITRE ATT&CK · Tagged

F5 Labs

Attackers Use New, Sophisticated Ways to Install Cryptominers

2019-10-01

ATT&CK techniques detected

11 predictions

T1098.004 SSH Authorized Keys (97%)
“following steps: - searching and killing competing processes. - checking to see if the SSH key is installed already, and if not, adding it to the “authorized_keys”. - checking to see if the malware is running as root. - installing the same crontab job. Figure 20. Functionality f…”

T1059.004 Unix Shell (87%)
“run all the time. Along with rising electric bills, this means your computer would be running at full speed all the time. This can cause heat damage to hardware and slower performance for applications. If applications aren’t properly saving due to space constraints or backing u…”

T1053.003 Cron (74%)
“…-campaign-deploys-a-new-miner-malware.html) of other cryptominers. This is probably an attempt to remove it. Figure 12. The ntp script clearing the /etc/host file. Another unique feature of this comprehensive malware is that it looks for different Linux distribut…”

T1204.002 Malicious File (54%)
“The crypto miner. The goal of this malware is to execute a cryptocurrency miner. In the process of doing this, first the “main” script checks to see if the server was previously compromised by the same campaign. If it was, the script deletes the old miner. Figure 24. The "main…”

T1059.006 Python (52%)
“file using the password "no-password". Once unzipped, the file exposes a cryptocurrency miner that will work on the target system — specific to the architecture designated above. Figure 26. The unzipped file exposes a cryptocurrency miner. The “main” script extracts the file,…”

T1190 Exploit Public-Facing Application (47%)
“keys and install the attacker key if it is missing in the authorized_keys file. - Every half hour, it will download a version of itself and execute it, possibly to make sure it is running the most up-to-date version. Figure 32. The first function from the watchdog script th…”

T1204.002 Malicious File (47%)
“download and remotely execute a malicious cryptominer. References to the specific CVEs leveraged are in the footnotes.[2] While analyzing this script which downloads and executes the cryptominer, F5 researchers found that the code is sophisticated, well obfuscated, and long — abou…”

T1105 Ingress Tool Transfer (44%)
“download and remotely execute a malicious cryptominer. References to the specific CVEs leveraged are in the footnotes.[2] While analyzing this script which downloads and executes the cryptominer, F5 researchers found that the code is sophisticated, well obfuscated, and long — abou…”

T1059.006 Python (36%)
“…gured Redis instances. The tool generates a random IP list and scans it in an attempt to find Redis instances. The script then checks to see if each particular Redis instance is misconfigured and does not require authentication. If it is possible to log in without authentication…”

T1037.004 RC Scripts (36%)
“…” script attempting to uninstall security utilities. Next, the “main” script attempts to connect to all other hosts in the SSH “known_hosts” file by using the stored SSH keys on the machine. If it can connect to any of the other “known_hosts”, then it will attempt to ru…”

T1496 Resource Hijacking (33%)
“The crypto miner. The goal of this malware is to execute a cryptocurrency miner. In the process of doing this, first the “main” script checks to see if the server was previously compromised by the same campaign. If it was, the script deletes the old miner. Figure 24. The "main…”

Summary

How a Jenkins dynamic routing vulnerability becomes an attacker’s infection vector for installing and executing a cryptominer.