Emerging Cryptocurrency Mining Campaign Takes Aim at Linux Systems and IoT Devices


Cryptocurrency mining attackers are targeting Linux systems and IoT devices.

With the rapid growth of cryptocurrency mining, attackers have launched a campaign focused on Internet-facing Linux systems and Internet of Things (IoT) devices. Their aim is to mine cryptocurrency covertly, without the knowledge or consent of the owners.

To accomplish this, the attackers employ a backdoor that installs various tools, including rootkits and an IRC bot. These tools allow them to steal device resources for their mining operations.

According to Microsoft threat intelligence researcher Rotem Sde-Or, the attackers are using advanced techniques to compromise vulnerable systems and exploit their computing power for cryptocurrency mining.

How to Minimize Risk?

To protect against such attacks, it is important for individuals and organizations to stay vigilant. This includes regularly updating and patching systems, using strong passwords, and implementing effective intrusion detection systems. Taking these precautions can reduce the risk of falling victim to illicit cryptocurrency mining campaigns.

The attackers use a backdoor that not only steals resources for mining, but also installs a modified version of OpenSSH. This patched OpenSSH enables them to take over SSH credentials, move around the network, and establish hidden malicious SSH connections.

To carry out this scheme, the attackers first target misconfigured Linux hosts through brute-force methods. Once they gain initial access, they proceed to disable shell history and retrieve a tampered version of OpenSSH from a remote server.

The attackers specifically design the altered OpenSSH package to install and activate the backdoor—a shell script that enables them to distribute additional payloads and perform various post-exploitation actions.
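The initial-access pattern described above (a password brute force that ends in a successful login, followed by shell history being switched off) leaves traces a defender can look for on the host. The block below is an added example, not code from Microsoft or from the article: it scans constructed auth-log lines for source addresses that reach a failure threshold and then log in, and scans a constructed shell profile for lines that disable history. The log format, the threshold of five attempts and the history-disabling patterns are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/auth.log; the host name,
# user names and addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Jun 22 10:01:02 host1 sshd[1201]: Failed password for root from 198.51.100.23 port 51234 ssh2
Jun 22 10:01:04 host1 sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Jun 22 10:01:06 host1 sshd[1205]: Failed password for root from 198.51.100.23 port 51238 ssh2
Jun 22 10:01:08 host1 sshd[1207]: Failed password for invalid user pi from 198.51.100.23 port 51240 ssh2
Jun 22 10:01:10 host1 sshd[1209]: Failed password for root from 198.51.100.23 port 51242 ssh2
Jun 22 10:01:12 host1 sshd[1211]: Failed password for root from 198.51.100.23 port 51244 ssh2
Jun 22 10:01:20 host1 sshd[1215]: Accepted password for root from 198.51.100.23 port 51250 ssh2
Jun 22 10:05:00 host1 sshd[1300]: Failed password for alice from 203.0.113.7 port 40001 ssh2
Jun 22 10:05:30 host1 sshd[1301]: Accepted publickey for alice from 203.0.113.7 port 40002 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def find_bruteforce_sources(log_text, threshold=5):
    """Map source IP -> (failed_logins, succeeded_afterwards) for every source
    that reached `threshold` failed password attempts. A successful login that
    follows the failures is the signal that the brute force worked."""
    failures = Counter()
    succeeded = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(3)] >= threshold:
            succeeded.add(m.group(3))
    return {ip: (n, ip in succeeded) for ip, n in failures.items() if n >= threshold}


# Shell profile lines that stop an interactive shell from recording commands.
# The pattern list is this example's own assumption, not the campaign's tooling.
HISTORY_DISABLE_PATTERNS = [
    re.compile(r"^\s*unset\s+HISTFILE\b"),
    re.compile(r"^\s*(?:export\s+)?HISTFILE=(?:/dev/null|\"\"|''|)\s*$"),
    re.compile(r"^\s*(?:export\s+)?HISTSIZE=0\b"),
    re.compile(r"^\s*set\s+\+o\s+history\b"),
]

# Constructed ~/.bashrc fragment with two history-disabling lines mixed in.
SAMPLE_BASHRC = """\
# constructed ~/.bashrc fragment
export PATH=$PATH:/usr/local/bin
unset HISTFILE
export HISTSIZE=0
alias ll='ls -la'
"""


def history_disabled_lines(profile_text):
    """Return the lines of a shell profile that disable command history."""
    return [line.strip() for line in profile_text.splitlines()
            if any(p.search(line) for p in HISTORY_DISABLE_PATTERNS)]


if __name__ == "__main__":
    for ip, (count, success) in find_bruteforce_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failed logins, login succeeded afterwards: {success}")
    for line in history_disabled_lines(SAMPLE_BASHRC):
        print("history disabled by:", line)
```

On a real host the same two functions would be fed the contents of the auth log (or `journalctl -u ssh` output in the same format) and of every user's shell profile files; a source that crosses the threshold and then gets an `Accepted` line is the case to escalate, and a profile that disables history on an Internet-facing server is worth an explanation from its owner.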

[Image: Emerging Cryptocurrency Mining. Image credit: The Hacker News]

How Does It Work?

The backdoor performs multiple actions to ensure persistence and concealment. It steals device information, installs rootkits (Diamorphine and Reptile), and clears logs. It also adds SSH access for itself, terminates competing mining processes, and runs a modified DDoS client (ZiggyStarTux) based on Kaiten/Tsunami.
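Two of the backdoor's actions named above, adding its own SSH access and loading the Diamorphine and Reptile rootkits, can be checked for on a host. The block below is an added example and is neither the campaign's tooling nor Microsoft's detection logic: it compares the SHA256 fingerprints of the keys in an authorized_keys file against a known-good baseline, and looks for the rootkit names in /proc/modules-style output. All sample data is constructed, and matching on the module names is an assumption; both rootkits are designed to hide their module once loaded, so an empty result from that check is not evidence of a clean host.

```python
import base64
import hashlib

# Key types accepted in an OpenSSH authorized_keys line.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def key_fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return (key_type, blob, comment) for each key line; an options prefix
    such as no-pty or from="..." before the key type is skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                entries.append((tok, tokens[i + 1], " ".join(tokens[i + 2:])))
                break
    return entries


def unexpected_keys(text, baseline_fingerprints):
    """Keys present in the file whose fingerprint is not in the baseline."""
    return [(kt, key_fingerprint(blob), comment)
            for kt, blob, comment in parse_authorized_keys(text)
            if key_fingerprint(blob) not in baseline_fingerprints]


# Constructed key blobs: real key blobs are wire-encoded public keys, but any
# base64 payload exercises the fingerprint and baseline logic the same way.
KNOWN_BLOB = base64.b64encode(b"constructed-admin-key").decode()
ROGUE_BLOB = base64.b64encode(b"constructed-rogue-key").decode()

SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed ~/.ssh/authorized_keys
ssh-ed25519 {KNOWN_BLOB} admin@workstation
no-pty ssh-ed25519 {ROGUE_BLOB}
"""

# Module names derived from the rootkit families named in the article; the
# exact module name each rootkit registers is an assumption of this example.
ROOTKIT_NAME_PREFIXES = ("diamorphine", "reptile")

# Constructed /proc/modules-style text (name, size, refcount, deps, state, address).
SAMPLE_PROC_MODULES = """\
ext4 745472 1 - Live 0x0000000000000000
diamorphine 16384 0 - Live 0x0000000000000000
xt_conntrack 16384 1 - Live 0x0000000000000000
"""


def suspicious_modules(proc_modules_text):
    """Module names matching a known LKM rootkit family. Diamorphine and
    Reptile hide themselves from the module list once loaded, so also compare
    against /sys/module and look for hidden processes before concluding."""
    found = []
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0].lower().startswith(ROOTKIT_NAME_PREFIXES):
            found.append(fields[0])
    return found


if __name__ == "__main__":
    baseline = {key_fingerprint(KNOWN_BLOB)}
    for kt, fp, comment in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, baseline):
        print(f"unexpected key: {kt} {fp} {comment!r}")
    for name in suspicious_modules(SAMPLE_PROC_MODULES):
        print("rootkit module loaded:", name)
```

The baseline set is the piece that makes this usable: record the fingerprints of every key that is supposed to be on the host (the same values `ssh-keygen -lf ~/.ssh/authorized_keys` prints) and alert on any line the baseline does not explain.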

Moreover, the attackers use a subdomain of a Southeast Asian financial institution for their command-and-control (C2) communications, aiming to disguise the malicious traffic as legitimate.

Additionally, Microsoft’s findings align with a recent report by AhnLab Security Emergency Response Center (ASEC), which uncovered similar attacks targeting Linux servers with crypto mining malware and a variant of the Tsunami botnet called Ziggy.

Furthermore, the recent operation has been linked to a perpetrator named asterzeu, who offers the toolkit for sale on the malware-as-a-service market. Notably, the complexity and extent of this attack highlight the lengths attackers go to avoid detection, as emphasized by Sde-Or.

Meanwhile, security vulnerabilities in routers, digital video recorders, and other network software are actively exploited by threat actors to deploy the Mirai botnet malware, as reported by Akamai and Palo Alto Networks Unit 42.

Moreover, researchers from Unit 42 have stated that the Mirai botnet, discovered in 2016, remains active to this day. The appeal of Mirai to threat actors primarily arises from the security flaws found in IoT devices.

Additionally, these vulnerabilities, which enable remote code execution on IoT devices, combine simplicity with significant impact, making them an irresistible target for threat actors, for more updates
