Linux – focus on a cryptomining attack dubbed color1337 – TEHTRIS

TEHTRIS Threat Hunters document illicit cryptomining activity targeting Linux machines, observed on a France-hosted honeypot in January. The campaign, named Color1337, switches between full-capacity cryptomining with the diicot miner and using the compromised host as a pivot for further reconnaissance, with a Discord-based C2 channel. The activity has Romanian links and is attributed to the alias ElPatrono1337.

Keypoints

  • The whole intrusion on the honeypot, a Linux host running Ubuntu 22.04, lasted under 5 minutes.
  • Two operating modes: FastAndSteady (mine with diicot on high-capacity devices) and SlowAndSteady (use lower-capacity hosts as pivots to scan for further targets).
  • Initial access is not fully established; the working hypothesis is SSH brute-forcing followed by download of a shell script (uhQCCSpB) that runs the attacker's commands on the compromised host.
  • The attacker uses a Discord server and webhooks both to exfiltrate data and to carry C2 communications.
  • C2 infrastructure includes the domain arhivehaceru.com, the IP 45.139.105.222, and multiple Discord webhook endpoints.
  • The actor has Romanian ties; the campaign is named Color1337 and ElPatrono1337 is an alias used by the actor, with potential links to prior groups and tools.

MITRE Techniques

  • [T1110] Brute Force – After brute forcing SSH credentials, a shell script named uhQCCSpB was downloaded and executed on the infected machine. “[brute forcing SSH credentials]”
  • [T1105] Ingress Tool Transfer – The uhQCCSpB script downloads and executes on the host to perform further actions. “[downloaded and executed on the infected machine]”
  • [T1059.004] Command and Scripting Interpreter – The payload is a bash script that runs commands to control the compromised device. “[payload bash script, which, upon execution, performs the following actions]”
  • [T1567.002] Exfiltration to Web Services – The attacker’s Discord webhook is used to store exfiltrated data. “[Discord’s webhooks feature to store exfiltrated data]”
  • [T1053.003] Scheduled Task/Job: Cron – Persistence via a crontab entry referencing a file named .5p4rk3l5 (T1053.005 is the Windows Scheduled Task sub-technique; cron on Linux is .003). “[adds a file named .5p4rk3l5 to crontab]”
  • [T1046] Network Service Scanning – SSH scans observed as the initial access mechanism. “[TEHTRIS NTA detects SSH scans, which is the initial access]”
  • [T1078] Valid Accounts – The payload contains decoded base64 credentials used to potentially access other devices. “[Decoded from base 64: …]”
  • [T1046] Network Service Scanning – A Linux port scanner named Chrome (not the browser), first seen in 2018, is dropped to enumerate further targets. “[Chrome is a Linux Port scanner first seen in 2018]”

Indicators of Compromise

  • [IP Address] Network infrastructure – 185.225.74.231, 45.139.105.222, 139.99.123.196
  • [Domain] Command-and-Control domain – arhivehaceru.com
  • [URL] Discord webhooks – https://discord.com/api/webhooks/1036225255049531422/qyOrT3SxHaOC9yS2NQiPxlSMYmRFFIpU-rMKzmcDv9pQyP4uaZEiZXDXioUtf0DJLUB, https://discord.com/api/webhooks/965651135102865479/PFdU4u8yZrn0XhzIKShcaxL3_IaBjsstYmFEXlThF2_1XCnwXSAjKos3ptwKYpPyGqvI, https://discord.com/api/webhooks/1036206037373571082/9bs01KrT-TrcbSAPI_iadV1Bhn56A4X4fxzCYEw3zMq95H1mFvlKWb6-KYzvEoVfTnS
  • [SHA256] Cryptomining payload components – 0314f688409e3caf1e6d0198bfff3a129e14cb0c623150ba3e29581fba6491d1, e582428a5be24a1eb9eb80566a57bd0cb0431110d3c07b5ce9edd5544a3ef1b4, 14779e087a764063d260cafa5c2b93d7ed5e0d19783eeaea6abb12d17561949a, cc0b01955db20101f93771f81a9fa6ab7c091cac8435529996020d4f3932a3e7, e9bbe9aecfaea4c738d95d0329a5da9bd33c04a97779172c7df517e1a808489c, 6d1fe6ab3cd04ca5d1ab790339ee2b6577553bc042af3b7587ece0c195267c9b
  • [File Name] Files used in the attack – system-cleaner.pl, cleaner.pl, payload, bios.txt, diicot, Update, Chrome, aliases, History, uhQCCSpB, .5p4rk3l5
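The MITRE techniques and the indicators above translate directly into host and log checks: a burst of failed SSH logins from one source (T1110), a crontab entry pointing at the dropped file (T1053.003), and outbound traffic to the Discord webhooks, the domain or the IPs (T1567.002, C2). The script below is an added example written for this page, not TEHTRIS tooling; the indicator values are those listed above, while the auth.log, crontab and proxy-log samples are constructed to exercise each check and do not come from the honeypot capture. The brute-force threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators from the report. File hashes are left out on purpose: compare those
# with sha256sum against the list above, not through log text. "Update" and
# "Chrome" are also left out because they are too generic for substring matching.
IOC_IPS = {"185.225.74.231", "45.139.105.222", "139.99.123.196"}
IOC_DOMAINS = {"arhivehaceru.com"}
IOC_WEBHOOK_IDS = {"1036225255049531422", "965651135102865479", "1036206037373571082"}
IOC_FILENAMES = {"system-cleaner.pl", "cleaner.pl", "bios.txt", "diicot",
                 "uhQCCSpB", ".5p4rk3l5"}

# Discord webhook URL: capture only the numeric webhook ID, the token varies.
WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/(\d+)/[\w-]+")
# Standard OpenSSH failure line in syslog format (no year in the timestamp).
SSH_FAIL_RE = re.compile(
    r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ssh_bruteforce_sources(auth_lines, threshold=5, window_s=60):
    """T1110: {src_ip: total failures} for sources with >= threshold failed
    logins inside any window_s span (sliding window over sorted timestamps)."""
    times = defaultdict(list)
    for line in auth_lines:
        m = SSH_FAIL_RE.match(line)
        if m:
            # syslog timestamps carry no year; deltas within one day are still right
            times[m.group(2)].append(datetime.strptime(m.group(1), "%b %d %H:%M:%S"))
    hits = {}
    for ip, ts in times.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):
            while (ts[hi] - ts[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[ip] = len(ts)
                break
    return hits


def cron_persistence(crontab_text):
    """T1053.003: non-comment crontab lines referencing a file name from the report.
    Run it over `crontab -l` output for each user and over /etc/cron.d/* contents."""
    hits = []
    for line in crontab_text.splitlines():
        body = line.strip()
        if body and not body.startswith("#") and any(n in body for n in IOC_FILENAMES):
            hits.append(body)
    return hits


def webhook_hits(lines):
    """T1567.002: Discord webhook IDs seen in proxy/HTTP logs, mapped to whether the
    ID is one of the known-bad IDs. Any webhook POST from a server merits a look."""
    found = {}
    for line in lines:
        for wid in WEBHOOK_RE.findall(line):
            found[wid] = wid in IOC_WEBHOOK_IDS
    return found


def network_ioc_hits(lines):
    """C2 IPs and domains from the report seen in connection, proxy or DNS logs."""
    hits = set()
    for line in lines:
        hits.update(ip for ip in IPV4_RE.findall(line) if ip in IOC_IPS)
        hits.update(d for d in IOC_DOMAINS if d in line)
    return hits


# Constructed sample data for illustration (not from the honeypot capture).
SAMPLE_AUTH = [
    "Jan 12 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "Jan 12 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 5002 ssh2",
    "Jan 12 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 5003 ssh2",
    "Jan 12 10:00:06 host sshd[1204]: Failed password for root from 203.0.113.7 port 5004 ssh2",
    "Jan 12 10:00:08 host sshd[1205]: Failed password for ubuntu from 203.0.113.7 port 5005 ssh2",
    "Jan 12 10:00:09 host sshd[1206]: Accepted password for root from 203.0.113.7 port 5006 ssh2",
    "Jan 12 11:30:00 host sshd[1300]: Failed password for root from 198.51.100.9 port 6001 ssh2",
]
SAMPLE_CRONTAB = """# m h dom mon dow command
*/5 * * * * /tmp/.5p4rk3l5
0 3 * * * /usr/bin/apt-get update
"""
SAMPLE_HTTP = [
    "POST https://discord.com/api/webhooks/1036225255049531422/qyOrT3SxHaOC9yS2NQiPxlSMYmRFFIpU-rMKzmcDv9pQyP4uaZEiZXDXioUtf0DJLUB 204",
    "POST https://discord.com/api/webhooks/111111111111111111/AAAAAAAAAAAAAAAAAAAAAAAAAAAA 204",
    "GET http://arhivehaceru.com/payload 200",
    "CONNECT 45.139.105.222:443",
]


def sweep(auth_lines, crontab_text, http_lines):
    """Run every check and return the findings as one dict."""
    return {
        "ssh_bruteforce": ssh_bruteforce_sources(auth_lines),
        "cron": cron_persistence(crontab_text),
        "webhooks": webhook_hits(http_lines),
        "network": network_ioc_hits(http_lines),
    }


if __name__ == "__main__":
    for name, result in sweep(SAMPLE_AUTH, SAMPLE_CRONTAB, SAMPLE_HTTP).items():
        print(name, result)
```

On the sample data the sweep flags 203.0.113.7 for five failures in under a minute (the lone failure from 198.51.100.9 stays below the threshold), the `/tmp/.5p4rk3l5` cron line, both webhook IDs with only the first marked known-bad, and the domain and IP hits. A webhook ID that is not on the list is still reported, since a production server posting to Discord at all is the behaviour worth examining, and the token after the ID is deliberately not matched so rotated tokens on a known webhook are still caught.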

Read more: https://tehtris.com/en/blog/linux-focus-on-a-cryptomining-attack-dubbed-color1337