AWS’s Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation

AMBERSQUID is a cloud-native cryptojacking operation that abuses AWS services such as Amplify, Fargate, and SageMaker to mine cryptocurrency at scale, often without triggering resource approvals. The operation shows how attackers can chain multiple cloud services for cryptomining, producing high-cost incidents that can run to thousands of dollars per day. #AMBERSQUID #AWSAmplify

Key points

  • Sysdig’s Threat Research Team uncovers AMBERSQUID, a cloud-native cryptojacking operation using AWS services like Amplify, Fargate, and SageMaker.
  • The operation can cost victims more than $10,000 per day by spanning multiple AWS services rather than just abusing EC2.
  • Attackers push miners through Docker Hub images, private CodeCommit repositories, and GitHub activity to keep the operation contained within AWS.
  • The campaign appears Indonesian in origin, with scripts and usernames written in Indonesian.
  • AMBERSQUID uses a chain of scripts (amplify-role.sh, repo.sh, jalan.sh, update.sh, ecs.sh, ulang.sh) to create IAM roles, attach broad policies, and deploy miners across Amplify, ECS/Fargate, CodeCommit, CodeBuild, CloudFormation, and SageMaker.
  • Malicious images (notably delbidaluan/epicx) and a large “epicx” download footprint drive the mining payload, with miners loaded from repository releases.

MITRE Techniques

  • [T1036] Masquerading – The miner binary is packed with UPX and malformed to hinder analysis; “The ‘test’ binary is a cryptominer, which was packed with UPX and malformed in order to make analysis more difficult.”
  • [T1059] Command and Scripting Interpreter – The container entrypoint starts with scripts that configure AWS credentials and orchestrate miner execution: “The ENTRYPOINT of the Docker image is entrypoint.sh… the execution starts with the following:
    aws --version aws configure set aws_access_key_id $ACCESS …”
  • [T1583] Acquire Infrastructure – Attackers create IAM roles (e.g., AWSCodeCommit-Role) and attach broad policies to enable access to Amplify, CloudWatch, CodeCommit, and SageMaker.
  • [T1496] Resource Hijacking – The operation mines cryptocurrency across multiple AWS services, costing victims money per day: “AMBERSQUID… can cost victims more than $10,000/day.”

Indicators of Compromise

  • [Docker Hub account] delbidaluan, tegarhuta, rizal91, krisyantii20, avriliahasanah, buenosjiji662, buenosjiji, dellaagustin582, jotishoop, nainasachie, rahmadabdu0, robinrobby754 – Docker Hub accounts linked to AMBERSQUID activity
  • [Container image] delbidaluan/epicx – miner image used in the operation
  • [Domain / IP] epicmine.io, lt.epicmine.io, and 74.50.74.27:4416 (mining pool IP/port)
  • [Wallet addresses] Zephyr wallet (ZEPHYR2vyrpcg2e2sJaA88EM6aGaLCBdiYfiHffrs5b3Fa4p1qpoEPH4UabmhJr5YYF7CxJykLTJmESQWaB9ARNuhb6jvptapVq3v); Monero addresses (2miners, etc.) – and 3 more addresses listed
  • [CodeCommit repository] AWS CodeCommit repository named “test” used to host Amplify app source code
  • [Container image repo] Epicx/epicx-related images with large download counts (e.g., epicx image with over 100,000 downloads)
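The indicators above, together with the role-creation and policy-attachment steps from the script chain, are concrete enough to be matched against logs. The following detection script is an added example, not code from Sysdig or from the write-up: it takes CloudTrail-style API records, VPC-flow-style connection records and DNS-query records, and flags the AMBERSQUID image, Docker Hub accounts, role name, mining domains and pool address listed on this page. The sample records are constructed, the record shapes for the flow and DNS entries are simplified assumptions, and the "broad policy" heuristic (managed policy ARNs ending in FullAccess or AdministratorAccess) is an assumption of the example rather than something the write-up specifies.

```python
"""Match log records against the AMBERSQUID indicators from the summary above.
All sample records below are constructed for the example."""
from typing import Iterable

# Indicators taken from the AMBERSQUID summary on this page.
MALICIOUS_IMAGES = {"delbidaluan/epicx"}
DOCKER_HUB_ACCOUNTS = {
    "delbidaluan", "tegarhuta", "rizal91", "krisyantii20", "avriliahasanah",
    "buenosjiji662", "buenosjiji", "dellaagustin582", "jotishoop",
    "nainasachie", "rahmadabdu0", "robinrobby754",
}
MINING_DOMAINS = {"epicmine.io", "lt.epicmine.io"}
MINING_POOL = ("74.50.74.27", 4416)
SUSPICIOUS_ROLE_NAMES = {"AWSCodeCommit-Role"}
# Assumption of this example (not from the write-up): managed policies with these
# suffixes are broad enough to review when attached to a freshly created role.
BROAD_POLICY_MARKERS = ("FullAccess", "AdministratorAccess")


def image_namespace(image: str) -> tuple[str, str]:
    """Split an image reference into (namespace, repo), dropping registry host, tag and digest.
    'docker.io/delbidaluan/epicx:latest' -> ('delbidaluan', 'epicx'); 'nginx' -> ('library', 'nginx')."""
    ref = image.split("@", 1)[0]                     # drop any @sha256:... digest
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]                            # drop an explicit registry host
    repo = parts[-1].split(":", 1)[0]                # drop the tag
    if len(parts) == 1:
        return "library", repo                       # official images live under 'library'
    return parts[0], repo


def check_image(image: str) -> list[str]:
    """Flag the known miner image and anything from the linked Docker Hub accounts."""
    ns, repo = image_namespace(image)
    if f"{ns}/{repo}" in MALICIOUS_IMAGES:
        return [f"known AMBERSQUID miner image {ns}/{repo}"]
    if ns in DOCKER_HUB_ACCOUNTS:
        return [f"image from AMBERSQUID-linked Docker Hub account {ns}"]
    return []


def check_event(event: dict) -> list[str]:
    """Return human-readable findings for one record (empty list if nothing matched)."""
    findings: list[str] = []
    name = event.get("eventName")
    params = event.get("requestParameters") or {}

    # CloudTrail-style IAM / ECS / CodeCommit API calls used by the script chain.
    if name == "CreateRole" and params.get("roleName") in SUSPICIOUS_ROLE_NAMES:
        findings.append(f"CreateRole for campaign role name {params['roleName']}")
    elif name == "AttachRolePolicy":
        arn = params.get("policyArn", "")
        if params.get("roleName") in SUSPICIOUS_ROLE_NAMES or arn.endswith(BROAD_POLICY_MARKERS):
            findings.append(f"broad policy {arn} attached to role {params.get('roleName')}")
    elif name == "RegisterTaskDefinition":
        for cdef in params.get("containerDefinitions", []):
            findings.extend(check_image(cdef.get("image", "")))
    elif (name == "CreateRepository" and params.get("repositoryName") == "test"
          and event.get("eventSource") == "codecommit.amazonaws.com"):
        findings.append("CodeCommit repository named 'test' created (matches campaign)")

    # VPC-flow-style record (assumed shape): outbound connection to the mining pool.
    if (event.get("dstaddr"), event.get("dstport")) == MINING_POOL:
        findings.append("connection to AMBERSQUID mining pool 74.50.74.27:4416")

    # DNS-query-style record (assumed shape): lookup of a mining domain.
    qname = event.get("query_name", "").rstrip(".").lower()
    if qname in MINING_DOMAINS:
        findings.append(f"DNS lookup of mining domain {qname}")
    return findings


def scan(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Run every record through check_event and keep only those that produced findings."""
    hits = []
    for ev in events:
        found = check_event(ev)
        if found:
            hits.append((ev.get("eventName") or ev.get("record_type", "?"), found))
    return hits


# Constructed sample records: four API calls, one flow record, one DNS record.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "requestParameters": {"roleName": "AWSCodeCommit-Role"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "requestParameters": {"roleName": "AWSCodeCommit-Role",
                           "policyArn": "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition",
     "requestParameters": {"containerDefinitions": [
         {"name": "app", "image": "docker.io/delbidaluan/epicx:latest"}]}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RegisterTaskDefinition",
     "requestParameters": {"containerDefinitions": [{"name": "web", "image": "nginx:1.25"}]}},
    {"record_type": "vpcflow", "dstaddr": "74.50.74.27", "dstport": 4416, "action": "ACCEPT"},
    {"record_type": "dns", "query_name": "lt.epicmine.io."},
]

if __name__ == "__main__":
    for source, found in scan(SAMPLE_EVENTS):
        print(source, "->", "; ".join(found))
```

The image check normalises registry host, tag and digest before comparing, so `docker.io/delbidaluan/epicx:latest` and a bare `delbidaluan/epicx` both match; matching only on the literal string from the IoC list would miss the former. The role and policy checks are deliberately separate from the image check, since in the described chain the IAM changes happen before any container is registered and are the earlier point at which the activity can be caught.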

Read more: https://sysdig.com/blog/ambersquid/