Threat Research

“Exploring Linux Malware, Crypto Mining, and Gambling API Exploits: A Study by Elastic Security Labs”

Securonix

Elastic Security Labs uncovered a sophisticated Linux malware campaign in March 2024 that targeted vulnerable servers by exploiting Apache2, deploying KAIJI and RUDEDEVIL for DDoS and cryptocurrency mining, and enabling stealthy persistence and C2 channels. The operation leveraged Telegram and GSOCKET for covert communications and showed signs of money laundering via compromised hosts and gambling APIs. #KAIJI #RUDEDEVIL

Keypoints

  • Initial Access: Attackers compromised a server by exploiting an Apache2 web server.
  • Malware Deployment: KAIJI (DDoS) and RUDEDEVIL (cryptocurrency miner) were used alongside custom malware.
  • Persistence Mechanisms: Cron jobs, GSOCKET, and modifications to system files for maintaining access.
  • Command and Control: Telegram and GSOCKET used for stealthy communication.
  • Financial Activities: Investigated mining schemes linked to gambling APIs and XMRIG configuration.
  • Privilege Escalation: Attempted to exploit CVE-2021-4034 (pwnkit) for elevated access.
  • Detection and Prevention: Recommendations include updates to detection rules, log monitoring, and WAF implementation.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access by exploiting Apache2. ‘Exploited vulnerabilities in Apache2 web server to gain initial access.’
  • [T1059] Command and Scripting Interpreter – Used Unix Shell and Python scripts for executing commands and downloading malware. ‘Used Unix Shell and Python scripts for executing commands and downloading malware.’
  • [T1053] Scheduled Task/Job – Cron – Created cron jobs for persistence and executing malicious scripts. ‘Created cron jobs for persistence and executing malicious scripts.’
  • [T1546] Event Triggered Execution – Modified Unix shell configurations for triggering malware execution. ‘Modified Unix shell configurations for triggering malware execution.’
  • [T1068] Exploitation for Privilege Escalation – Attempted to exploit CVE-2021-4034 for gaining root privileges. ‘Attempted to exploit CVE-2021-4034 for gaining root privileges.’
  • [T1140] Deobfuscate/Decode Files or Information – Decrypted configuration data for C2 communication. ‘Decrypted configuration data for C2 communication.’
  • [T1070] Indicator Removal – Used timestomping to erase traces of malware execution. ‘Used timestomping to erase traces of malware execution.’
  • [T1071] Application Layer Protocol – Utilized web protocols for command and control communication. ‘Utilized web protocols for command and control communication.’
  • [T1496] Resource Hijacking – Leveraged compromised servers for cryptocurrency mining activities. ‘Leveraged compromised servers for cryptocurrency mining activities.’
  • [T1027] Obfuscated/Encoded Files or Information – Obfuscated/Encoded File. ‘Obfuscated/Encoded File.’
  • [T1222] File and Directory Permissions Modification – Linux and Mac File and Directory Permissions Modification. ‘Linux and Mac File and Directory Permissions Modification.’
  • [T1564] Hide Artifacts – Hidden Files and Directories. ‘Hidden Files and Directories.’
  • [T1036] Masquerading – Masquerade Task or Service. ‘Masquerade Task or Service.’
  • [T1587] Develop Capabilities – Malware. ‘Malware.’
  • [T1588] Obtain Capabilities – Tool. ‘Tool.’
  • [T1608] Stage Capabilities – Upload Malware; Upload Tool. ‘Upload Malware’; ‘Upload Tool.’
  • [T1057] Process Discovery – Process Discovery. ‘Process Discovery.’
  • [T1082] System Information Discovery – System Information Discovery. ‘System Information Discovery.’
  • [T1061] System Network Configuration Discovery – System Network Configuration Discovery. ‘System Network Configuration Discovery.’
  • [T1049] System Network Connections Discovery – System Network Connections Discovery. ‘System Network Connections Discovery.’
  • [T1007] System Service Discovery – System Service Discovery. ‘System Service Discovery.’
  • [T1119] Automated Collection – Automated Collection. ‘Automated Collection.’
  • [T1005] Data from Local System – Data from Local System. ‘Data from Local System.’
  • [T1132] Data Encoding – Data Encoding. ‘Data Encoding.’
  • [T1105] Ingress Tool Transfer – Ingress Tool Transfer. ‘Ingress Tool Transfer.’
  • [T1573] Encrypted Channel – Encrypted Channel (Symmetric Cryptography). ‘Encrypted Channel; Symmetric Cryptography.’
  • [T1571] Non-Standard Port – Non-Standard Port. ‘Non-Standard Port.’
  • [T1572] Protocol Tunneling – Protocol Tunneling. ‘Protocol Tunneling.’
  • [T1102] Web Service – Web Service. ‘Web Service.’
  • [T1496] Resource Hijacking – Resource Hijacking. ‘Resource Hijacking.’

Indicators of Compromise

  • [IP Address] Command-and-control/file-server hosts – 107.178.101.245, 62.72.22.91, 91.92.241.103, 61.160.194.160
  • [Domain] C2 and hosting domains – gcp.pagaelrescate.com, nishabii.xyz
  • [SHA-256] Malware/file hashes – 72ac2877c9e4cd7d70673c0643eb16805977a9b8d55b6b2e5a6491db565cee1f (SystemdXC), 82c55c169b6cb5e348be6e202163296b5d80fff2be791c21da9a8b84188684 (apache2_unpacked), 0fede7231267afc03b096ee6c1d3ded479b10ab235e260120bc9f68dd1fc54dd (apache2_upx_packed)
  • [URL] Download/command URLs – http://107.178.101.245:5488/l64, http://107.178.101.245:5488/l86
  • [File Name] Sample files – l64, l86, 00.sh, RUDEDEVIL/LUFICER samples (e.g., SystemdXC)

Read more: https://www.elastic.co/security-labs/betting-on-bots

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint