Exposed Jupyter Notebooks Targeted to Deliver Cryptominer

Cado Security Labs uncovered a new cryptomining campaign that exploits misconfigured Jupyter Notebooks across Windows and Linux systems. The campaign employs a series of executables, scripts, and binary downloads to install cryptominers targeting various cryptocurrencies.

Affected: Jupyter Notebooks, Windows systems, Linux systems, cloud environments

Key points:

  • A cryptomining campaign utilizes Jupyter Notebooks, targeting Windows and Linux.
  • The campaign is launched through misconfigured Jupyter notebooks.
  • Attackers utilize bash scripts and MSI installer files to deploy their malware.
  • A 64-bit executable named Binary.freedllbinary loads a secondary payload, java.exe.
  • The campaign retrieves additional payloads from GitHub, Launchpad, or Gitee.
  • Successful decryption of the payload leads to the deployment of a cryptominer.
  • Multiple cryptocurrencies are targeted by the miner, including Monero and Ravencoin.
  • The operation includes setting cron jobs for automatic execution of the binaries.
  • Similar tactics have been observed in previous campaigns targeting cloud environments.
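The campaign's entry point is a misconfigured notebook server, so the first defensive check is the server configuration itself. The following audit script is an added example written for this summary; it is not code from Cado Security's report. It assumes that "misconfigured" means a Jupyter server bound to every interface with token and password authentication switched off (the combination that makes the notebook reachable and unauthenticated), and it reads the standard `c.ServerApp.*` / `c.NotebookApp.*` assignment lines of a `jupyter_server_config.py` or `jupyter_notebook_config.py`. Both config samples below are constructed for illustration; the hashed password in the hardened sample is a placeholder, not a real hash.

```python
import ast
import re
from typing import Dict, List

# Matches assignment lines such as  c.ServerApp.token = ''  or  c.NotebookApp.ip = '0.0.0.0'.
# Commented-out defaults ("# c.ServerApp.token = '<generated>'") deliberately do not match.
_SETTING_RE = re.compile(r"^\s*c\.(ServerApp|NotebookApp)\.(\w+)\s*=\s*(.+?)\s*$")


def parse_jupyter_config(text: str) -> Dict[str, object]:
    """Collect the active c.ServerApp.* / c.NotebookApp.* settings from a config file."""
    settings: Dict[str, object] = {}
    for line in text.splitlines():
        m = _SETTING_RE.match(line)
        if not m:
            continue
        _app, key, raw = m.groups()
        try:
            settings[key] = ast.literal_eval(raw)  # '', '0.0.0.0', True, 8888 ...
        except (ValueError, SyntaxError):
            settings[key] = raw  # keep non-literal expressions as text
    return settings


def audit_jupyter_config(text: str) -> List[str]:
    """Return a list of finding codes describing how the server is exposed."""
    s = parse_jupyter_config(text)
    findings: List[str] = []

    # Default bind address is localhost; anything else is reachable from the network.
    ip = str(s.get("ip", "localhost"))
    exposed = ip not in ("localhost", "127.0.0.1", "::1")
    if exposed:
        findings.append("bind-all-interfaces")

    # An absent token setting means Jupyter generates a random token at start-up,
    # so only an explicit empty token (with no password) disables authentication.
    no_token = s.get("token") == ""
    no_password = not s.get("password")
    if no_token and no_password:
        findings.append("auth-disabled")
    if exposed and no_token and no_password:
        findings.append("unauthenticated-network-exposure")

    if s.get("allow_root") is True:
        findings.append("allow-root")
    return findings


# Constructed sample: the kind of configuration the campaign relies on.
WEAK_CONFIG = """
c = get_config()
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_root = True
"""

# Constructed sample: same server, hardened (placeholder hash, not a real credential).
HARDENED_CONFIG = """
c = get_config()
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
# token left at its default: a random value is generated at startup
c.ServerApp.password = 'argon2:PLACEHOLDER_HASH'
c.ServerApp.allow_root = False
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_jupyter_config(cfg) or 'no findings'}")
```

Run it against the config files of every notebook host in an estate; any `unauthenticated-network-exposure` finding is a server that the campaign described here could reach without credentials, and `bind-all-interfaces` on its own still warrants a reverse proxy or firewall rule in front of the token-protected server.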

MITRE Techniques:

  • T1059.004 – Command and Scripting Interpreter: Bash – Utilization of bash scripts to execute commands on the system.
  • T1218.007 – System Binary Proxy Execution: MSIExec – Installation of malicious executables through MSI files.
  • T1053.003 – Scheduled Task/Job: Cron – Setting up cron jobs for regular execution of binaries.
  • T1190 – Exploit Public-Facing Application – Exploitation of Jupyter Notebooks as a vector for malware delivery.
  • T1027.002 – Obfuscated Files or Information: Software Packing – Use of packed binaries to obscure the malware.
  • T1105 – Ingress Tool Transfer – Transfer of tools from external sources (e.g., GitHub) to the target system.
  • T1496 – Resource Hijacking – Using compromised systems to mine cryptocurrency.
  • T1070.004 – Indicator Removal on Host: File Deletion – Self-deletion of malicious binaries after execution.
  • T1559.001 – Inter-Process Communication: Component Object Model – Utilization of COM for payload execution.

Indicators of Compromise:

  • [File] Binary.freedllbinary
  • [File] java.exe
  • [URL] https://github[.]com/freewindsand/test/raw/refs/heads/main/a.msi
  • [IP Address] 45[.]130[.]22[.]219
  • [Hash] 090a2f79d1153137f2716e6d9857d108

Full Story: https://www.cadosecurity.com/blog/jupyter-notebooks-cryptominer