Latest Research from “Sysdig” Threat Research Team (TRT)

The Sysdig Threat Research Team details multiple active cloud-native operations that steal credentials, exploit public-facing software, and perform large-scale cryptojacking by abusing diverse cloud services. Their findings include specific malware and actor clusters (SSH-SNAKE, RUBYCARP, SCARLETEEL, AMBERSQUID, MESON campaign, LABRAT) and related CVEs used or detected during investigations. #SSH-SNAKE #RUBYCARP #SCARLETEEL #AMBERSQUID #MESON_NETWORK #LABRAT #CVE-2024-3094

Keypoints

  • SSH-SNAKE is a self-modifying worm that harvests SSH credentials and shell history to propagate; its C2 server stores outputs and victim IPs, indicating ~300 victims and likely initial access via Confluence exploits.
  • RUBYCARP is a long-running Romanian botnet using public exploits and brute-force attacks, operating via IRC, and monetizing via cryptomining, DDoS, and phishing (including credit-card targeting).
  • SCARLETEEL targets cloud environments (including AWS Fargate and Kubernetes), exploiting misconfigured AWS policies to escalate to AdministratorAccess and deploy cryptominers and data-theft capabilities.
  • AMBERSQUID is a cross-service cloud cryptojacking campaign that abuses uncommon AWS services (Amplify, Fargate, SageMaker) to evade static image scanning and cause high daily costs to victims.
  • The MESON campaign used compromised cloud accounts to spin up thousands of nodes (running meson_cdn/gaganode) to profit from a blockchain-based CDN, creating significant billing and token-reward opportunities for attackers.
  • LABRAT emphasizes stealth and defense evasion using undetected compiled Go/.NET binaries, kernel rootkits, proxyjacking, and abuse of legitimate services like TryCloudFlare for C2 obfuscation.
  • Sysdig published detection content and runtime rules for identified issues, notably a runtime rule for CVE-2024-3094 (backdoored liblzma loaded into sshd) and an experimental Falco rule to detect suspicious chdir to /proc/self/fd/ (related to container escape CVEs).

MITRE Techniques

  • [T1021.004] Remote Services: SSH – SSH-SNAKE “leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network.” (T1021.004 is the SSH sub-technique; T1021.002 is SMB/Windows Admin Shares.)
  • [T1552.001] Credentials in Files – SSH-SNAKE “automatically searches through known credential locations and shell history files to determine its next move.”
  • [T1078] Valid Accounts – SSH-SNAKE uses harvested credentials to access additional systems (‘the output of SSH-Snake contains the credentials found’).
  • [T1190] Exploit Public-Facing Application – Attackers are “actively exploiting known Confluence vulnerabilities in order to gain initial access.”
  • [T1071] Application Layer Protocol – Threat actors maintained a “command and control (C2) server … holds a repository of files containing the output of SSH-Snake” for operations and exfiltration.
  • [T1110] Brute Force – RUBYCARP “deployed using a variety of public exploits and brute force attacks.”
  • [T1566] Phishing – RUBYCARP performs phishing operations and “has been seen targeting credit cards.”
  • [T1496] Resource Hijacking – Multiple campaigns deploy cryptominers and cloud nodes; Sysdig estimated victim costs of “more than $10,000/day” for AMBERSQUID and “over $4,000 per day” for SCARLETEEL.
  • [T1090] Proxy – LABRAT “abused a legitimate service, TryCloudFlare, to obfuscate their C2 network.”
  • [T1014] Rootkit – LABRAT used “kernel-based rootkits to hide their presence.”
  • [T1027] Obfuscated Files or Information – LABRAT used “undetected compiled binaries, written in Go and .NET,” to evade signature-based detection.

Indicators of Compromise

  • [CVE] referenced vulnerabilities – CVE-2024-3094 (xz/liblzma backdoor reaching sshd), CVE-2024-21626 (runc working-directory escape via /proc/self/fd), CVE-2024-23651, CVE-2024-23652, CVE-2024-23653 (BuildKit container-escape issues disclosed alongside the runc bug)
  • [Filenames / Binaries] malicious runtime artifacts – meson_cdn, gaganode
  • [Victim IPs] C2-hosted victim indicators – filenames on the C2 server included IP addresses of victims (approx. 300 victim entries)
  • [Cloud services abused] targeted resources and services – AWS Amplify, AWS Fargate, Amazon SageMaker (AMBERSQUID), and AWS accounts used to launch Meson nodes
  • [Service abuse for C2] legitimate services used to hide traffic – TryCloudFlare (LABRAT C2 obfuscation)

SSH-SNAKE is a self-modifying worm that harvests SSH credentials and shell history from compromised hosts, then uses those credentials to move laterally via SSH. Sysdig analysts located the attackers’ C2 server, which stores per-target output files containing harvested credentials, victim IP addresses and bash history; many filenames indicated victims running Confluence, supporting an assessment that known Confluence exploits are a frequent initial access vector.
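The propagation pattern described above should be visible from the defender's side in centrally collected sshd logs, without any access to the C2 server. The script below is an added example (not Sysdig's tooling and not derived from the worm) that parses constructed OpenSSH "Accepted ..." syslog lines and raises two signals: a source address that is accepted by many distinct hosts in a short window (fan-out), and a public-key fingerprint accepted from more than one source address (a harvested private key that has travelled). The log lines, host names, fingerprints, window and thresholds are all assumptions.

```python
"""Hunt for SSH-worm-style propagation in aggregated sshd logs.

Added example, not Sysdig's code. Two signals the behaviour of SSH-SNAKE
(harvest a key, SSH onward, repeat) leaves in central auth logs:
  1. fan-out: one source address accepted by >= N distinct hosts in a window;
  2. key reuse: one key fingerprint accepted from >= 2 distinct source addresses.
Constructed sample lines in OpenSSH's syslog format; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Accepted <method> for <user> from <src> port <p> ssh2[: <keytype> SHA256:<fp>]"
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)


def parse(lines):
    """Return one dict per accepted login; failed/other lines are skipped."""
    records = []
    for line in lines:
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # Syslog timestamps carry no year; fine for same-day window arithmetic.
        rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
        records.append(rec)
    return records


def fanout_sources(records, window=timedelta(minutes=10), min_hosts=3):
    """Sources accepted by >= min_hosts distinct hosts inside any `window`."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append((r["ts"], r["host"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged


def travelling_keys(records, min_sources=2):
    """Key fingerprints accepted from >= min_sources distinct source addresses."""
    by_fp = defaultdict(set)
    for r in records:
        if r["fp"]:
            by_fp[r["fp"]].add(r["src"])
    return {fp: sorted(srcs) for fp, srcs in by_fp.items() if len(srcs) >= min_sources}


# Constructed sample log (hosts, addresses and fingerprints are made up).
KEY_A = "SHA256:t4h2p8Vq1c0xLz9sYJ3mKf7NwE6rA5bB2dC1eF0gH8I"
KEY_B = "SHA256:Qm9ndXNmaW5nZXJwcmludEZvclRoaXNFeGFtcGxlMDE"
SAMPLE_LOG = [
    "Mar 12 09:15:00 bastion sshd[1877]: Accepted password for alice from 192.168.1.20 port 55000 ssh2",
    f"Mar 12 10:00:05 web01 sshd[2011]: Accepted publickey for deploy from 10.0.1.5 port 51234 ssh2: ED25519 {KEY_A}",
    f"Mar 12 10:00:41 web02 sshd[2019]: Accepted publickey for deploy from 10.0.1.5 port 51240 ssh2: ED25519 {KEY_A}",
    f"Mar 12 10:01:13 db01 sshd[1402]: Accepted publickey for root from 10.0.1.5 port 51251 ssh2: ED25519 {KEY_A}",
    # Same key now arriving from web02's own address: the key has been copied onward.
    f"Mar 12 10:02:30 web03 sshd[2033]: Accepted publickey for deploy from 10.0.1.7 port 40110 ssh2: ED25519 {KEY_A}",
    "Mar 12 10:03:02 web03 sshd[2050]: Failed password for invalid user admin from 203.0.113.4 port 40022 ssh2",
    f"Mar 12 10:30:00 web01 sshd[2101]: Accepted publickey for ops from 10.0.9.3 port 60001 ssh2: RSA {KEY_B}",
]

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for src, hosts in fanout_sources(recs).items():
        print(f"fan-out: {src} reached {hosts}")
    for fp, srcs in travelling_keys(recs).items():
        print(f"key reuse: {fp} accepted from {srcs}")
```

On real data, run the key-reuse check over a longer horizon than the fan-out check: a key that shows up from a second source a day later is still a harvested key, whereas fan-out is only meaningful in a short window.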

Other operations show similar cloud-focused techniques: RUBYCARP uses public exploits and brute-force to build a botnet (communicating over IRC) and monetize via cryptomining, DDoS, and phishing; SCARLETEEL exploited cloud compute and an AWS policy misconfiguration to escalate to AdministratorAccess, target Kubernetes for scale, and deploy cryptominers; AMBERSQUID runs cross-service cryptojacking by abusing less-monitored AWS services (Amplify, Fargate, SageMaker), evading static image scanners and inflating victim billing.

The MESON campaign used a compromised cloud account to spawn thousands of Meson network nodes and execute meson_cdn/gaganode binaries to harvest token rewards and incur large billing costs. LABRAT prioritized stealth—using undetected Go/.NET binaries, kernel rootkits, proxyjacking, and legitimate service abuse (TryCloudFlare) to hide C2—requiring deep runtime visibility for detection. In response, Sysdig published runtime detections including a specific rule for CVE-2024-3094 (backdoored liblzma loaded into sshd) and an experimental Falco rule to flag suspicious chdir events using /proc/self/fd/ indicative of runc/container-escape attempts.
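To make the two runtime detections concrete, here is an added example that re-implements their matching logic in Python over constructed syscall events shaped like Falco's output fields. It is not Sysdig's rule text: the exact conditions of their CVE-2024-3094 rule and of the experimental chdir rule are assumptions, as are the field names (evt.type, proc.name, fd.name, evt.arg.path, container.id) and every sample event.

```python
"""Toy evaluator for the two runtime checks described above.

Added example, not Sysdig's Falco rules. Each rule is a predicate over one
Falco-style event dict; `evaluate` runs all rules over a list of events.
Field names, rule conditions and sample events are assumptions.
"""
import re

# xz-utils releases that shipped the CVE-2024-3094 backdoor.
BACKDOORED_XZ_VERSIONS = ("5.6.0", "5.6.1")
LIBLZMA_RE = re.compile(r"/liblzma\.so\.(\d+\.\d+\.\d+)$")


def sshd_loads_backdoored_liblzma(ev):
    """Rule 1: sshd opens a liblzma build from a backdoored xz release.

    Loading a shared library is an open/openat of the .so from the tracer's
    point of view, so matching the open is sufficient. Matching the version
    in the filename is a heuristic: distributions that rebuilt 5.6.x with the
    backdoor stripped keep the soname, so an allowlist is needed there.
    """
    if ev.get("evt.type") not in ("open", "openat"):
        return False
    if ev.get("proc.name") != "sshd":
        return False
    m = LIBLZMA_RE.search(ev.get("fd.name", ""))
    return bool(m) and m.group(1) in BACKDOORED_XZ_VERSIONS


def chdir_into_proc_self_fd(ev):
    """Rule 2: any process chdir()s into /proc/self/fd/N.

    A working directory pointing at a leaked host file descriptor is the
    CVE-2024-21626 pattern; ordinary workloads have no reason to do this,
    so the rule is deliberately broad and not limited to containers.
    """
    if ev.get("evt.type") != "chdir":
        return False
    return ev.get("evt.arg.path", "").startswith("/proc/self/fd/")


RULES = (
    ("Backdoored liblzma loaded into sshd (CVE-2024-3094)", sshd_loads_backdoored_liblzma),
    ("chdir to /proc/self/fd/", chdir_into_proc_self_fd),
)


def evaluate(events):
    """Return (rule_name, event) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, cond in RULES:
            if cond(ev):
                hits.append((name, ev))
    return hits


# Constructed sample events (not real captures).
SAMPLE_EVENTS = [
    {"evt.type": "openat", "proc.name": "sshd", "container.id": "host",
     "fd.name": "/usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1"},     # backdoored build
    {"evt.type": "openat", "proc.name": "sshd", "container.id": "host",
     "fd.name": "/usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5"},     # clean build
    {"evt.type": "openat", "proc.name": "xz", "container.id": "host",
     "fd.name": "/usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1"},     # not sshd
    {"evt.type": "chdir", "proc.name": "runc:[1:CHILD]", "container.id": "3f2a9c1d8b7e",
     "evt.arg.path": "/proc/self/fd/7"},                            # escape pattern
    {"evt.type": "chdir", "proc.name": "bash", "container.id": "3f2a9c1d8b7e",
     "evt.arg.path": "/app"},                                       # benign chdir
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"ALERT [{name}] proc={ev['proc.name']} container={ev['container.id']}")
```

The second rule trades precision for coverage: it will also fire on a human poking at /proc on a host, which is why Sysdig labels theirs experimental; tune it with process or container allowlists before paging on it.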

Read more: https://sysdig.com/blog/sysdig-threat-research-team-rsa-2024/