SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto

SCARLETEEL 2.0 expands into AWS Fargate and Kubernetes, refining its cloud-focused toolkit to steal credentials, escalate privileges, and mine cryptocurrency while evading newer security controls. The Sysdig Threat Research Team documents a more resilient C2 architecture, updated tooling, and the addition of DDoS-as-a-Service components using Pandora malware. Hashtags: #SCARLETEEL #Fargate #Kubernetes #CryptoMining #Pacu #peirates #IMDSv2 #Pandora #Mirai

Keypoints

  • SCARLETEEL 2.0 targets cloud environments (AWS and Kubernetes), expanding its footprint beyond prior operations.
  • The attack chain compromises AWS accounts via vulnerable compute services, gains admin access, and spawns mining activity.
  • Credential theft leverages IMDS (v1 and v2) and other locations to harvest AWS keys and tokens for further access.
  • AWS CLI and Pacu are used to discover and exploit privileges, including privilege escalations within the victim’s AWS account.
  • The group targets Kubernetes with peirates to access secrets, pods, and namespaces, broadening their reach in container environments.
  • Cryptomining, with a DDoS-as-a-Service angle via Pandora, monetizes the compromised resources.
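The credential-theft keypoint above hinges on how the instance metadata service is configured. The following audit is an added example (not Sysdig's code, and not from the report) that walks the `Reservations` structure returned by `aws ec2 describe-instances` and flags instances where IMDSv1 is still allowed or where the PUT response hop limit lets an extra network hop (such as a container) reach IMDSv2. The instance IDs and settings are constructed sample data.

```python
"""Audit EC2 instance metadata (IMDS) settings.

Added example, not code from the Sysdig report. Input mirrors the
'Reservations' list of `aws ec2 describe-instances`; the sample below is
constructed. Note that enforcing IMDSv2 blocks SSRF-style retrieval of
credentials but not a process already running on the instance, which is
exactly how SCARLETEEL obtains a token and then the credentials.
"""

from typing import Dict, List

# Constructed sample: three instances with different IMDS configurations.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111111111111a",            # constructed id
         "MetadataOptions": {"HttpEndpoint": "enabled",
                             "HttpTokens": "optional",    # IMDSv1 still allowed
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0bbb222222222222b",            # constructed id
         "MetadataOptions": {"HttpEndpoint": "enabled",
                             "HttpTokens": "required",    # IMDSv2 enforced
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc333333333333c",            # constructed id
         "MetadataOptions": {"HttpEndpoint": "disabled",  # no IMDS at all
                             "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]},
]


def audit_imds(reservations: List[Dict]) -> List[Dict[str, str]]:
    """Return one finding per weak IMDS setting, keyed by instance id."""
    findings: List[Dict[str, str]] = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service is off: nothing to harvest
            if opts.get("HttpTokens") != "required":
                # IMDSv1 answers plain GETs without a session token.
                findings.append({"instance": iid, "issue": "imdsv1_allowed"})
            if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
                # A hop limit above 1 lets containers behind a bridge
                # network complete the IMDSv2 PUT/GET handshake.
                findings.append({"instance": iid, "issue": "hop_limit_gt_1"})
    return findings


if __name__ == "__main__":
    for f in audit_imds(SAMPLE_RESERVATIONS):
        print(f"{f['instance']}: {f['issue']}")
```

Replace `SAMPLE_RESERVATIONS` with the parsed JSON of a real `describe-instances` call to run it against an account; the two findings it produces for the first sample instance are the settings to tighten (`HttpTokens=required`, hop limit 1 for non-container hosts).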

MITRE Techniques

  • [T1552.003] Cloud Credentials – Credentials in cloud environments are targeted; the actor queries IMDSv2 for a session token and then uses it to retrieve the AWS credentials. Quote: ‘IMDSv2 in order to retrieve the token and then use it to retrieve the AWS credentials.’
  • [T1068] Privilege Escalation – Escalation to admin in the victim’s AWS account, followed by spinning up EC2 instances running miners. Quote: ‘Escalation to Admin in the victim’s AWS account and spin up EC2 instances running miners.’
  • [T1105] Ingress Tool Transfer – The attacker downloaded and executed Pandora (Mirai botnet) as part of the attack. Quote: ‘downloaded and executed Pandora, a malware belonging to the Mirai Botnet.’
  • [T1059.004] Unix Shell – Exfiltration uses shell built-ins instead of curl or wget, a stealthy method to exfiltrate data. Quote: ‘using shell built-ins to accomplish this instead of curl.’
  • [T1041] Exfiltration Over C2 Channel – Credentials are sent to external C2 endpoints as Base64 data. Quote: ‘sends the Base64 encoded stolen credentials to the C2 IP Address.’
  • [T1562.004] Disable or Modify Network Access Controls – The actor disables protections by setting the firewall to fully permissive rules. Quote: ‘set the firewall to make them fully permissive.’
  • [T1087] Account Discovery – After gaining admin access, the attacker creates new users and a new set of access keys for every user in the account, including admins. Quote: ‘created new users and a new set of access keys for all the users in the account, including admins.’
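Three of the techniques above leave a distinctive trail in CloudTrail: a burst of CreateAccessKey calls across many users (T1087 as described), AuthorizeSecurityGroupIngress with fully permissive rules (T1562.004), and RunInstances from the same identity shortly afterwards (T1068). The detector below is an added example, not Sysdig's code, run over constructed CloudTrail-style events; the account id, ARNs, security-group id and timestamps are sample values, and the threshold and window are assumptions to tune per environment.

```python
"""Detect the SCARLETEEL post-compromise sequence in CloudTrail events.

Added example, not code from the Sysdig report. Event shape follows the
CloudTrail record format (eventTime, eventName, userIdentity.arn,
requestParameters); all values below are constructed.
"""

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

KEY_BURST_THRESHOLD = 3                 # assumed: distinct users keyed by one actor
KEY_BURST_WINDOW = timedelta(minutes=10)  # assumed sliding window

ATTACKER = "arn:aws:sts::111122223333:assumed-role/fargate-task-role/task"  # constructed
OPS = "arn:aws:iam::111122223333:user/ops-admin"                            # constructed


def _ev(time: str, actor: str, name: str, params: Dict = None) -> Dict:
    """Build a minimal CloudTrail-like record (constructed helper)."""
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": actor}, "requestParameters": params or {}}


PERMISSIVE = {"groupId": "sg-0123456789abcdef0",   # constructed
              "ipPermissions": {"items": [{"ipProtocol": "-1",
                                           "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}

SAMPLE_EVENTS = [
    _ev("2023-07-01T09:00:00Z", OPS, "CreateAccessKey", {"userName": "ops-admin"}),
    _ev("2023-07-01T09:30:00Z", OPS, "RunInstances", {"instanceType": "t3.small"}),
    _ev("2023-07-01T10:00:00Z", ATTACKER, "CreateAccessKey", {"userName": "alice"}),
    _ev("2023-07-01T10:01:00Z", ATTACKER, "CreateAccessKey", {"userName": "bob"}),
    _ev("2023-07-01T10:02:00Z", ATTACKER, "CreateAccessKey", {"userName": "ops-admin"}),
    _ev("2023-07-01T10:05:00Z", ATTACKER, "AuthorizeSecurityGroupIngress", PERMISSIVE),
    _ev("2023-07-01T10:06:00Z", ATTACKER, "RunInstances", {"instanceType": "c5.24xlarge"}),
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events: List[Dict]) -> Dict[str, List[Dict]]:
    """Return findings grouped by rule, processing events in time order."""
    events = sorted(events, key=lambda e: _ts(e["eventTime"]))
    keys_by_actor = defaultdict(list)       # actor -> [(time, userName)]
    burst_actors = set()                    # actors already flagged for a key burst
    findings = {"key_bursts": [], "permissive_sg": [], "run_instances_after_burst": []}

    for e in events:
        actor = e["userIdentity"]["arn"]
        name = e["eventName"]
        t = _ts(e["eventTime"])
        params = e.get("requestParameters") or {}

        if name == "CreateAccessKey":
            # Mass key creation: one identity minting keys for many users.
            keys_by_actor[actor].append((t, params.get("userName")))
            recent = {u for (tt, u) in keys_by_actor[actor] if t - tt <= KEY_BURST_WINDOW}
            if len(recent) >= KEY_BURST_THRESHOLD and actor not in burst_actors:
                burst_actors.add(actor)
                findings["key_bursts"].append(
                    {"actor": actor, "users": sorted(recent), "at": e["eventTime"]})

        elif name == "AuthorizeSecurityGroupIngress":
            # Fully permissive rule: all protocols from anywhere.
            for perm in params.get("ipPermissions", {}).get("items", []):
                for rng in perm.get("ipRanges", {}).get("items", []):
                    if perm.get("ipProtocol") == "-1" and rng.get("cidrIp") == "0.0.0.0/0":
                        findings["permissive_sg"].append(
                            {"actor": actor, "group": params.get("groupId")})

        elif name == "RunInstances" and actor in burst_actors:
            # New compute launched by an identity that just harvested keys.
            findings["run_instances_after_burst"].append(
                {"actor": actor, "instanceType": params.get("instanceType")})

    return findings


if __name__ == "__main__":
    for rule, hits in detect(SAMPLE_EVENTS).items():
        print(rule, hits)
```

Feed it decompressed CloudTrail log records (the `Records` array) in place of `SAMPLE_EVENTS`; the ops user's single key creation and ordinary launch produce no findings, while the Fargate task role trips all three rules in sequence.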

Indicators of Compromise

  • [Domain] C2/Exfiltration domains – hb.bizmrg.com, mcs.mail.ru/storage, and temp.sh
  • [IP Address] Exfil/C2 endpoints – 175.102.182.6, 45.9.148.221, and 5.39.93.71:9999
  • [IP Address] Credential/Token access helper – 169.254.170.2 (the link-local AWS container credentials endpoint queried by the actor; not an external address to block)

Read more: https://sysdig.com/blog/scarleteel-2-0/