By Lateef Hamzat, John Olatunde and Awwal Ishiaku
Our experience over the last few months has shown a sharp rise in crypto-mining malware in Nigeria. Our team has encountered several variants of such malware during MSSP deployments for clients in sectors such as energy and telecommunications and in various government parastatals. We will take you through what some of these engagements looked like and what to do to prevent them.
Towards the close of 2019, during an MSSP onboarding process for an energy company, we noticed suspicious activity through the cyber-technology tools we had deployed: heavy PowerShell usage in the environment that tended to starve the legitimate processes running critical business applications. This was first identified on a single server within the network, but thanks to CyberDome's technology stacking approach we were able to identify that twelve (12) more business-critical servers, all running Microsoft Windows, had already been infected.
Before CyberDome's team arrived on site, the IT team had tried to devise a means of fighting the situation on their own, since they believed it was a technical problem they could simply manage by killing PowerShell every time it rose to consume the CPU. Our findings later showed that the malicious actors had scheduled this activity to run every hour. The IT team had also reloaded the operating system of one of the affected servers before our arrival, and were surprised to see the same activity on that server three hours after it was added back to the network.
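A loader that fires on a fixed schedule is easier to catch by looking at the inter-arrival times of process-creation events than by staring at any single launch. The Python below is an added example written for this article, not CyberDome's tooling or the malware's code: it groups process-start records by host and image, measures the gaps between consecutive launches, and reports images whose gaps are near-constant. The event records, host names and the C:\ProgramData\upd.ps1 path are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of process-creation records: (UTC timestamp, host, image, command line).
# These are illustrative and are not data from the incident described on the page.
SAMPLE_EVENTS = [
    ("2019-12-02 00:00:05", "srv-app01", "powershell.exe",
     "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\ProgramData\\upd.ps1"),
    ("2019-12-02 00:13:00", "srv-app01", "backup.exe", "backup.exe --incremental"),
    ("2019-12-02 01:00:07", "srv-app01", "powershell.exe",
     "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\ProgramData\\upd.ps1"),
    ("2019-12-02 02:00:02", "srv-app01", "powershell.exe",
     "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\ProgramData\\upd.ps1"),
    ("2019-12-02 02:41:00", "srv-app01", "backup.exe", "backup.exe --full"),
    ("2019-12-02 03:00:09", "srv-app01", "powershell.exe",
     "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\ProgramData\\upd.ps1"),
    ("2019-12-02 07:05:00", "srv-app01", "backup.exe", "backup.exe --incremental"),
    ("2019-12-02 09:30:00", "srv-app02", "powershell.exe", "powershell.exe Get-Service"),
]


def find_periodic_launches(events, min_runs=3, max_jitter_s=120):
    """Return {(host, image): period_seconds} for images launched on a near-constant
    schedule. A loader that starts every hour, as described on the page, shows up with
    a period close to 3600; a job launched at irregular times has a large spread of gaps
    and is not reported."""
    by_key = defaultdict(list)
    for ts, host, image, _cmdline in events:
        by_key[(host, image.lower())].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))

    periodic = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_runs:
            continue  # too few launches to call it a schedule
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        # pstdev of the gaps is the jitter; a scheduler produces almost none
        if pstdev(gaps) <= max_jitter_s:
            periodic[key] = round(mean(gaps))
    return periodic


if __name__ == "__main__":
    for (host, image), period in find_periodic_launches(SAMPLE_EVENTS).items():
        print(f"{host}: {image} launches every ~{period}s")
```

In practice the events would come from Windows Security event ID 4688 or Sysmon event ID 1 exports; the tolerance of 120 seconds absorbs task-scheduler and logging delay while still separating a scheduled job from interactive use.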
Our investigation revealed a vulnerability on the network which the malicious actors had leveraged. The primary goal of this malicious campaign is cryptomining: hijacking CPU resources for the attacker's gain and propagating to other systems. Further analysis showed that the threat actors could use this malware at any time to exfiltrate, destroy or ransom sensitive data on critical systems. There were also indications of Pass-the-Hash activity on the network, as many usernames and passwords had been enumerated.
With zero visibility, the affected organization could not tell what its real problem was, and kept treating it as a technical problem that IT could fix. While they were fixing it their own way, the threat actor was harnessing the organization's 24/7 Internet access, power and computing resources to mine cryptocurrency.
This is just one of many such cases in Nigeria today. Many organizations' IT infrastructure has been owned by attackers, and these organizations are contributing heavily to the cryptocurrency value these threat actors make every year.
On this note, we will reveal a variant of the ShellBot malware we recently came across at an Internet company (part of CyberDome's SOC constituency). It targets Linux and Unix-based operating systems, vulnerable servers and Internet of Things (IoT) devices by exploiting known vulnerabilities for which exploits are publicly available.
The malicious activity of this malware was first noticed by our security analysts at the affected organization after a multitude of outbound SSH connections from the compromised server was recorded, indicating that the server was being used as a platform to launch SSH brute-force attacks against other servers on the public Internet. Approximately 2 million SSH connections per day were recorded from the compromised server, as shown in Figure 1 below.
Because of this enormous volume of outbound SSH connections, compromised servers are quickly flagged by Shodan as a (malicious) Internet scanner.
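The signal the analysts used here, a server initiating SSH connections to the Internet at a volume and fan-out no legitimate workload produces, can be turned into a simple detection over flow records. The Python below is an added example for this article, not CyberDome's platform code: it counts outbound TCP/22 connections and distinct external targets per internal source and flags sources over a threshold. The flow lines, the 10.20.1.0/24 hosts and the thresholds are constructed for illustration; the destinations use the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges; adjust to the organization's actual address plan (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto".
# 10.20.1.15 stands in for a compromised host, 10.20.1.40 for an admin workstation
# that legitimately reaches one external host; nothing here is from the incident.
SAMPLE_FLOWS = """\
2020-03-10T08:00:01Z 10.20.1.15 51022 203.0.113.7 22 tcp
2020-03-10T08:00:01Z 10.20.1.15 51023 203.0.113.8 22 tcp
2020-03-10T08:00:01Z 10.20.1.15 51024 203.0.113.9 22 tcp
2020-03-10T08:00:02Z 10.20.1.15 51025 198.51.100.3 22 tcp
2020-03-10T08:00:02Z 10.20.1.15 51026 198.51.100.4 22 tcp
2020-03-10T08:00:02Z 10.20.1.15 51027 198.51.100.5 22 tcp
2020-03-10T08:00:03Z 10.20.1.15 51028 203.0.113.7 22 tcp
2020-03-10T08:00:03Z 10.20.1.15 51029 198.51.100.6 22 tcp
2020-03-10T08:15:40Z 10.20.1.40 40112 203.0.113.50 22 tcp
2020-03-10T08:16:02Z 10.20.1.40 40113 203.0.113.50 22 tcp
2020-03-10T08:16:30Z 10.20.1.40 40114 203.0.113.60 443 tcp
2020-03-10T08:17:00Z 203.0.113.99 33000 10.20.1.15 22 tcp
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split()
        flows.append({"ts": ts, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def outbound_ssh_stats(flows, ssh_port=22):
    """Per internal source: number of outbound SSH connections and the set of
    distinct external targets. Inbound SSH and non-SSH traffic are ignored."""
    stats = defaultdict(lambda: {"connections": 0, "targets": set()})
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != ssh_port:
            continue
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        stats[f["src"]]["connections"] += 1
        stats[f["src"]]["targets"].add(f["dst"])
    return dict(stats)


def flag_ssh_scanners(flows, max_connections=500, max_targets=50):
    """Sources exceeding either threshold. The defaults are a starting point for a
    day of flow data; a server that should never initiate SSH to the Internet can
    be held to zero."""
    return sorted(src for src, s in outbound_ssh_stats(flows).items()
                  if s["connections"] > max_connections or len(s["targets"]) > max_targets)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, s in outbound_ssh_stats(flows).items():
        print(f"{src}: {s['connections']} outbound SSH connections to {len(s['targets'])} targets")
    print("flagged:", flag_ssh_scanners(flows, max_connections=5, max_targets=3))
```

Distinct-target count is the more robust of the two measures: a backup job may open many SSH sessions to one host, whereas a brute forcer working through an IP list touches hundreds of hosts that the source has never contacted before.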
CyberDome security analysts notified the affected customer and analyzed the incident further to determine what was on the compromised server that could account for this malicious behaviour, and then remediated it.
This activity was eventually traced back to a program called tsm, which was invoked from a shell script called go, as seen in Figure 2 below, with the command line "timeout 24h ./tsm -t $threads -f 1 -S 9 -p 0 -d 1 p ip". The arguments p and ip are a password list and a list of IP addresses of systems to be attacked, respectively; they were downloaded, renamed and then passed to the tsm command, which is the module responsible for the anomalous outbound SSH connections.
Digging deeper with the CyberDome Security Platform, we found that the malware consists of three components: a cryptominer component, a command and control (C2) component and an SSH brute-force component, together with several other payloads used by the malware.
To ensure that all root causes were identified and proper remediation applied, all of the malware components were collected and analysed in the CyberDome Lab to find out how they work. Research also indicated that this malware campaign is run by the well-known Outlaw group, with an improved evasion technique for its scanning activity and improved mining profits obtained by killing off both competing miners and the group's own previous miners.
These components are discussed in this section as uncovered by the IR team.
The cryptominer component consists of two files, named cron and anacron. Both are invoked by the script called run, as seen in Figure 3. cron is the 64-bit variant, while anacron is the 32-bit variant.
Submitting the cryptominer files to VirusTotal shows 34/58 detections for the cron file and 23/59 detections for the anacron file. This shows the files are highly malicious. An excerpt from the VirusTotal report on the cron file is seen in Figure 4.
Command and Control
The command and control component consists of two files: rsync and run. rsync is a packed malware written in Perl. It was also identified on VirusTotal as a Perl ShellBot variant, as seen in Figure 5.
The second C2 component is a binary named run. There is no analysis of it on VirusTotal yet, but the file establishes persistence by replacing the user's SSH keys with the attacker's. It does this by removing the user's .ssh folder and adding its own in its place. The attacker-controlled .ssh key is seen in Figure 6 below.
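Because this persistence mechanism swaps the whole .ssh folder, the natural check is to compare every authorized_keys entry on a host against an inventory of keys the organization actually issued. The Python below is an added example for this article, not the malware's run binary or CyberDome's code: it parses authorized_keys lines (including the option prefix that may precede the key type) and reports entries whose key blob is not in the approved baseline. The key blobs are constructed base64 stand-ins, not real public keys, and the comments and baseline set are assumptions.

```python
import base64
import shlex

# Key-type prefixes accepted by OpenSSH; sk- types are FIDO keys.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-")


def fake_blob(label):
    """Constructed stand-in for a base64 public-key blob; NOT a real key."""
    return base64.b64encode(label.encode()).decode()


ADMIN_BLOB = fake_blob("constructed admin key blob")
BACKUP_BLOB = fake_blob("constructed backup key blob")
ROGUE_BLOB = fake_blob("constructed rogue key blob")

# Baseline of approved key blobs; assumed to come from the organization's key inventory.
APPROVED_BLOBS = {ADMIN_BLOB, BACKUP_BLOB}

# Constructed authorized_keys content: two approved entries and one that is not in the baseline.
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample, not taken from the incident
ssh-ed25519 {ADMIN_BLOB} admin@jumphost
command="/usr/local/bin/backup --all",no-pty ssh-rsa {BACKUP_BLOB} backup@nas

ssh-rsa {ROGUE_BLOB} unknown@nowhere
"""


def parse_authorized_keys(text):
    """Return a dict per key line with options, type, blob and comment.
    Blank and comment lines are skipped; a quoted option such as
    command="... ..." is kept as a single token by shlex."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            # Unparseable line: surface it rather than silently dropping it.
            entries.append({"options": "", "type": "invalid", "blob": "", "comment": line})
            continue
        entries.append({
            "options": " ".join(tokens[:idx]),
            "type": tokens[idx],
            "blob": tokens[idx + 1],
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def audit_authorized_keys(text, approved_blobs):
    """Entries whose key blob is not in the approved baseline (invalid lines included)."""
    return [e for e in parse_authorized_keys(text) if e["blob"] not in approved_blobs]


def audit_file(path, approved_blobs):
    """Audit one authorized_keys file on disk, e.g. /root/.ssh/authorized_keys."""
    with open(path, encoding="utf-8") as fh:
        return audit_authorized_keys(fh.read(), approved_blobs)


if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_BLOBS):
        print(f"unapproved {entry['type']} key: comment={entry['comment']!r} options={entry['options']!r}")
```

Run audit_file over every home directory's .ssh/authorized_keys (and /root) from a scheduled job; a host whose file suddenly contains only unapproved entries, or whose .ssh directory has a fresh creation time, matches the folder-replacement behaviour described above.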
SSH Brute Forcer
The last component of the malware is an SSH brute-force tool consisting of two binaries, tsm32 and tsm64. As the names suggest, they are the 32-bit and 64-bit versions of the brute forcer, respectively. Figure 7 shows the content of the tsm32 file.
The file init0 also attempts to remove other crypto miners from the system before launching the malware files, so that the miner gets as many of the system's resources as possible without competition. This can be seen in Figure 8.
In this campaign, our findings indicate that the compromised system is used by the brute-forcer component to scan the Internet (the outbound SSH connections) for other systems that can be infected, so that more computers are added to the attacker's botnet infrastructure dedicated to mining cryptocurrency with the cryptominer component; the result on each compromised system is resource hijacking. The C2 component ensures that the compromised system continuously remains part of the botnet infrastructure and that persistence is regained if a service or process is terminated.
Research indicates that approximately $300 is made from the campaign daily, and the more hosts are infected, the higher this number climbs. How much this is worth also depends on the value of Monero (XMR) at any given time.
Research indicates that the pattern of this group's campaign has remained the same since its operation was first discovered in 2018. The Outlaw group has consistently reused scripts, code and commands it has previously deployed, changing only the variants. It also appears that the group goes after enterprises that have yet to patch their systems, as well as companies with Internet-facing systems and weak or no monitoring of traffic and activity.
Organizations are advised to embark on patch management, to harden legacy systems that cannot be patched, to close unused ports, and to use secure ports on other Internet-facing devices that are regularly open for public access. They can also adopt the services of an MSSP such as CyberDome, which provides a multilayered cyber technology that can protect their users, endpoints and networks through 24/7 monitoring and incident response capability.
Below is the list of Indicators of Compromise (IoCs) observed on the compromised server investigated: hashes and possible file locations for all files dropped by the malware. This information might change from variant to variant, but the campaign approach remains the same.
Observed Installation Locations
Malware Campaign Flow Diagram.