Researchers Track Linux Intrusions to Cryptojacking Gang

Bitdefender security researchers have discovered a Romania-based threat group, active since at least last year, that targets Linux machines with weak Secure Shell Protocol (SSH) credentials.

Investigators found that the group deploys Monero-mining malware that hijacks victims' machines to mine cryptocurrency. That malware also enables other types of attacks, according to Christoph Hebeisen, director of security intelligence research at Lookout, an endpoint-to-cloud security company that is not associated with the Bitdefender report.

“That added functionality can open the door to malicious activities such as information theft, lateral movement or botnets,” he told LinuxInsider.

The group's focus on Linux is the latest in a string of incidents involving Linux systems. The operating system itself is a rigorously engineered and secure computing platform; breaches of Linux systems are usually the result of misconfiguration and user inattention to security.

“The current state of Linux security has evolved positively with more visibility and built-in security features. However, like many operating systems, you need to install, configure and manage it with security in mind, as this is how cybercriminals take advantage of human contact,” said Joseph Carson, chief security scientist and advisory CISO at Thycotic, a cloud identity security provider that is also not associated with the Bitdefender report. He told LinuxInsider.

Old tricks with new tools

Hackers targeting computers with weak SSH credentials are not uncommon, according to a Bitdefender blog post released July 15. The attacks are easy for hackers because computer operators often leave default usernames and passwords in place or choose weak SSH credentials.

Hackers can easily overcome those common weaknesses with brute force. The trick is to do so in a way that lets the attackers go unnoticed, according to Bitdefender.

In a brute-force attack, an attacker submits many passwords or passphrases in the hope of guessing one correctly. Investigators can identify hacker groups by the tools and methods they use.
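The weak credentials and misconfigurations described above are mostly settings in sshd_config. The following added example (not code from the article or the Bitdefender report) parses an sshd_config the way sshd does (first occurrence of a directive wins, Match blocks are conditional) and reports the settings that make password guessing practical; the defaults it assumes are OpenSSH's documented ones, and the two configs are constructed samples.

```python
"""Audit an sshd_config for settings that make SSH password guessing practical.
Added example; defaults assumed from OpenSSH docs (check `sshd -T` on your build)."""
import re
# sshd honours the FIRST occurrence of a directive; later duplicates are ignored.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}

def parse_sshd_config(text: str) -> dict:
    """Effective global directives: first match wins, Match blocks are skipped."""
    effective, seen, in_match = dict(DEFAULTS), set(), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True   # conditional block; everything after it is not global
            continue
        if in_match or key in seen:
            continue
        seen.add(key)
        effective[key] = value
    return effective

def audit(text: str) -> list:
    """Findings that leave a host exposed to SSH password brute forcing."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: switch to key-based logins")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: 'root' is the first username guessed")
    if int(cfg["maxauthtries"]) > 3:
        findings.append(f"MaxAuthTries {cfg['maxauthtries']}: lower to 3")
    return findings

# Constructed samples: a careless config and its hardened counterpart.
WEAK = """PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
PasswordAuthentication no   # ignored: the first occurrence above wins"""
HARDENED = """PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes"""
```

Running `audit(WEAK)` yields three findings, while `audit(HARDENED)` yields none because the password exception lives inside a Match block rather than applying globally.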

The number of original tools in this campaign and their complexity indicates that an individual or group with significant abilities created this toolkit, suggested Lookout’s Hebeisen.

“The actors behind cryptojacking campaigns aim to use third-party computing resources to mine cryptocurrencies for financial gain. Crypto mining is very computationally intensive and as such, having cloud instances controlled by cryptojacking can increase cloud costs for the victim,” Hebeisen said of the hackers' need to compromise a large number of personal and business computers.

Tracing the discovery of the attack

The threat group Bitdefender tracked uses traditional hacking tools. Among the hackers' toolkit, the researchers found a previously unreported SSH brute-force tool written in the open-source programming language Go (Golang), according to Bitdefender.

The researchers believe this tool is distributed under an as-a-service model, since it uses a centralized application programming interface (API) server. The group's scripts carry the threat actors' own API key.

“Like most of the other tools in this kit, the brute force tool has its interface in a mixture of Romanian and English. This leads us to believe that its author is part of the same Romanian group,” noted the Bitdefender cybersecurity blog.


The researchers began looking into this group in May because of a cryptojacking campaign that used the same software loader. They then traced the malware to a file server with an open directory that also housed other files and had been known to harbor other malware since February.

Security researchers connected the original tools in this hacker software kit to attacks seen in the wild. Most hackers have their favorite methods and techniques. When used often enough, these create a common fingerprint that can be used to digitally track them, according to Thycotic’s Carson.

“The ones that are difficult to trace are the ones who hide behind the stolen code or never use the same methods and techniques again. For each new campaign, they do something completely different,” he said.

However, attackers who tend to take this path are often well-funded and well-resourced. Most cybercriminals will take the easy route and reuse as many existing tools and techniques as possible.

“It really will depend on whether the attacker cares about being caught or not. The more steps an attacker takes to remain concealed, it tends to mean that he operates within a country that could be prosecuted if discovered,” he added.

Risky hacker tactics

Most cryptojacking campaigns try to steal energy and computing resources. That motivates threat actors to limit impact so they can stay hidden for as long as possible, according to Carson.

The impact on an organization is that it can degrade the performance of business operations and result in a hefty energy bill that, over time, can run into the thousands of dollars. Another risk is that cryptojacking can leave back doors, allowing other cybercriminals to gain access and cause further damage, such as ransomware.

“The techniques that are used have been shared too often on the darknet, making it easy for anyone with a computer and an internet connection to start a cryptojacking campaign. The ultimate goal is to mine cryptocurrencies for profit at the expense of others,” Carson said.


The success or failure of a malware distribution campaign depends on the people actually running the malware (cryptojacking or otherwise), said Karl Steinkamp, director of PCI products and quality assurance at Coalfire, which is not associated with the Bitdefender report. How the people behind such activities are pursued will vary, he noted.

“Some of these bad actors use bulletproof hosting, while others use hosting in places where law enforcement has trouble participating. There are also the bad actors who run operations directly from their main location, and for these select few, it is often trivial to track down and arrest these individuals,” Steinkamp told LinuxInsider.

Victims galore, once found

Attackers have the advantage when it comes to obtaining results. In part, that's because there is no shortage of exposed Linux machines with weak SSH credentials, Bitdefender noted.

Finding them is where the trick lies.

Attackers search for victims by scanning for servers that expose SSH with weak credentials. That process happens in three stages, explains the Bitdefender blog.

The attackers host multiple files on the server. These contain toolchains for cracking servers with weak SSH credentials. Depending on the scenario, the attackers use different tools.

  • The first stage is reconnaissance. The toolkit identifies SSH servers through port scanning and banner grabbing. The tools in play here are ps and masscan.
  • The second stage is credential access. The hackers identify valid credentials using brute force.
  • The third stage is initial access. The hackers connect via SSH and run the infection payload.

The hacker group uses 99x / haiduc (both Outlaw malware) and ‘raw’ during the last two stages.

Four keys to staying safe

Cryptojacking lets bad actors perform all the traditional functions of malware, with the added benefit of mining some amount of a crypto asset. Depending on the distribution/packaging of the malware and the technical skills of the bad actor, these crypto miners will often target Monero, Ethereum and/or Bitcoin, Steinkamp explained.

Many of these cryptojacking malware packages are sold on underground sites, allowing rookie and expert bad actors alike to take part. Gaining administrative access to one or more Linux hosts via SSH, system, or application vulnerabilities gives them a foothold for compromising the host and then spreading laterally and vertically within the organization, he said.

“Organizations that have strong configuration management, alerts, log management, file integrity, and incident response will generally respond better to a malware infection such as cryptojacking,” Steinkamp offered when asked about protection efforts to thwart such attacks.
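The second stage of the process described above (credential access by brute force, followed by an SSH login with the guessed password) leaves a recognizable trace in sshd's auth log, which is where the alerting and log management just mentioned pay off. The following added example (not Bitdefender's or Coalfire's tooling) runs that detection over constructed OpenSSH-format log lines: it flags a source that racks up failures within a sliding window, then raises a higher-severity alert if a password login from that source succeeds; the year, window and threshold are assumed values.

```python
"""Flag SSH password brute forcing, and the login a guessed weak credential yields,
from sshd auth.log lines. Added example; the sample lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
WINDOW = 60     # seconds of sliding window per source IP (assumed)
THRESHOLD = 4   # failures inside WINDOW that count as brute forcing (assumed)
YEAR = 2021     # syslog timestamps carry no year; assumed for the sample

def parse(line):
    """Return (ts, result, method, user, ip) or None for non-auth lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]

def detect(lines):
    """Alerts: ('bruteforce', ip, n_failures) and ('guessed_login', ip, user)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, method, user, ip = rec
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > WINDOW:   # expire old failures
                q.popleft()
            if len(q) >= THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(q)))
        elif method == "password" and ip in flagged:
            # success right after a burst of failures: the password was guessable
            alerts.append(("guessed_login", ip, user))
    return alerts

SAMPLE = """\
Jul 15 10:01:02 host sshd[1001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 15 10:01:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jul 15 10:01:05 host sshd[1003]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jul 15 10:01:06 host sshd[1004]: Failed password for invalid user ubuntu from 203.0.113.5 port 51237 ssh2
Jul 15 10:01:20 host sshd[1005]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Jul 15 10:05:09 host sshd[1006]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2""".splitlines()
```

The key-based login from the second address raises nothing, since only a password success from an already-flagged source is treated as a guessed credential.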


If cryptojacking malware is based on a known malware family or reuses code from other malware, antimalware rules and heuristics will likely detect newer cryptojacking variants, he continued.

Cryptojacking malware's attempts to hide itself using shell script compilers are easily reversed with free tools found on GitHub, which let security teams decompile x86, x64, MIPS, and ARM-based malware.

Bad actors using a different command and control (C2) mechanism to report information back is new but not unexpected, according to Steinkamp. Cryptojacking malware has used and continues to use IRC and HTTP for communications, and now we're seeing Discord.

“Each of these, by default, transmits key information from the compromised host in clear text, allowing the victim to easily log in and view communications. However, both can also be configured to use SSL, which makes tracking difficult,” he noted.
