Elastic researchers uncover a curious cryptojacking operation.
Recently, experts from Elastic Security Labs discovered a sophisticated REF6138 malware campaign targeting vulnerable Linux servers. The hackers began their malicious activity in March 2024 by exploiting a vulnerability in the Apache2 web server. After gaining access, the attackers deployed a suite of tools and malware to establish a presence on the compromised host and further expand control.
The attackers used a variety of malware, including KAIJI, known for its DDoS capabilities, and RUDEDEVIL, which is a cryptominer that exploits the system's resources for its own purposes.
During the investigation, experts discovered a possible Bitcoin and XMR mining scheme based on the use of gambling APIs. This suggests that the attackers may have used the compromised hosts to launder money. In addition, the researchers gained access to a file server that was updated daily with fresh samples of KAIJI, indicating that the malware was under active development and modification.
For covert communication, the attackers used Telegram bots, fake kernel processes, and cron-based task scheduling. The attack began by gaining remote access to Apache2 and downloading a script called "00.sh". This script deleted system logs, killed competing mining processes, and installed additional malicious files. To further control the compromised server, the attackers relied on a file server hosting malware samples for several architectures.
One of the main components of the campaign was RUDEDEVIL, which stood out for a message from its author embedded in its code. It also performed a number of tasks, such as installing itself on the system, communicating over sockets, and monitoring network activity. In addition, analysis of this malware revealed the use of XOR encryption to mask data.
Regarding the specific message, in the RUDEDEVIL code, experts identified the following lines addressed to security experts: "Hello, buddy. I have seen that several organizations have reported my Trojan recently. Please don't disturb me. I just want to buy a car. I don't want to hurt anyone or do anything illegal. If it's not difficult, throw me some crypto next XMR wallet..."
This message may be an attempt to evoke sympathy or to distract researchers, but in any case it is a distinctive feature of RUDEDEVIL and draws some interest to its author.
Returning to the analysis of the campaign, the attackers also used tools to monitor processes and network activity. These could regulate CPU load and send system information to C&C servers over secure channels.
Another tool in the attackers' kit was GSOCKET, a utility for encrypted communication between systems that hides its activity by posing as kernel processes. The attack also exploited CVE-2021-4034 (PwnKit) to gain root privileges.
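As an added example (not code from the original post or from Elastic's report), here is a small Python check for the "fake kernel processes" technique described above: it flags user-space processes that borrow kernel-thread names but break the invariants real kernel threads satisfy (parent PID 2, no exe link, empty cmdline). The record layout, the sample process list and the placeholder binary path are constructed assumptions; snapshot_proc reads a live procfs on Linux.

```python
from collections import namedtuple
from pathlib import Path

# Added example, not code from the original post or from Elastic's report.
# Fields mirror /proc/<pid>/{status:PPid,comm,exe,cmdline}; exe and cmdline are "" for real kernel threads.
Proc = namedtuple("Proc", "pid ppid comm exe cmdline")
KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd
KERNEL_PREFIXES = ("kworker", "kthread", "ksoftirqd", "migration", "rcu_", "kswapd")

def looks_like_kernel_thread(comm: str) -> bool:
    """Names attackers borrow: bracketed names or kworker/kthread-style prefixes."""
    return comm.startswith("[") or comm.strip("[]").startswith(KERNEL_PREFIXES)

def suspicious(p: Proc) -> bool:
    """Flag a kernel-looking name whose parent is not kthreadd, or that has an exe link or a cmdline."""
    if p.pid in (1, KTHREADD_PID) or not looks_like_kernel_thread(p.comm):
        return False
    return p.ppid != KTHREADD_PID or p.exe != "" or p.cmdline != ""

def find_masquerading(procs) -> list:
    """Return the PIDs of processes that look like user-space code posing as kernel threads."""
    return sorted(p.pid for p in procs if suspicious(p))

def snapshot_proc(root: str = "/proc") -> list:
    """Collect Proc records from a live procfs (Linux only); PIDs that vanish mid-read are skipped."""
    out = []
    for d in Path(root).iterdir():
        if not d.name.isdigit():
            continue
        try:
            comm = (d / "comm").read_text().strip()
            ppid_line = next(line for line in (d / "status").read_text().splitlines() if line.startswith("PPid:"))
            cmdline = (d / "cmdline").read_bytes().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = str((d / "exe").readlink())
            except OSError:
                exe = ""  # kernel threads (and some zombies) have no readable exe link
            out.append(Proc(int(d.name), int(ppid_line.split()[1]), comm, exe, cmdline))
        except (OSError, StopIteration, ValueError):
            continue
    return out

# Constructed sample (not real telemetry): a genuine kworker, a normal daemon, and a
# user-space binary under a placeholder path hiding behind a kernel-style name.
SAMPLE = [
    Proc(2, 0, "kthreadd", "", ""),
    Proc(15, 2, "kworker/0:1", "", ""),
    Proc(900, 1, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    Proc(4321, 1, "kworker/0:2", "/tmp/.hidden/PLACEHOLDER-BINARY", "[kworker/0:2]"),
]
```

On a live host, `find_masquerading(snapshot_proc())` applies the same check to the running process table; hits deserve a look at the exe link and parent chain before any action.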
As you can see, cybercriminals are becoming more and more inventive, combining various methods to gain control over systems and maximize their profits. Their approaches show that they are willing to do anything for their own benefit, even appealing to the sympathy of researchers. In such a dynamic cyber threat landscape, timely detection and protection are key, and a simple understanding of risk can play a crucial role in preventing serious consequences.
Source