Search This Blog

Showing posts with label Cryptojacking Campaign. Show all posts

Romanian Cryptojacking Gang Target Linux-based Machines to Install Cryptominer Malware


Romanian threat actors are employing a new brute-forcer “Diicot brute” to crack the passwords on Linux-based machines and install cryptominer malware. 

According to Bitdefender researchers, the cryptojacking gang employs a unique SSH brute-forcer dubbed Diicot to crack weak passwords on Linux machines and install code of a miner XMRig, a legitimate open-source miner that’s been adapted for cryptojacking by numerous hackers. 

The researchers said they connected the cryptojacking gang to at least two DDoS botnets: a variant of the Linux-based DDoS DemonBot botnet called “Chernobyl” and a Perl IRC bot. The main motive of this campaign is to deploy Monero mining malware, also their toolset can be used to steal sensitive information from users and perform other nefarious actions. 

Cryptojacking is a slow and tedious way to generate illicit income, that’s why the actor is using botnet to infect as many devices as possible. “Owning multiple systems for mining is not cheap, so attackers try the next best thing: To remotely compromise devices and use them for mining instead,” according to the report published by Bitdefender researchers.

Threat actors are targeting people with weak and default passwords that are easily broken through brute force. “People are the simple reason why brute-forcing SSH credentials still work,” researchers wrote.

“Hackers going after weak SSH credentials is not uncommon. The tricky part is not necessarily brute-forcing passwords but rather doing it in such a manner that attackers can’t go undetected,” Bitdefender says. Another feature of the Diicot Brute force attack implied the capability of the tool to filter honeypots, as per threat actors’ declarations.

The attackers started the campaign in January and have not yet moved to the worm phase, according to Bitdefender. The cybersecurity analysts tracked the Romanian cryptojacking Gang back in May. Then, they discovered the cryptojacking campaign based on the “.93joshua” loader. Surprisingly enough, it was easy to trace the malware to “http://45[.]32[.]112[.]68/.sherifu/.93joshua” in an open directory.

“It turns out that the server hosted other files. Although the group hid many of the files, their inclusion in other scripts revealed their presence. They found that the associated domain,, has hosted malware at least since February,” analysts noted

TeamTNT Targeting Organizations Via Cryptojacking Malware


A cybercriminal gang known as TeamTNT has been ramping up its cloud-focused cryptojacking operations for some time now. TeamTNT operations have targeted Kubernetes clusters due to their wide usage and are an attractive target for threat actors running primarily in cloud environments with access to nearly infinite resources.

Attackers have also designed new malware called Black-T that unites open-source cloud-native tools to assist in their cryptojacking operations. Once getting a foothold into a Kubernetes cluster, the malware attempted to spread over as many containers as possible, leading to malicious activity. 

Palo Alto’s Unit 42 researchers have discovered and confirmed close to 50,000 IPs compromised by this malicious campaign perpetrated by TeamTNT across multiple clusters. Several IPs were repeatedly exploited during the timeframe of the episode, occurring between March and May. Most of the compromised nodes were from China and the US — identified in the ISP (Internet Service Provider) list, which had Chinese and US-based providers as the highest hits, including some CSPs (Cloud Service Providers)

TeamTNT has gathered 6.52012192 Monero coins via a cryptojacking campaign, which is equal to USD 1,788. The mining operation was found to be operating at an average speed of 77.7KH/s across eight mining workers. Operations using this Monero wallet address have continued for 114 days and are still operating. 

The researchers said TeamTNT’s new campaign is the most sophisticated malware Unit 42 has seen from this gang. They said on this round the threat actor developed more sophisticated tactics for initial access, execution, defense evasion, and command and control. Although the malware is still under development and the campaign has not spread widely, Unit 42 believes the attacker will soon improve the tools and start a large-scale deployment. 

Team TNT has stolen the credentials of 16 applications, including those of AWS and Google Cloud credentials, which may be stored on the compromised cloud instance if downloaded. The presence of Google Cloud credentials being targeted for collections represents the first known instance of an attacker group targeting IAM credentials on compromised cloud instances outside of AWS. 

Researchers believe that Microsoft Azure, Alibaba Cloud, Oracle Cloud, or IBM Cloud IAM credentials could be targeted using similar methods. Unit 42 researchers are yet to find evidence of credentials from these cloud service providers (CSPs) being targeted. TeamTNT first started collecting AWS credentials on cloud instances they had compromised as early as August 2020.