Full Report
During the summer of 2023, using the Wiz Sensor, Wiz Research detected several different cryptomining campaigns targeting cloud workloads. Learn about these campaigns and their associated IoCs, and how to detect and prevent similar threats.
# Analysis Summary
# Tool/Technique: XMRig
## Overview
XMRig is an open-source CPU miner designed for Monero (XMR) and other RandomX/CryptoNight-based cryptocurrencies. It is frequently utilized by threat actors for cryptomining operations due to its performance and availability, often deployed opportunistically against vulnerable cloud workloads.
## Technical Details
- Type: Malware family (Cryptominer)
- Platform: Linux (Implied by cloud workload targeting and fileless techniques)
- Capabilities: Mining Monero (XMR) and similar cryptocurrencies using CPU resources.
- First Seen: Not specified in context (Known open-source tool).
## MITRE ATT&CK Mapping
- T1496 - Resource Hijacking
- XMRig itself maps only to Resource Hijacking; the initial-access, execution and persistence techniques used alongside it in these incidents (Jupyter and Solr exploitation, cron persistence) are mapped in their own sections of this report.
## Functionality
### Core Capabilities
- High-performance CPU-based cryptocurrency mining.
- Used in conjunction with various initial access vectors (e.g., vulnerable Jupyter Notebooks, unpatched Apache Solr).
### Advanced Features
- Used in fileless configurations (e.g., Pyloose, using `memfd_create`).
- Renamed and disguised (e.g., "newhello").
## Indicators of Compromise
- File Hashes:
  - Kinsing Incident Miner SHA1: `0ceb8ffb0be23b808b534d744440f4367e17b9c5` (Associated with Kinsing payload, which includes XMRig)
  - z0Miner Miner SHA1 (`solrd`): `430e3d3bb3a4ebf30b9345b8fc7a2a6cf69ba8a8`
- File Names: `newhello` (renamed XMRig), `solrd` (z0Miner variant)
- Network Indicators:
  - Miner Pools/Proxies (Kinsing): `194[.]87[.]254[.]160`, `185[.]87[.]48[.]183`, `185[.]156[.]179[.]225`, `176[.]113[.]81[.]186`
  - z0Miner Pool: `pool.supportxmr.com`
- Behavioral Indicators: System resource utilization spikes (CPU load), network connections to known mining pools.
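The indicators above are published defanged (`[.]` for `.`), so they need to be refanged before they can be matched against flow or DNS logs, and IP matching must be whole-token so `185.87.48.183` does not fire inside a longer dotted string. The following is an added example, not code from the Wiz report; the log lines are constructed for the run and the `pool.example`-style values are placeholders.

```python
import hashlib
import re

# Indicators from the XMRig section above, kept defanged exactly as the report lists them.
DEFANGED_POOLS_AND_PROXIES = [
    "194[.]87[.]254[.]160", "185[.]87[.]48[.]183", "185[.]156[.]179[.]225",
    "176[.]113[.]81[.]186", "pool.supportxmr.com",
]
MINER_SHA1 = {
    "0ceb8ffb0be23b808b534d744440f4367e17b9c5": "Kinsing payload (bundles XMRig)",
    "430e3d3bb3a4ebf30b9345b8fc7a2a6cf69ba8a8": "z0Miner XMRig variant (solrd)",
}

def refang(indicator: str) -> str:
    """Undo the report's defanging so an indicator can be matched against real traffic."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

NETWORK_IOCS = sorted({refang(i) for i in DEFANGED_POOLS_AND_PROXIES}, key=len, reverse=True)
# Whole-token match only: '185.87.48.183' must not fire inside '10.185.87.48.183', nor
# 'pool.supportxmr.com' inside 'pool.supportxmr.community' or 'x.pool.supportxmr.com'.
IOC_RE = re.compile(r"(?<![\w.])(" + "|".join(map(re.escape, NETWORK_IOCS)) + r")(?!\w|\.\w)")

def scan_log_lines(lines):
    """Return (line_number, indicator) for each line that mentions a listed pool or proxy."""
    return [(n, m.group(1)) for n, line in enumerate(lines, 1) for m in IOC_RE.finditer(line)]

def sha1_hexdigest(path: str) -> str:
    """SHA-1 of a file, read in chunks so a large binary need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def label_miner_hash(sha1_hex: str):
    """Map a SHA-1 to the report's miner label, or None if it is not a listed sample."""
    return MINER_SHA1.get(sha1_hex.lower())

# Constructed flow and DNS log lines for a stand-alone run; they are not from the report.
SAMPLE_LOG = [
    "2023-07-14T10:02:11Z conn src=10.0.3.7:51234 dst=185.87.48.183:3333 proto=tcp",
    "2023-07-14T10:02:12Z dns query=pool.supportxmr.com type=A client=10.0.3.7",
    "2023-07-14T10:02:13Z dns query=pool.supportxmr.community type=A client=10.0.3.9",
    "2023-07-14T10:02:14Z conn src=10.0.3.7:51236 dst=203.0.113.10:443 proto=tcp",
]

if __name__ == "__main__":
    for line_no, ioc in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: known mining pool/proxy {ioc}")
```

Pair `label_miner_hash(sha1_hexdigest(path))` with a file-system sweep of likely drop directories to hunt for the listed binaries; the other sections' hashes can be added to `MINER_SHA1` the same way.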
## Associated Threat Actors
- Opportunistic Threat Actors (General Cloud Cryptominers)
- Kinsing (Used XMRig/Kinsing variant)
## Detection Methods
- Signature-based detection: YARA rules targeting known XMRig binaries or configuration strings.
- Behavioral detection: Monitoring for high CPU usage by unknown or unexpected processes, especially connections to mining pools.
- Related Tools/Techniques: Detection related to the specific deployment methods (Jupyter RCE, Solr exploits).
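Behavioral detection has to survive the two evasions the report describes: the binary being renamed (`newhello`, `solrd`) and the miner never touching disk (Pyloose via `memfd_create`). The triage below, an added example rather than code from the Wiz report, keys on signals that a renamed or fileless XMRig still exposes: a `/proc/<pid>/exe` link that points at a memfd or deleted path, XMRig's own command-line option names, and sustained CPU load. The process table is constructed and the `pool.example.invalid` hosts are placeholders.

```python
import os
import re
# XMRig's own option names and stratum URL schemes: they survive renaming the
# binary (the report's "newhello" and "solrd") because the miner still needs them.
MINER_ARGUMENT_MARKERS = ("--donate-level", "stratum+tcp://", "stratum+ssl://", "--randomx-", "--algo=rx/")
# /proc/<pid>/exe pointing at a memfd (Pyloose's memfd_create technique) or at a
# deleted path means the running image no longer exists on disk for a scanner to hash.
FILELESS_EXE_RE = re.compile(r"^/memfd:|\(deleted\)$")

def classify_process(exe_target: str, cmdline: str, cpu_pct: float = 0.0):
    """Return the behavioural reasons this process looks like a miner (empty list if none)."""
    reasons = []
    if FILELESS_EXE_RE.search(exe_target):
        reasons.append("fileless-or-deleted-executable")
    if any(marker in cmdline.lower() for marker in MINER_ARGUMENT_MARKERS):
        reasons.append("xmrig-style-arguments")
    if cpu_pct >= 80.0:
        reasons.append("sustained-high-cpu")
    return reasons

def triage(records):
    """records: iterable of (pid, exe_target, cmdline, cpu_pct); returns only the suspicious ones."""
    hits = []
    for pid, exe, cmdline, cpu in records:
        reasons = classify_process(exe, cmdline, cpu)
        if reasons and reasons != ["sustained-high-cpu"]:  # high CPU alone is normal for batch jobs
            hits.append((pid, reasons))
    return hits

def read_proc(proc_root="/proc"):
    """Collect (pid, exe_target, cmdline, 0.0) for every readable process; CPU sampling is left to the caller."""
    records = []
    for name in filter(str.isdigit, os.listdir(proc_root)):
        try:
            exe = os.readlink(f"{proc_root}/{name}/exe")
            with open(f"{proc_root}/{name}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:  # kernel threads, already-exited or unreadable processes
            continue
        records.append((int(name), exe, cmdline, 0.0))
    return records

# Constructed process table for a stand-alone run; not telemetry from the incidents.
SAMPLE_PROCESSES = [
    (1201, "/usr/bin/python3.11", "python3 -m jupyter notebook --ip=127.0.0.1", 3.0),
    (4410, "/memfd:x (deleted)", "newhello -o stratum+tcp://pool.example.invalid:3333 --donate-level 0", 97.0),
    (4422, "/opt/solr/bin/solrd (deleted)", "solrd -a rx/0 -o pool.example.invalid:443", 92.0),
    (5100, "/usr/bin/ffmpeg", "ffmpeg -i in.mp4 out.mkv", 95.0),
]
```

On a live Linux host, `triage(read_proc())` flags fileless or argument-matching processes even without CPU figures; supply per-PID CPU from your agent's sampler to get the third signal.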
## Mitigation Strategies
- Patching known vulnerabilities (e.g., Apache Solr v8.1.1).
- Hardening cloud environments, specifically securing notebook services (e.g., Jupyter) to prevent remote unauthenticated execution.
- Restricting execution of unknown binaries or scripts from public sources (GitHub, Pastebin).
- Implementing runtime protection to block known miner hashes or process behavior.
## Related Tools/Techniques
- CCminer
- Xmr-Stack-RX
***
# Tool/Technique: CCminer
## Overview
CCminer is another open-source cryptomining software, similar to XMRig, used by attackers in some of the observed campaigns to mine cryptocurrencies on compromised cloud infrastructure for direct financial gain.
## Technical Details
- Type: Malware family (Cryptominer)
- Platform: Linux (Implied)
- Capabilities: Cryptocurrency mining.
- First Seen: Not specified in context.
## MITRE ATT&CK Mapping
- T1496 - Resource Hijacking
## Functionality
### Core Capabilities
- CPU/GPU-based cryptocurrency mining.
### Advanced Features
- Deployed via initial access vectors such as vulnerable Jupyter Notebooks.
## Indicators of Compromise
- File Hashes:
  - CCminer SHA1: `0b97613c4c747f9f86d195fb6ead6c030bd21fee`
- Network Indicators:
  - Pool: `eu.luckpool.net:3956`
## Associated Threat Actors
- Opportunistic Threat Actors
## Detection Methods
- Signature-based detection (Hashing).
- Behavioral detection (Monitoring network traffic connections to the specified pool).
## Mitigation Strategies
- Strict egress filtering to block connections to known mining infrastructure.
- Runtime monitoring for mining processes.
## Related Tools/Techniques
- XMRig
- Xmr-Stack-RX
***
# Tool/Technique: Xmr-Stack-RX
## Overview
Xmr-Stack-RX is a recognized CPU/GPU-based cryptominer frequently employed by threat actors targeting cloud resources. Its inclusion in the observed incidents signifies a common reliance on readily available, high-performance mining software.
## Technical Details
- Type: Malware family (Cryptominer)
- Platform: Linux (Implied)
- Capabilities: Cryptocurrency mining (likely Monero variant).
- First Seen: Not specified in context.
## MITRE ATT&CK Mapping
- T1496 - Resource Hijacking
## Functionality
### Core Capabilities
- Cryptocurrency mining.
## Indicators of Compromise
- No file or network indicators for this miner are given in the report; it was deployed through the open Jupyter Notebook vector described below.
## Associated Threat Actors
- Opportunistic Threat Actors
## Mitigation Strategies
- General hardening against cryptomining intrusion, focusing on RCE prevention.
## Related Tools/Techniques
- XMRig
- CCminer
***
# Technique: Exploiting Open Jupyter Notebooks for Initial Access
## Overview
This technique involves threat actors gaining initial access to cloud workloads by exploiting misconfigured or unsecured Jupyter Notebook instances that allow remote unauthenticated access, leading directly to Remote Code Execution (RCE).
## Technical Details
- Type: Technique (Initial Access)
- Platform: Linux-based cloud workloads hosting Jupyter.
- Capabilities: Achieving RCE on the host machine.
- First Seen: Summer 2023 (in context of these incidents).
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- (Jupyter Notebook RCE is often mapped here or as a form of execution via an application vulnerability/misconfiguration)
## Functionality
### Core Capabilities
- Executing arbitrary code on the target system through an unsecured notebook interface.
### Advanced Features
- Used as a vector to deploy fileless malware (Pyloose) or download and execute external miners and administrative tools.
## Indicators of Compromise
- Behavioral Indicators: Initial POST/external requests to vulnerable Jupyter endpoints preceding abnormal process execution.
## Associated Threat Actors
- Opportunistic Threat Actors
## Detection Methods
- Network monitoring for connections to Jupyter ports exhibiting unusual command execution patterns.
- Configuration audit tools to identify publicly exposed, unauthenticated Jupyter instances.
## Mitigation Strategies
- Proper configuration of Jupyter Notebooks, ensuring they are not exposed publicly without strong authentication.
- Network segmentation to isolate notebook environments.
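The misconfiguration this technique relies on is concrete: a notebook bound to a non-local address with its token disabled and no password set. The audit below, an added example that is not part of the Wiz report, parses a `jupyter_notebook_config.py`-style file without executing it and reports that combination; it assumes the classic `c.NotebookApp.*` option names (and accepts the `c.ServerApp.*` prefix of newer Jupyter Server releases as the same options). Both configs are constructed and the password hash is a placeholder.

```python
import ast
import re
# Keys as written in a classic jupyter_notebook_config.py; Jupyter Server uses the same
# option names under c.ServerApp (assumption: both prefixes are handled the same way here).
CONFIG_LINE_RE = re.compile(r"^\s*c\.(?:NotebookApp|ServerApp)\.(\w+)\s*=\s*(.+?)\s*$")
LOCAL_ADDRESSES = {"localhost", "127.0.0.1", "::1"}

def parse_config(text: str) -> dict:
    """Extract c.<App>.<key> = <literal> assignments without executing the config file."""
    settings = {}
    for line in text.splitlines():
        m = CONFIG_LINE_RE.match(line)
        if not m:
            continue
        try:
            settings[m.group(1)] = ast.literal_eval(m.group(2))
        except (ValueError, SyntaxError):
            settings[m.group(1)] = m.group(2)  # keep non-literal expressions as raw text
    return settings

def audit_notebook_config(text: str):
    """Return findings; a reachable notebook with no auth is the RCE exposure described above."""
    s = parse_config(text)
    findings = []
    unauthenticated = s.get("token") == "" and not s.get("password")
    exposed = s.get("ip", "localhost") not in LOCAL_ADDRESSES  # default bind is localhost
    if unauthenticated:
        findings.append("no authentication: token disabled and no password hash set")
    if exposed:
        findings.append(f"bound to non-local address ip={s.get('ip')!r}")
    if s.get("allow_origin") == "*":
        findings.append("allow_origin='*' lets any website script the kernel of a logged-in user")
    if unauthenticated and exposed:
        findings.insert(0, "CRITICAL: unauthenticated remote code execution exposure")
    return findings

# Constructed configs (not from any incident): the weak one is the exposed, tokenless
# setup this technique relies on; the hardened one stays local and requires a password.
WEAK_CONFIG = """
c.NotebookApp.ip = '0.0.0.0'
c.NotebookApp.token = ''
c.NotebookApp.allow_origin = '*'
"""
HARDENED_CONFIG = """
c.NotebookApp.ip = '127.0.0.1'
c.NotebookApp.open_browser = False
# hashed password made with jupyter's passwd() helper; the value here is a placeholder
c.NotebookApp.password = 'argon2:$argon2id$PLACEHOLDER'
"""
```

Run `audit_notebook_config(open(path).read())` over each discovered config as part of the configuration audit the Detection Methods section calls for; an unset `token` is treated as safe because Jupyter then generates a random one.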
## Related Tools/Techniques
- Exploiting Unpatched Apache Solr
***
# Technique: Exploiting Unpatched Apache Solr
## Overview
Attackers gained access by exploiting known vulnerabilities in unpatched versions of Apache Solr (specifically v8.1.1 was mentioned) on cloud workloads, leading to compromise and subsequent cryptomining deployment.
## Technical Details
- Type: Technique (Initial Access/Exploitation)
- Platform: Systems running Apache Solr v8.1.1.
- Capabilities: Achieving initial compromise/RCE.
- First Seen: Summer 2023 (in context of these incidents).
## MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- Apache Solr vulnerabilities are often leveraged via this technique.
## Functionality
### Core Capabilities
- Exploiting software flaws to gain initial foothold.
## Indicators of Compromise
- Behavioral Indicators: Request patterns or payloads indicative of exploiting the specific Apache Solr vulnerability.
## Associated Threat Actors
- Opportunistic Threat Actors (Kinsing, z0Miner campaigns)
## Mitigation Strategies
- Timely patching of all public-facing applications, particularly Apache Solr.
## Related Tools/Techniques
- Exploiting Open Jupyter Notebooks
***
# Tool/Technique: tmate
## Overview
Tmate is a legitimate, open-source remote-sharing and terminal-collaboration service. Attackers abuse it to maintain access, keep shell sessions alive, and potentially conduct reverse-SSH tunneling on compromised resources.
## Technical Details
- Type: Tool (Remote Access/Backdoor Maintenance)
- Platform: Linux
- Capabilities: Real-time terminal sharing, maintaining active sessions.
- First Seen: Not specified in context.
## MITRE ATT&CK Mapping
- T1048 - Exfiltration Over Alternative Protocol (Relevant if used for tunneling)
- T1219 - Remote Access Software (As abuse of legitimate software)
## Functionality
### Core Capabilities
- Maintaining a persistent, active shell session on the compromised host to maximize miner execution time.
## Indicators of Compromise
- Behavioral Indicators: Execution of the `tmate` binary followed by connections to known tmate infrastructure or unexpected session establishment.
## Associated Threat Actors
- Opportunistic Threat Actors (newhello, CCminer, Notebooks incidents)
## Mitigation Strategies
- Strict monitoring and whitelisting of remote access tools allowed on the environment.
- Restricting processes that can initiate outbound connections to remote collaboration services.
## Related Tools/Techniques
- ngrok
***
# Tool/Technique: PRoot
## Overview
PRoot is a user-space implementation of `chroot`. Threat actors use it to run software inside an environment with an altered root directory without needing superuser privileges, which isolates their tooling from the host's normal filesystem view and can aid persistence or evasion.
## Technical Details
- Type: Tool (Defense Evasion/Privilege Escalation Support)
- Platform: Linux
- Capabilities: Creating isolated chroot-like environments without root permissions.
- First Seen: Not specified in context.
## MITRE ATT&CK Mapping
- No technique ID is given; the relevant tactic is Defense Evasion (presenting an altered view of the filesystem to the processes run inside it).
## Functionality
### Core Capabilities
- Running processes in a simulated, isolated filesystem environment.
## Indicators of Compromise
- Behavioral Indicators: Execution of the `PRoot` binary followed by file access anomalies within the simulated environment.
## Associated Threat Actors
- Opportunistic Threat Actors (newhello, Notebooks incidents)
## Mitigation Strategies
- Monitoring for use of isolation tools like `PRoot` by non-standard users.
## Related Tools/Techniques
- udocker
***
# Tool/Technique: ngrok
## Overview
Ngrok is a legitimate tool used to create secure public endpoints (tunnels) to services running locally. Attackers abuse it to expose internal services or create external listeners/reverse shells on compromised resources, often to facilitate C2 or persistence.
## Technical Details
- Type: Tool (Command and Control/Remote Access)
- Platform: Cross-platform (used on Linux hosts here)
- Capabilities: Creating secure tunnels from the internal network to the internet.
- First Seen: Not specified in context.
## MITRE ATT&CK Mapping
- T1090 - Proxy (Often used for establishing C2 communication channels)
## Functionality
### Core Capabilities
- Bypassing perimeter defenses by exposing a local port (like a shell or C2) to the public internet via a tunnel.
## Indicators of Compromise
- Network Indicators: Outbound traffic establishing connections to known ngrok infrastructure.
## Associated Threat Actors
- Opportunistic Threat Actors (Notebooks incident)
## Mitigation Strategies
- Restricting the execution of tunneling and port-forwarding tools like ngrok.
- Monitoring for unexpected listening ports opened via these tools.
## Related Tools/Techniques
- tmate
***
# Tool/Technique: Kinsing Malware (Associated Components)
## Overview
Kinsing is a type of malware often associated with cryptomining, deployed via exploitation (in this case, unpatched Apache Solr). The malware uses various components, including shell scripts for deployment and persistence, and ultimately utilizes an XMRig variant for mining.
## Technical Details
- Type: Malware Family (Cryptominer/Loader)
- Platform: Linux
- Capabilities: Initial malware delivery, deployment of an UPX-packed miner, persistence mechanisms.
- First Seen: Not specified in context.
## MITRE ATT&CK Mapping
- T1496 - Resource Hijacking
- T1053.003 - Scheduled Task/Job: Cron (Via `cron.sh`)
## Functionality
### Core Capabilities
- Delivery and execution of cryptomining payload.
- Use of spreading scripts (`spre.sh`).
### Advanced Features
- Use of UPX-packed miners (`Kdevtmpfsi`).
- Implementation of cron job persistence (`cron.sh`).
## Indicators of Compromise
- File Hashes:
  - Initial script (`s.sh`): `ff8c38f871c789b000235a8f05ba5c936da8e6f1`
  - Spreader script (`spre.sh`): `4b75893b143d23ee720c1931281ebf1b14b03e8b`
  - Miner (`Kdevtmpfsi` unpacked): `ed57d213d1e958d639a8de927ccbbcb431d72eae`
  - Persistence script (`cron.sh`): `e691317c172593f0048113e590ae7b9f711a44ad`
- Network Indicators:
  - C2: `Vocaltube[.]ru`, `185[.]154.53.140`, `185[.]221.154.208`
  - Hosting IPs: `194[.]87.252.159`, `185[.]122.204.197`, `31[.]184.240.34`
  - Wallet: `44MtPEErzyDNHfggtup49m4zwGm7zjYp5jWKWRc3go6LN5fxetsHtVhdEetL9jhZedNAwG7YGLpR1azK5Ch69cdGPgVj5wA`
## Associated Threat Actors
- Kinsing group/associated actors
## Detection Methods
- Hunting for the specific hash values and network indicators listed.
- Detecting process execution chains involving shell script execution leading to UPX-packed binaries.
## Mitigation Strategies
- Immediate patching of Solr.
- Implementing strong integrity checks on system files, especially `/etc/cron*` directories.
## Related Tools/Techniques
- Cloud Hopper (General exploitation theme)
***
# Tool/Technique: z0Miner (Associated Components)
## Overview
z0Miner is another cryptominer identified in attacks exploiting unpatched Apache Solr. It deploys its mining payload using various scripts designed to run XMRig variants against BitcoinTalk pools.
## Technical Details
- Type: Malware Family (Cryptominer/Loader)
- Platform: Linux
- Capabilities: Exploiting Solr for initial access, deploying XMRig variant (`solrd`) to mine.
- First Seen: Summer 2023 (in context of these incidents).
## MITRE ATT&CK Mapping
- T1496 - Resource Hijacking
- T1190 - Exploit Public-Facing Application (via Solr)
## Functionality
### Core Capabilities
- Deployment of XMRig miner disguised as `solrd`.
- Use of initialization and dropper scripts (`solr.sh`, `sorlb`).
## Indicators of Compromise
- File Hashes:
  - Dropper script (`sorlb`): `a6e1414849d9ffa13ff49c6ba5a97ccc47b91051`
  - Init script (`solr.sh`): `5fc34a89d873a09b325adee825fbc869a2bc05b3`
  - Miner (`solrd`): `430e3d3bb3a4ebf30b9345b8fc7a2a6cf69ba8a8`
- Network Indicators:
  - Hosting IP:Port: `175.118.126[.]65:8002`
  - Pool: `pool.supportxmr.com`
  - Wallet: `44Lu9jhKUuTVcSwGL1jLU6MKyFVNewBdL5mT13fjxLhFTSa5i6E5hMrAv1SmH16NYvc51GY6RnvQSKM4CDFFRov68aRFgYi`
## Associated Threat Actors
- Opportunistic Threat Actors (z0Miner campaigns)
## Detection Methods
- Signature matching on script hashes and miner binary hash.
- Network monitoring for connections to `175.118.126[.]65:8002`.
## Mitigation Strategies
- Patch Apache Solr immediately.
- Monitor file system for newly created suspicious shell scripts in system directories.
## Related Tools/Techniques
- XMRig
- Exploiting Unpatched Apache Solr