A cryptojacking campaign, believed to have originated from Romania, has been identified as targeting Linux machines. This campaign, dubbed Color1337, leverages a botnet to mine Monero and the botnet can propagate itself to other machines across the network.
Know more about the campaign
Researchers from the cybersecurity company Tehtris detected the attacks in a honeypot they operate in France, running Ubuntu 22.04.
It is believed that the attackers, calling themselves ElPatrono1337, used an SSH brute-force attack to gain initial access to the targeted network.
A shell script, called uhQCCSpB, gets downloaded from the attacker-controlled infrastructure and is executed on the infected machine.
It is a modified version of the bot known as Linux.MulDrop.14 (also detected as UNIX_PIMINE.A).
The Linux.MulDrop.14 bot, originally designed to target Raspberry Pi devices, has been modified by the attackers to target other IoT devices.
Fast and slow approach
Upon execution, the uhQCCSpB script allows attackers to execute additional commands on the infected machine.
It first kills any other miner malware already running on the infected machine to free up resources. The script then checks how many processing cores the machine has.
If the machine has more than four cores, it goes with the FastAndSteady function that installs the Monero miner diicot, optimized to leverage the infected machine’s resources for cryptomining.
In case the number of cores is four or fewer, it goes with the SlowAndSteady function, which attempts to infect other machines connected to the network.
Furthermore, the attackers collect exfiltrated data through Discord's webhook feature: the script sends POST requests to an attacker-controlled Discord webhook, which records details such as the default credentials of compromised devices.
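Two of the behaviours described above, SSH brute-forcing for initial access and exfiltration over Discord webhooks, are visible in ordinary host and egress logs. The following added detection helpers (not code from the Tehtris report or the campaign itself) run over constructed sshd and proxy log lines; all host names, IPs and the webhook URL are made up for the example.

```python
"""Detection helpers for two Color1337 behaviours: SSH brute-force initial
access and exfiltration via Discord webhooks. All log lines are constructed."""
import re
from collections import defaultdict

# Constructed auth.log-style sshd lines (hypothetical host and IPs).
AUTH_LOG = """\
Mar 10 12:00:01 honeypot sshd[1201]: Failed password for root from 198.51.100.23 port 41022 ssh2
Mar 10 12:00:02 honeypot sshd[1202]: Failed password for root from 198.51.100.23 port 41023 ssh2
Mar 10 12:00:02 honeypot sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 41024 ssh2
Mar 10 12:00:03 honeypot sshd[1204]: Failed password for pi from 198.51.100.23 port 41025 ssh2
Mar 10 12:00:03 honeypot sshd[1205]: Failed password for root from 198.51.100.23 port 41026 ssh2
Mar 10 12:00:04 honeypot sshd[1206]: Accepted password for root from 198.51.100.23 port 41027 ssh2
Mar 10 12:05:00 honeypot sshd[1300]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

# Constructed egress proxy lines: "client method url status" (webhook token is a placeholder).
PROXY_LOG = """\
192.0.2.50 POST https://discord.com/api/webhooks/1234567890/EXAMPLE_TOKEN 204
192.0.2.50 GET https://archive.ubuntu.com/ubuntu/dists/jammy/InRelease 200
192.0.2.51 GET https://discord.com/channels/@me 200
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+) port")
# Only POSTs to the webhook API path count; normal Discord browsing is ignored.
WEBHOOK_RE = re.compile(r"^(\S+) POST https://discord(?:app)?\.com/api/webhooks/", re.M)


def brute_force_then_success(log, threshold=5):
    """Return (source_ip, user, failures) for sources whose password login
    succeeded after at least `threshold` failed password attempts."""
    failures = defaultdict(int)
    hits = []
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            hits.append((m.group(2), m.group(1), failures[m.group(2)]))
    return hits


def discord_webhook_posts(log):
    """Return the client IPs that POST to Discord's webhook API."""
    return sorted(set(WEBHOOK_RE.findall(log)))
```

A single password success following a burst of failures from one source, or any server posting to a Discord webhook, is a useful triage signal on hosts that should not be doing either.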
Concluding notes
Color1337 is a simple yet exemplary cryptojacking threat. It stands as another example of the threats that arise from the use of simple or default passwords on IoT devices. Moreover, it uses Discord features to hide its malicious traffic, making it difficult to monitor and track. This further highlights the importance of regularly monitoring and assessing exposed resources and network traffic for malicious activity.