date 2022-10-27

A cryptojacking campaign was recently discovered. Cyber security firm CrowdStrike dubbed the campaign Kiss-a-dog; its command-and-control infrastructure overlaps with that of other groups such as TeamTNT, known to hit Docker and Kubernetes instances when they are misconfigured.

Cryptojacking: what it means and how this campaign works

In English, hijacking means nothing more than a forced takeover, by analogy with the hijacking of aircraft.

It is easy to see that this is about “hijacking” cryptocurrency to somewhere else: hence the word “cryptojacking”.

That said, the intrusions were identified in September 2022 and are named after a domain, “kiss.a-dog[.]top”, used to trigger a shell-script payload on the compromised container via a Base64-encoded Python command.

“The URL [that was] used in the payload was obscured with backslashes to defeat automated decoding and regex matching to recover the malicious domain,” CrowdStrike researcher Manoj Ahuje said in a technical analysis.

The attack chain then attempts to evade the “defense” mechanisms and move laterally within the compromised network, while simultaneously taking steps to terminate and remove cloud monitoring services (hence “cryptojacking”, i.e. “crypto-hijacking”).

Other methods used to evade detection include the Diamorphine and libprocesshide rootkits, which hide malicious processes from the user; the latter is compiled as a shared library and its path is set as the value of the LD_PRELOAD environment variable.

“This allows the bad guys [hackers] to insert malicious shared libraries into every process generated on a compromised container,” Ahuje adds.
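As an added, illustrative detection helper (not CrowdStrike's code and not the campaign's payload), the Python below decodes a Base64-encoded `python -c` command line, strips the backslash obfuscation described above so a URL regex can recover the domain, and flags an LD_PRELOAD value in a container process's environment; the command line, the inert payload and the `/tmp/libprocesshide.so` path are constructed for the example.

```python
"""Added detection helper (not CrowdStrike's code): decode a Base64-encoded
`python -c` payload from a container command line, strip the backslash
obfuscation that defeats naive URL regexes, and flag the article's domain
plus any LD_PRELOAD value. All sample input is constructed and inert."""
import base64
import re

WATCHLIST = {"kiss.a-dog[.]top"}  # as printed (defanged) in the article
B64_ARG_RE = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def decode_embedded_b64(cmdline):
    """Decoded text of every Base64 literal passed to b64decode()."""
    out = []
    for m in B64_ARG_RE.finditer(cmdline):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out

def deobfuscate(text):
    r"""Drop backslashes inserted to break regexes: http:\/\/a\.b -> http://a.b"""
    return text.replace("\\", "")

def extract_domains(text):
    """Hostnames from URLs in text, matched only after de-obfuscation."""
    return {m.group(1).lower() for m in URL_RE.finditer(deobfuscate(text))}

def analyze(cmdline, env):
    """Findings for one container process: watchlisted domains at any
    encoding layer, and LD_PRELOAD (the article ties it to libprocesshide)."""
    findings = []
    watch = {d.replace("[.]", ".") for d in WATCHLIST}  # refang for matching
    for layer in [cmdline] + decode_embedded_b64(cmdline):
        for domain in sorted(extract_domains(layer) & watch):
            findings.append(f"contacts watchlisted domain {domain}")
    if env.get("LD_PRELOAD"):
        findings.append(f"LD_PRELOAD set to {env['LD_PRELOAD']}")
    return findings

# Constructed sample: a harmless echo of a backslash-obfuscated URL, wrapped
# the way the article describes (Base64 inside a python -c command).
SAMPLE_PAYLOAD = r"echo http:\/\/kiss.a-dog.top\/x"
SAMPLE_CMDLINE = "python3 -c \"import base64;exec(base64.b64decode('%s'))\"" % (
    base64.b64encode(SAMPLE_PAYLOAD.encode()).decode())

if __name__ == "__main__":
    # The LD_PRELOAD path is a hypothetical value for the demo.
    print(analyze(SAMPLE_CMDLINE, {"LD_PRELOAD": "/tmp/libprocesshide.so"}))
```

Note that `URL_RE` alone finds nothing in the obfuscated payload; only after `deobfuscate` does the domain surface, which is the evasion the article describes.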

The campaign’s ultimate goal is to stealthily mine cryptocurrency using the XMRig mining software, as well as Redis and Docker instances, which ultimately serve as nothing more than backdoors for mining and potential follow-on attacks (similar to attacks seen recently).

“As cryptocurrency prices have fallen, these campaigns have been dampened over the past two months, until more campaigns were launched in October to take advantage of an uncompetitive environment,” Ahuje later added.

The findings also come as Sysdig researchers uncovered another sophisticated cryptocurrency mining operation, dubbed PURPLEURCHIN, which takes advantage of the compute allocated to free-trial accounts on GitHub, Heroku and Buddy.

In short, these actors carry out cryptojacking attacks (and more) on a large scale.

It is estimated that up to 30 GitHub accounts, 2,000 Heroku accounts and 900 Buddy accounts were used in the automated freejacking campaign.

The attack involves creating GitHub accounts controlled by the main author (the “head” hacker, so to speak), each containing a repository that, in turn, has a GitHub Action that performs mining by launching a Docker Hub image.

“The use of free accounts shifts the cost of running cryptominers to the service provider,” the researchers said. “However, as with many fraud use cases, abuse of free accounts can affect others [users]. Higher costs for the provider will lead to higher prices for its legitimate customers.”

What does all this mean, in simple terms?

Remember those people who, a few years ago on YouTube, showed off their supercomputers full of NVIDIA GTX 1080 Ti cards so they could mine?

That computer “mines” cryptocurrency.

Now imagine that these miners, instead of finding the cryptocurrency in their own wallet, end up, through these “hijacking” tricks (cryptojacking), not with a full wallet but with their money moved who knows where, because it was hijacked.

In practice, some people who decided to “mine” cryptocurrency may find that their money is “taken” somewhere else (literally a hijack), wasting a lot of electricity and resources. That’s all.