Through Cisco Talos’ investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. However, closer analysis revealed that a spate of illicit mining activity over the past year could be attributed to several actors that have netted them hundreds of thousands of U.S. dollars combined.
This blog examines these actors’ recent campaigns, connects them to other public investigations and examines commonalities among their toolsets and methodologies.
We will cover the recent activities of these actors:
- Rocke — A group that employs Git repositories, HTTP File Servers (HFS), and Amazon Machine Images in their campaigns, as well as a myriad of different payloads, and has targeted a wide variety of servers, including Apache Struts 2, Jenkins and JBoss.
- 8220 Mining Group — Active since 2017, this group leverages Pastebin sites, Git repositories and malicious Docker images. The group targets Drupal, Hadoop YARN and Apache Struts 2.
- Tor2Mine — A group that uses tor2web to deliver proxy communications to a hidden service for command and control (C2).
These groups have used similar TTPs, including:
- Malicious shell scripts masquerading as JPEG files with the name “logo*.jpg” that install cron jobs and download and execute miners.
- The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim’s architecture.
- Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts 2, Oracle WebLogic and Drupal.
- Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.
- Tools such as XHide Process Faker, which can hide or change the name of Linux processes and PyInstaller, which can convert Python scripts into executables.
We were also able to link these groups to other published research that had not always been linked to the same actor. These additional campaigns demonstrate the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in.
The recent decline in the value of cryptocurrency is sure to affect the activities of these adversaries. For instance, Rocke began developing destructive malware that posed as ransomware, diversifying their payloads as a potential response to declining cryptocurrency value. This was a trend that the Cyber Threat Alliance had predicted in their 2018 white paper on the illicit cryptocurrency threat. However, activity on Git repositories connected to the actors demonstrates that their interest in illicit cryptocurrency mining has not completely abated. Talos published separate research today covering this trend.