A new report has highlighted how cryptojackers have been targeting Linux devices to install malware that mines Monero.
The report comes from the JASK ‘Autonomous Security Operations Center’ (ASOC) platform.
The JASK ASOC platform automates the correlation and analysis of threat alerts. In doing so, it surfaces high-priority threats, streamlines investigations and aims to deliver much faster response times.
Its special operations (SpecOps) team has unearthed a group that is targeting exposed Linux servers for “broad propagation and revenue generation through illicit cryptomining on abused infrastructure.”
The report claims the group known as ‘Outlaw’ is behind the attempts, though no official proof has been provided.
Reportedly, in late November 2018, a secure shell (SSH) brute force campaign succeeded on “multiple internet facing Linux devices within the victim’s demilitarised zones (DMZ) infrastructure.”
After the infection, JASK discovered several payloads being delivered to the victims. The payloads included the cryptomining tools used by the perpetrators.
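The attack chain described above (password guessing over SSH until one login succeeds, then payload delivery) leaves a recognisable trace in a Linux host's authentication log: a burst of "Failed password" events from one source address followed by an "Accepted" login from the same address. The following detection script is an added example and is not part of the JASK report or the Outlaw toolset; the log lines it scans are constructed OpenSSH-style entries, and the hostname, addresses, usernames and the five-failures-in-ten-minutes threshold are assumptions chosen for illustration.

```python
"""Flag SSH logins that succeed shortly after a burst of failed passwords.

Added example (not from the JASK report). Scans OpenSSH auth-log lines and
reports each accepted login preceded by at least `threshold` failed password
attempts from the same source IP within `window_seconds`.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Failed password ..." / "Accepted password|publickey ..." lines
# that OpenSSH writes to syslog. The trailing key fingerprint on publickey
# lines is intentionally not anchored so real entries still match.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample input: hostname, addresses and users are made up.
SAMPLE_LOG = """\
Nov 27 03:12:01 dmz-web1 sshd[2104]: Failed password for root from 198.51.100.23 port 51022 ssh2
Nov 27 03:12:03 dmz-web1 sshd[2106]: Failed password for root from 198.51.100.23 port 51024 ssh2
Nov 27 03:12:05 dmz-web1 sshd[2108]: Failed password for invalid user admin from 198.51.100.23 port 51026 ssh2
Nov 27 03:12:07 dmz-web1 sshd[2110]: Failed password for root from 198.51.100.23 port 51028 ssh2
Nov 27 03:12:09 dmz-web1 sshd[2112]: Failed password for root from 198.51.100.23 port 51030 ssh2
Nov 27 03:12:40 dmz-web1 sshd[2119]: Accepted password for root from 198.51.100.23 port 51040 ssh2
Nov 27 03:13:10 dmz-web1 sshd[2130]: Failed password for deploy from 203.0.113.7 port 40100 ssh2
Nov 27 03:13:25 dmz-web1 sshd[2131]: Accepted password for deploy from 203.0.113.7 port 40102 ssh2
Nov 27 03:20:00 dmz-web1 sshd[2150]: Accepted publickey for ops from 10.0.0.5 port 39000 ssh2
"""


def parse_line(line):
    """Parse one sshd line into (timestamp, result, user, ip); None if it is
    not a login outcome (e.g. session open/close or unrelated daemons)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used below.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def find_brute_force_logins(lines, threshold=5, window_seconds=600):
    """Return a list of (ip, user, failure_count) for every accepted login
    that was preceded by >= threshold failed attempts from the same IP
    within window_seconds. Assumed defaults: 5 failures in 10 minutes."""
    failures = defaultdict(list)  # ip -> timestamps of failed attempts
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            failures[ip].append(ts)
            continue
        # An accepted login: count only the failures inside the window.
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            hits.append((ip, user, len(recent)))
        failures[ip].clear()  # a success closes that source's burst
    return hits


if __name__ == "__main__":
    for ip, user, n in find_brute_force_logins(SAMPLE_LOG.splitlines()):
        print(f"likely brute-forced login: {user}@{ip} after {n} failures")
```

In the constructed sample only 198.51.100.23 trips the rule (five failures, then a root login 31 seconds later); the single failed attempt from 203.0.113.7 and the key-based login from 10.0.0.5 are left alone. On a real DMZ host the same logic would normally run against `/var/log/auth.log` or `journalctl -u ssh`, and a hit from an internet-facing address is exactly the moment to look for the follow-on payloads the report describes.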
The analysis conducted by the SpecOps team led JASK to conclude that the host machines fell victim to an “opportunistic” attack “likely sponsored by the Outlaw group.”
It believes the Outlaw group could be involved due to its involvement with “several recent shellbot and cryptocurrency mining and SSH brute force campaigns,” and because of the similarity in the type of malware used between the campaigns.
The report states that the perpetrators have created “an easily liquidated revenue stream through the use of XMR-Stak, a highly configurable Monero (XMR) miner,” which is becoming increasingly “common with financially motivated campaigns.”
Passive domain name system (DNS) data for the virtual private server (VPS) analysed by JASK shows it hosting a number of domains that resemble video game servers, such as Minecraft.
JASK believes this indicates the campaign actors have been building their own mining pool infrastructure as opposed to tapping into publicly available ones.
The news that Monero is being mined by cryptojackers shouldn’t come as too much of a surprise. Recently, it was revealed that 4.3% of all Monero in circulation had been mined through cryptojacking.