Blog
A Rare Look Inside a Cryptojacking Campaign and its Profit
Linux threats are becoming more frequent and a more common type of Linux threat is cryptojacking, which is the unauthorized use of an IT system for the purpose of mining cryptocurrency. While cryptominers are well-documented, it’s not often that you get an inside look. It’s rare to see the dashboard of the wallets being used in an active cryptojacking campaign with dozens of victims, as well as the attacker’s profit margin.
January 13, 2021
Early Bird Catches the Worm: New Golang Worm Drops XMRig Miner on Servers
In early December, we discovered a new, undetected worm written in Golang. This worm continues the popular 2020 trend of multi-platform malware developed in Golang. The worm attempts to spread across the network in order to run XMRig Miner on a large scale. The malware targets both Windows and Linux servers and can easily maneuver from one platform to the other. It targets public facing services; MySQL, Tomcat admin panel and Jenkins that have weak passwords. In an older version, the worm has also attempted to exploit WebLogic’s latest vulnerability: CVE-2020-14882.
December 29, 2020
A Zebra in Gopher’s Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy
Summary In November, we uncovered COVID-19 phishing lures that were used to deliver the Go version of Zebrocy. Zebrocy is mainly used against governments and commercial organizations engaged in foreign affairs. The lures consisted of documents about Sinopharm International Corporation—a pharmaceutical company that COVID-19 vaccine is currently going through phase three clinical trials—and an impersonated evacuation letter from Directorate General of Civil Aviation. The lure was delivered as part of a Virtual Hard Drive (VHD) file that requires victims to use Windows 10 to access the files. While the malware samples were heavily obfuscated, it was possible to attribute them to the Sofacy threat actor since they shared genomes with samples used in previous campaigns.
December 9, 2020
Stantinko's Proxy After Your Apache Server
Intro It is common for threat actors to evolve their Linux malware. BlackTech with their new ELF_PLEAD malware and Winnti’s PWNLNX tool are recent examples. On par with this trend, we have discovered a new version of a Linux proxy trojan related to Stantinko group. The malware has just one detection in VirusTotal at the time of this publication. Stantinko group is known for targeting Windows operating systems with ongoing campaigns dating back to 2012. The group’s malware mainly consists of coin-miners and adware botnets.
November 24, 2020
A Storm is Brewing: IPStorm Now Has Linux Malware
UPDATE NOVEMBER 2023: IPStorm Infrastructure Dismantled by FBI The FBI today revealed US law enforcement’s dismantlement of a botnet proxy network, along with a guilty plea for the individual responsible for the botnet infrastructure which was associated with the IPStorm malware. This achievement is a significant milestone in ongoing efforts to combat cyber threats. The research team at Intezer assisted in the FBI’s case, sharing our findings and analysis about the new IPStorm malware variants and capabilities as it expanded to infect Linux, Mac, and Android devices around the world.
October 1, 2020
Advanced Pasta Threat: Mapping Malware Use of Open Source Offensive Security Tools
The term Offensive Security Tool, also known as OST, is a controversial subject within the InfoSec community. It often sparks fierce debate with both sides of the argument weighing in on how the uncontrolled publication of offensive security capabilities should be treated. On one side of the argument, typically held by more defense-oriented people, the free publication of OSTs is detrimental because it arms adversaries with free offensive capabilities and misses opportunities to exact development costs from threat actors.
September 30, 2020
Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks
Introduction TeamTNT is a cybercrime group that targets cloud environments including Docker and Kubernetes instances. The group has been previously documented using several tools including crypto-miners and Amazon Web Services (AWS) credential stealing worms. TeamTNT has also been spotted using a malicious Docker image which can be found on Docker Hub to infect its victims’ servers. Now the group is evolving. In a recent attack observed by Intezer, TeamTNT uses a new technique by abusing Weave Scope, a trusted tool which gives the user full access to their cloud environment and is integrated with Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS), and AWS Elastic Compute Cloud (ECS). The attackers install this tool in order to map the cloud environment of their victim and execute system commands without deploying malicious code on the server.
September 8, 2020
Watch Your Containers: Doki Infecting Docker Servers in the Cloud
Key Findings Ngrok Mining Botnet is an active campaign targeting exposed Docker servers in AWS, Azure, and other cloud platforms. It has been active for at least two years. We have detected a recent attack which includes a completely undetected Linux malware and a previously undocumented technique, using a blockchain wallet for generating C&C domain names. Anyone with publicly open Docker API access is at high risk to be hacked within the span of just a few hours. This is probable due to the hackers' automated and continuous internet-wide scanning for vulnerable victims. The new malware, dubbed “Doki”, hasn’t been detected by any of the 60 malware detection engines in VirusTotal since it was first analyzed on January 14, 2020. The attacker is using the infected victims to search for additional vulnerable cloud servers. Introduction Linux threats are becoming more common. A contributing factor to this is the increasing shift and reliance on cloud environments, which are mostly based on Linux infrastructure. Hence, attackers have been adapting accordingly with new tools and techniques designed specifically for this infrastructure.
July 28, 2020
Kaiji: New Chinese Linux malware turning to Golang
It is not often that you see a botnet’s tooling written from scratch. The Internet of things (IoT) botnet ecosystem is relatively well-documented by security specialists. New threat actors are generally discovered quickly due to the inherent noise caused by DDoS operations, both in terms of infecting new machines and conducting operations. Simply, it is difficult to hide such overt activities. Most DDoS actors do not invest resources in creating custom tooling, unless they require specific capabilities, and resort to using well-known botnet implants (e.g. Mirai, BillGates).
May 4, 2020
Fantastic payloads and where we find them
Attackers have long used evasion features in their malware to avoid detection by security products and analysis systems. One of the most common anti-analysis tricks we have seen in today’s Windows malware is the use of packers. Packers often complicate the analysis and detection of binary files by hiding the malware’s real code and data; often referred to as the payload. The most common solution to overcome packing is the use of dynamic analysis (sandboxes) and emulation systems. However, as these solutions have become more mainstream, packers have started to incorporate new anti-analysis methods to both detect and evade these systems.
March 30, 2020