Ongoing Autom Cryptomining Malware Attacks Using Upgraded Evasion Tactics

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,767
An ongoing crypto mining campaign has upgraded its arsenal while adding new defense evasion tactics that enable the threat actors to conceal the intrusions and fly under the radar, new research published today has revealed.

Since first detected in 2019, a total of 84 attacks against its honeypot servers have been recorded to date, four of which transpired in 2021, according to researchers from DevSecOps and cloud security firm Aqua Security, who have been tracking the malware operation for the past three years. That said, 125 attacks have been spotted in the wild in the third quarter of 2021 alone, signaling that the attacks have not slowed down.

Initial attacks involved executing a malicious command upon running a vanilla image named "alpine:latest" that resulted in the download of a shell script named "autom.sh."

"Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use," the researchers said in a report shared with The Hacker News. "Over the years, the malicious command that was added to the official image to carry out the attack has barely changed. The main difference is the server from which the shell script autom.sh was downloaded."

The shell script initiates the attack sequence, enabling the adversary to create a new user account under the name "akay" and upgrade its privileges to a root user, using which arbitrary commands are run on the compromised machine with the goal of mining cryptocurrency.