CTI Roundup: Linux Servers Target of New Malware Campaign

First in this week’s roundup, CTI looks at a new Linux malware campaign that is targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, and Redis. Next, CTI explains how ransomware actors are leveraging a growing list of data exfiltration tools in their attacks. Finally, CTI breaks down the top cloud-related threat findings from the end of 2023.

1. Linux malware campaign targets misconfigured servers

A new Linux malware campaign has been discovered targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, and Redis. The campaign leverages previously unreported payloads while taking advantage of common misconfigurations and exploiting a Confluence CVE to carry out remote code execution (RCE) attacks.

Cado discovered this campaign after they found a cluster of initial access activity on a Docker Engine API honeypot. This activity involved a Docker command that spawned a new container based on Alpine Linux and created a bind mount for the honeypot’s root directory within the container.

In this campaign, the threat actor wrote an executable to “/usr/bin/vurl” and registered a Cron job to decode and execute some encoded shell commands. For redundancy, the threat actor wrote an additional Cron job to obtain another payload if the first method failed. Researchers were not able to obtain this additional payload.

The primary payload

The primary payload in this campaign is a straightforward shell script. It begins by defining the C2 domain where the additional payloads are held. It then checks for the existence of the chattr utility and renames it to zzhcht if found. If this utility is not found, it will install one. Lastly, this shell script will check if the current user is rooted and will choose its next payload based on that answer.

Additional scripts

• Ar.sh: This shell script sets the machine up for additional compromise by performing anti-forensics and retrieving additional payloads. This script will disable “firewalld” and
  “iptables,” delete shell history, disable SELinux, and add public DNS servers to /etc/resolv.conf to make sure that its outbound DNS requests are successful. The script will also use “shopt” to prevent shell commands from being included to the history file and to make analysis more difficult. Next, the script will install rootkits to hide their processes and will uninstall monitoring agents for Alibaba Cloud and Tencent.

Additional features for this script can be found in Cado Security’s report.

• Fkohts: This is the first of several Golang ELFs deployed by the malware. This will search for and delete Docker images and will update the “/etc/hosts” file.
• S.sh: This is the next stage in the infection chain and another shell script. S.sh will download additional payloads and persist them on the host.
• Initial access and spreader utilities: h.sh, d.sh, c.sh, and w.sh, are all retrieved in the previous stage. These executables will identify and exploit hosts running Apache Hadoop, Docker, Redis, and Confluence, respectively.

Analyst comments from Tanium’s Cyber Threat Intelligence team

As Cado Security points out, it’s clear that “attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services, and using this knowledge to gain a foothold in target environments.”

This really puts into perspective how much time threat actors are willing to dedicate to ensure their campaigns are as successful as possible. It also reiterates that if threat actors are paying close attention to reported vulnerabilities and staying up to date with technologies, we all should be as well.

Get proactive about security and protection with Tanium Guardian.

2. Ransomware actors diversify their data exfiltration tools

Ransomware actors are leveraging a growing list of data exfiltration tools in their attacks. Over just the last three months, Symantec has observed at least a dozen different tools being used for data exfiltration. These tools include some malware but overwhelmingly dual-use legitimate software for malicious activities.

A closer look at the data exfiltration tools

Of the twelve tools observed by Symantec, Rclone remains the most frequently used tool for data exfiltration. The fastest-growing category overall is, unsurprisingly, remote management tools.

• Rclone: This is an open-source tool that is used to manage content in the cloud. It is abused by threat actors to exfiltrate data.
• AnyDesk, ScreenConnect, Atera, and TightNVC: These are legitimate remote desktop/remote monitoring tools that can be used to obtain access to a victim’s computer.
• RDP: This protocol enables a computer to control another device. Threat actors often try to enable this so they can leverage tools that use the RDP protocol.
• Cobalt Strike: This is a commonly used off-the-shelf tool that can be used to “execute commands, inject other processes, elevate current processes, or impersonate other processes, and upload and download files.”
• WinRAR: This archive manager is used to archive/zip files and can be used by a threat actor to prep files for exfiltration.
• Restic: This is an open-source command line backup tool. It is designed to work with multiple platforms and supports storage backends like local directories, Amazon S3, and Azure.
• WinSCP: This is a legitimate SFTP client and FTP client for Windows.
• Pandora RC: Formerly known as eHorus, Pandora RC is a legitimate remote access tool. It has agents for Windows, Linux, and Macs and is leveraged by threat actors to deploy additional tools.
• Chisel: An open-source proxy tool, Chisel creates encrypted tunneled connections. It is abused during ransomware attacks to create these tunnels to a threat actor’s infrastructure to exfiltrate data.

Case study: Rclone

Symantec dove into a RagnarLocker ransomware attack that leveraged Rclone, which threat actors often use to exfiltrate data from a victim’s environment. It is usually installed by the threat actor after initial access. Because it is so frequently used, threat actors have started changing the name of Rclone to appear as something else, like svchost.exe.

An example of this was seen in a RagnarLocker attack last year. This attack triggered an investigation after PowerShell commands were run to disable LSA protections. The actor then ran netscan.exe, another publicly available tool, to discover host names and other network services.

After deploying Mimikatz and LaZagne for credential dumping, the actor used multiple living off-the-land (LotL) tools to collect information and execute commands and enabled RDP for remote access. The actors then pivoted to Rclone to copy data from network shares. Rclone connections were made to various put[.]io URLs for data exfiltration. The attack ended with the deployment of RagarLocker ransomware and the encryption of files.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Threat actors are increasingly leveraging legitimate tools in their attacks to evade detection. As the industry caught on to this trend, threat actors pivoted again to start using lesser-known (or lesser reported on) tools or to change the name of the tools being used.

It can be challenging to monitor the use of legitimate tools and identify instances that are being used maliciously. Symantec has provided some mitigation steps that may be helpful.

3. Cado reveals its top cloud threat findings report for 2H23

Cado Security has released its Cloud Threat Findings report for the second half of 2023. The report seeks to help security teams protect against cloud-focused threat actors and dives into several cloud-based malware campaigns.

Cado Security also ties in data collected from their honeypot infrastructure to their technical findings to depict the current cloud-focused threats.

Attackers have intimate knowledge of cloud services

Based on Cado Security’s data, attackers now possess deep knowledge of cloud services like Docker, Redis, and Jupyter. Cado Security observed Docker-specific knowledge used against their own honeypot and identified threat actors that were trying to escape created containers by mounting the host filesystem. Similarly, they observed threat actors exploiting and abusing Redis.

Docker continues to be a lucrative target

Docker remained the top targeted service for initial access in 2023, accounting for roughly 90% of Cado Security’s honeypot traffic (when discounting SSH).

K8s came in second, accounting for only 7.61%. Cado Security observed several long-running Docker-focused campaigns throughout the year, including two that abused exposed Docker API endpoints to execute malicious code.

Additional findings from Cado’s report

Cado Security observed threat actors continuing to exploit web-facing services in cloud environments like Docker, Redis, Kubernetes, and Jupyter.

Additionally, the majority of cloud and Linux campaigns involved the hijacking of resources for the purpose of mining cryptocurrency. Cryptojacking, however, is no longer the only focus of cloud threat actors. Campaigns are also now hijacking various cloud Simple Mail Transfer Protocol (SMTP) services to execute spam attacks at scale.

Lastly, Cado has observed a trend that many others have reported on which is the increase of Rust and Golang malware that enable developers to compile their code for more than one operating system.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Cado’s reports have become increasingly important, with more and more companies adopting cloud technologies.

One of the key findings in this report is that attackers are ‘increasingly targeting services, such as Docker, Redis, Kubernetes, and Jupyter, that require expert technical knowledge to exploit, different from what’s required for attacking generic Linux servers.’

This finding alone reveals how sophisticated threat actors are becoming. It also indicates that threat actors are likely investing a large amount of time to understand and develop the skills needed to exploit certain cloud services. That said, threat actors must be seeing an ROI in targeting cloud services.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.