A new malware family, CoinStomp, has been targeting cloud services for mining cryptocurrency. Presently, this malware seems to be focused on cloud service providers in Asia.
About the CoinStomp
- CoinStomp has multiple capabilities, including timestomping, disabling system-wide cryptographic policies, and the use of C2 communication that initiated using a /dev/tcp reverse shell
- The timestamping capability manipulates the timestamps by running the touch command on Linux systems and uses a natively-supported way of creating a reverse shell or C2 communication channel.
- Additionally, some evidence has been observed in code that referenced a cryptojacking threat group, Xanthe. However, the evidence was not sufficient enough to confirm this claim, according to researchers.
Anti-forensic techniques
To prevent forensic actions against itself, the malware tries to tamper with Linux server cryptographic policies.
- These policies are meant to stop malicious executables. Therefore, authors use the kill command to disable system-wide cryptographic policies before its activity.
- Moreover, any attempt by admins to undo that action further ensures that the malware achieves its goals.
- In the next stage, CoinStomp makes a connection to its C2 server using a reverse shell. The script then downloads/executes additional payloads as system-wide system services with root privileges.
- These payloads may include binaries to create backdoors and a custom version of XMRig.
Conclusion
The attackers are removing cryptographic policies to thwart Linux security. The use of such anti-forensic techniques further indicates that attackers are aware of incident response systems as well. These capabilities indicate the knowledge and sophistication of attackers regarding cloud security, which makes it a pertinent threat.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/iStock-491765706.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/c94e_shutterstock_1507725998.jpg)
