A new malware family, CoinStomp, has been targeting cloud services for mining cryptocurrency. Presently, this malware seems to be focused on cloud service providers in Asia.

About the CoinStomp

The observations on CoinStomp have been detailed below.
  • CoinStomp has multiple capabilities, including timestomping, disabling system-wide cryptographic policies, and the use of C2 communication that initiated using a /dev/tcp reverse shell
  • The timestamping capability manipulates the timestamps by running the touch command on Linux systems and uses a natively-supported way of creating a reverse shell or C2 communication channel.
  • Additionally, some evidence has been observed in code that referenced a cryptojacking threat group, Xanthe. However, the evidence was not sufficient enough to confirm this claim, according to researchers.

Anti-forensic techniques

To prevent forensic actions against itself, the malware tries to tamper with Linux server cryptographic policies. 
  • These policies are meant to stop malicious executables. Therefore, authors use the kill command to disable system-wide cryptographic policies before its activity.
  • Moreover, any attempt by admins to undo that action further ensures that the malware achieves its goals.
  • In the next stage, CoinStomp makes a connection to its C2 server using a reverse shell. The script then downloads/executes additional payloads as system-wide system services with root privileges. 
  • These payloads may include binaries to create backdoors and a custom version of XMRig.

Conclusion

The attackers are removing cryptographic policies to thwart Linux security. The use of such anti-forensic techniques further indicates that attackers are aware of incident response systems as well. These capabilities indicate the knowledge and sophistication of attackers regarding cloud security, which makes it a pertinent threat.
Cyware Publisher

Publisher

Cyware