# Alibaba OSS Buckets Compromised to Distribute Malicious Shell Scripts via Steganography **[trendmicro.com/en_us/research/22/g/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-sc.html](https://www.trendmicro.com/en_us/research/22/g/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-sc.html)** July 21, 2022 [Previously, we reported on how threat actors are targeting multiple cloud environments such as Huawei Cloud to](https://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html) host [cryptocurrency-mining malware by abusing misconfiguration issues and weak or stolen credentials obtained](https://www.trendmicro.com/vinfo/tmr/?/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware) from a previous malware infection. [This time, we have identified a malicious campaign using the object storage service (OSS) of Alibaba Cloud (also](https://www.alibabacloud.com/product/object-storage-service) known as Aliyun) for malware distribution and illicit cryptocurrency-mining activities. OSS is a service that allows Alibaba Cloud customers to store data like web application images and backup information in the cloud. Unfortunately, this is not the first time that we’ve seen malicious actors targeting Alibaba Cloud: Earlier this year, [we detailed how malicious actors disabled features inside Alibaba Cloud for cryptojacking purposes.](https://www.trendmicro.com/en_us/devops/22/b/cryptojacking-attacks-target-alibaba-ecs-instances.html) How malicious actors abuse unsecure OSS buckets, credentials To secure an OSS bucket, a user has [to set up a proper access policy. If this is done incorrectly, a malicious user](https://www.alibabacloud.com/help/en/object-storage-service/latest/tutorial-use-ram-policies-to-control-access-to-oss) can upload or download a user’s files to or from the bucket itself. [Malicious actors can also get hold of a user’s OSS bucket by obtaining their AccessKey ID and AccessKey secret](https://www.alibabacloud.com/help/en/log-service/latest/accesskey-pair) or an auth-token. Any of these can be stolen from previously compromised services, particularly those that have secrets accessible as configurations inside plain-text files or environmental variables. Malicious actors can also [obtain access to an OSS bucket by using credential stealers. TeamTNT’s extended credential harvester is a](https://www.trendmicro.com/en_us/research/21/e/teamtnt-extended-credential-harvester-targets-cloud-services-other-software.html) notorious example of a stealer that targeted multiple cloud environments. When we investigated the technical details of this campaign, we saw that one of the shell scripts contained a reference to OSS KeySecret and GitHub. Initially, we assumed that malicious actors simply search for credentials that have been inadvertently pushed into the GitHub public repository. Figure 1. A comment inside a malicious script suggesting that a bad developer practice has been exploited We saw a comment on a malicious script in one of the samples that we analyzed and confirmed our initial assumption after using Google Translate to obtain an English translation of the comment that was originally written in Chinese. ----- Figure 2. The English translation of the comment written inside a malicious script The role of steganography in distributing malware to exploited OSS buckets Upon further investigation, we discovered that malicious actors uploaded images that contained an embedded shell script to the compromised OSS buckets using steganography. Steganography is a technique used by malicious actors to bypass defense mechanisms, especially networkrelated ones. The simplest version of this tactic involves simply changing the extension of the malicious file to a trivial one, such as “.png”. As a result, a security proxy that only looks at a file’s extension would grant access to the malicious file. After this technique was uncovered, cybercriminals were forced to improve their tactics. For example, they started hiding malware in images and videos for obfuscation purposes. Typically, a simple security solution looks at an image file by analyzing its header. If the header matches that of a file type usually considered harmless (like a PNG file), then the solution would grant the file access into a corporation’s network — even if it contains malicious scripts. In the campaign we analyzed, the malicious actors opted to use a simple steganography tactic and embedded malware inside an image file. The PNG image itself is a legitimate image file, but the malicious actors appended a malicious shell script at the end of it. A user would therefore be able to access the image itself without seeing the malicious script attached to the file. Figure 3. The image containing a malicious shell script [As Figure 4 shows, when the command "file" is used, it reads the header of the picture and determines that it is](https://www.man7.org/linux/man-pages/man1/file.1.html) [an image file. Using a tool like "hd" to check the raw content of the file results in the same outcome in which the](https://man7.org/linux/man-pages/man4/hd.4.html) header is considered compatible with that of a PNG file. ----- Figure 4. The PNG header of the downloaded file However, upon downloading the image and doing a closer investigation, we found the embedded malicious shell script. Figure 5. The malicious shell script embedded inside a PNG file [The malware authors used a Unix dd command-line utility program to extract the malicious shell script after the](https://man7.org/linux/man-pages/man1/dd.1.html) download was completed. Because this command is typically used in more advanced tasks, it’s evident that the authors have at least intermediate knowledge of Unix systems. Figure 6. From PNG file to malicious code execution ## Shell scripts target misconfigured Redis instances to mine Monero [We observed that the payload itself illicitly mined Monero using XMRig, an open-source and multiplatform Monero](https://github.com/xmrig/xmrig) miner. The campaign used the xmr-asia1[.]nanopool[.]org pool. The malicious shell scripts also targeted [misconfigured Redis instances, which can be abused to perform remote code execution (RCE). This is similar to](https://www.trendmicro.com/en_us/research/20/d/more-than-8-000-unsecured-redis-instances-found-in-the-cloud.html) [what multiple threat actors involved in a cryptojacking competition (such as TeamTNT and](https://www.trendmicro.com/vinfo/tmr/?/gb/security/news/cybercrime-and-digital-threats/teamtnt-activities-probed) [Kinsing) have done in](https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html) the past. ## Conclusion and Trend Micro solution We are continuously observing how cybercriminals are adapting to new environments and targeting an increasing number of cloud services. As we predict that this will be an enduring trend, we advise cloud users to be aware that in most cases, malicious actors will continue to exploit both misconfiguration issues and design issues in cloud services to easily access authentication tokens ----- Developers should also avoid putting any credentials and secrets into the versioning systems of their favors or pushing them into publicly accessible repositories. Indeed, this investigation is further proof that malicious actors are always actively seeking leaked or exposed credentials. [Security solutions such as Trend Micro Cloud One™ protect cloud-native systems and their various layers. By](https://www.trendmicro.com/en_us/business/products/hybrid-cloud.html) leveraging this solution, enterprises gain access to protection for continuous integration and continuous delivery [(CI/CD) pipeline and applications. The Trend Micro Cloud One platform also includes Workload Security runtime](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-workload-security.html) protection for workloads. ## Indicators of compromise (IOCs) ce95789643e31a65ee77a31c69a6952e9e260200b50e0e8ba6bf8493cce7fb71 Coinminer.SH.MALXMR.UWEKO 34c78249ab1415afacd16cf76375a800d8d56fa5ac60b5522146e65c1521955b Trojan.Linux.XB.VSNW12G22 495605cee98f3b437c3744c24fcf255d1cee7717f7e3150d38f95673ca0617e4 Trojan.Linux.FRS.VSNW12G22 8bb70f52377091ccbb13e7be0a1d4dab079edeca6adc18b126bbdc40dbcf3ae4 Trojan.SH.SHELLMA.AAS 8ec8e800fe3f627ce9f49268e4d67e944848f8ae3a8efc2ef6f77e46781a70f3 Trojan.Linux.MALXMR.UWELMS MITRE ATT&CK® table Cloud In this blog entry, we discuss a malicious campaign that targets Alibaba Cloud’s OSS buckets with leaked credentials for malware distribution and cryptojacking. By: Alfredo Oliveira, David Fiser July 21, 2022 Read time: ( words) ----- Content added to Folio -----