{
	"id": "0def7135-ee19-4514-9b27-244895ee5dd6",
	"created_at": "2026-04-06T03:37:14.542592Z",
	"updated_at": "2026-04-10T03:20:32.987198Z",
	"deleted_at": null,
	"sha1_hash": "648059410b31d7948d6a21efa176ee403206b782",
	"title": "Permiso | Blog | Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1643708,
	"plain_text": "Permiso | Blog | Unmasking GUI-Vil: Financially Motivated Cloud\r\nThreat Actor\r\nBy Ian Ahl\r\nPublished: 2023-05-22 · Archived: 2026-04-06 02:59:33 UTC\r\nCredits: Wilma Miranda\r\nSummary (the TL;DR)\r\nPermiso’s p0 Labs has been tracking a threat actor for the last 18 months. In this article we will describe the attack\r\nlifecycle and detection opportunities for the cloud-focused, financially motivated threat actor we have dubbed\r\np0-LUCR-1, aka GUI-vil (Goo-ee-vil).\r\nhttps://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/\r\nPage 1 of 22\n\nGUI-vil is a financially motivated threat group sourcing from Indonesia whose primary objective is performing\r\nunauthorized cryptocurrency mining activities. Leveraging compromised credentials, the group has been observed\r\nexploiting Amazon Web Services (AWS) EC2 instances to facilitate their illicit crypto mining operations. Permiso\r\nfirst observed this threat actor in November of 2021, and most recently observed their activity in April of 2023.\r\nThe group displays a preference for Graphical User Interface (GUI) tools, specifically an older version of S3\r\nBrowser (version 9.5.5, released January of 2021) for their initial operations. Upon gaining AWS Management\r\nConsole access, they conduct their operations directly through the web browser.\r\nThe source IP addresses associated with the attacker's activities are linked to two (2) specific Indonesian\r\nAutonomous System Numbers (ASNs) - PT. Telekomunikasi Selular and PT Telekomunikasi Indonesia.\r\nIn their typical attack lifecycle, GUI-vil initially performs reconnaissance by monitoring public sources for\r\nexposed AWS keys (GitHub, Pastebin) and scanning for vulnerable GitLab instances. Initial compromises are\r\npredominantly achieved via exploiting known vulnerabilities such as CVE-2021-22205, or via using publicly\r\nexposed credentials.\r\nGUI-vil, unlike many groups focused on crypto mining, apply a personal touch when establishing a foothold in an\r\nenvironment. They attempt to masquerade as legitimate users by creating usernames that match the victim’s\r\nnaming standard, or in some cases taking over existing users by creating login profiles for a user where none\r\nexisted (takeover activity appearing as iam:GetLoginProfile failure followed by successful\r\niam:CreateLoginProfile).\r\nThe group's primary mission, financially driven, is to create EC2 instances to facilitate their crypto mining\r\nactivities. In many cases the profits they make from crypto mining are just a sliver of the expense the victim\r\norganizations have to pay for running the EC2 instances.\r\nAttacker Attributes\r\nHighlights:\r\nUnlike many commodity threat actors in the cloud that rely on automation, GUI-vil are engaged attackers\r\nat the keyboard, ready to adapt to whatever situation they are in.\r\nThey are allergic to CLI utilities, using S3 Browser and AWS Management Console via web browsers as\r\ntheir tooling.\r\nThey apply a personal touch. They model the name of their IAM Users, and sometimes their policies,\r\nkeypairs, etc., on what they find present in the environment. Often this helps them blend in.\r\nThey fight hard to maintain access in an environment when defenders find them. They don’t just tuck their\r\ntail and leave.\r\nThey often make mistakes by leaving S3 Browser defaults.\r\n“ \u003cYOUR-BUCKET-NAME\u003e ” being a favorite, but also default policy and IAM user names\r\n{\r\n\"userName\": \"FileBackupAccount\",\r\n\"policyName\": \"dq\",\r\n\"policyDocument\": \"{\\\\r\\\\n \\\\\"Statement\\\\\": [\\\\r\\\\n {\\\\r\\\\n \\\\\"Effect\\\\\": \\\\\"Allow\\\\\",\\\\r\\\\n \\\\\"Action\\\\\": \\\\\"s3\r\n}\r\nExample request parameters from iam:PutUserPolicy event in CloudTrail logs\r\nMission\r\nGUI-vil is a financially motivated threat actor that leverages compromised credentials to spin up EC2 instances\r\nfor use in crypto mining.\r\nTooling\r\nGUI-vil leverages mostly GUI tools in their attacks. Initial access, reconnaissance, and persistence are all\r\ncompleted using the GUI utility S3 Browser. We have observed the threat actor's continued use of the same version\r\nof S3 Browser (version 9.5.5, released January of 2021) to carry out their attacks since November 13, 2021. Once\r\nGUI-vil is able to create or take ownership of an IAM user with AWS Management Console access, they perform\r\nthe rest of their activities directly through the web browser and AWS Management Console.\r\nHours of operations (UTC/GMT)\r\nInfrastructure\r\nAll source addresses the attacker has originated from belong to two ASNs in Indonesia:\r\nPT. Telekomunikasi Selular\r\nPT Telekomunikasi Indonesia\r\nVictimology\r\nGUI-vil is an equal opportunity attacker. Rather than targeting specific organizations, they are opportunistic and\r\nwill attempt to attack any organization for which they can discover compromised credentials.\r\nAttacker Lifecycle\r\nInitial Recon\r\nIn order to support their mechanisms for initial access, GUI-vil performs two (2) main forms of reconnaissance:\r\nMonitoring common public sources for exposed AWS access keys such as GitHub and Pastebin.\r\nScanning for vulnerable versions of software repositories such as GitLab.\r\nInitial Compromise \u0026 Establishing Foothold\r\nWe have observed this threat actor leverage two (2) methods of initial compromise:\r\nLeverage CVE-2021-22205 to gain Remote Code Execution (RCE) on vulnerable GitLab instances. Once\r\nGitLab is exploited the threat actor reviews repositories for AWS access keys.\r\nIn most instances this threat actor is able to find publicly exposed credentials and directly leverage them.\r\nThe discovered access keys become their foothold into the AWS environment. They validate the access key and\r\nsecret are active credentials by entering them into the Windows GUI utility S3 Browser, which will first execute\r\nthe ListBuckets command against the S3 service.\r\n{\r\n\"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"principalId\": \"redacted\",\r\n \"arn\": \"arn:aws:iam::redacted:user/external_audit\",\r\n\"accountId\": \"redacted\",\r\n \"accessKeyId\": \"AKIA******\",\r\n \"userName\": \"external_audit\"\r\n},\r\n \"eventTime\": \"2023-04-18T14:47:39.0000000Z\",\r\n \"eventSource\": \"s3.amazonaws.com\",\r\n \"eventName\": \"ListBuckets\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"36.85.110.142\",\r\n \"userAgent\": \"[S3 Browser 9.5.5 https://s3browser.com]\",\r\n \"requestParameters\": {\r\n \"Host\": \"s3.us-east-1.amazonaws.com\"\r\n},\r\n \"responseElements\": null,\r\n \"requestID\": \"T1ACJXN3EJQ4T58X\",\r\n \"eventID\": \"af6814ab-10e1-4c8a-88b6-384874592519\",\r\n \"readOnly\": true,\r\n \"eventType\": \"AwsApiCall\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"redacted\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.2\",\r\n \"cipherSuite\": \"ECDHE-RSA-AES128-GCM-SHA256\",\r\n \"clientProvidedHostHeader\": \"s3.us-east-1.amazonaws.com\"\r\n},\r\n \"additionalEventData\": {\r\n \"SignatureVersion\": \"SigV4\",\r\n \"CipherSuite\": \"ECDHE-RSA-AES128-GCM-SHA256\",\r\n \"bytesTransferredIn\": 0,\r\n \"AuthenticationMethod\": \"AuthHeader\",\r\n \"x-amz-id-2\": \"2ZRMAF9dvfjiLRZq1UoaE6tspOgoHk4X/Vtvjb8orWdQPGgJQiOuXhn13eOL3s4+BY/+Fuf7ZxE=\",\r\n \"bytesTransferredOut\": 389\r\n}\r\n}\r\nEscalate Privileges\r\nGiven that cloud credentials are often grossly over-privileged, this threat actor does not often need to elevate their\r\nprivileges. In one attack by GUI-vil though, the credentials the threat actor started with had read-only permissions\r\nacross all services. The attacker used these credentials to review data in all available S3 buckets, and was able to\r\nfind credentials with full administrator privileges in a Terraform tfstate file.\r\nInternal Recon\r\nGUI-vil has two (2) main methods of performing internal reconnaissance:\r\nReview of accessible S3 buckets\r\nExploring what services are accessible and utilized by the victim organization via the AWS Management\r\nConsole.\r\nServices we have observed them exploring (in order of descending prevalence) include:\r\nec2.amazonaws.com\r\nhealth.amazonaws.com\r\niam.amazonaws.com\r\norganizations.amazonaws.com\r\nelasticloadbalancing.amazonaws.com\r\nautoscaling.amazonaws.com\r\nmonitoring.amazonaws.com\r\ncloudfront.amazonaws.com\r\nbillingconsole.amazonaws.com\r\ns3.amazonaws.com\r\ncompute-optimizer.amazonaws.com\r\nce.amazonaws.com\r\ndynamodb.amazonaws.com\r\nconfig.amazonaws.com\r\nram.amazonaws.com\r\nssm.amazonaws.com\r\nkms.amazonaws.com\r\nsecurityhub.amazonaws.com\r\nservicecatalog-appregistry.amazonaws.com\r\nsts.amazonaws.com\r\ncloudtrail.amazonaws.com\r\ntrustedadvisor.amazonaws.com\r\nlogs.amazonaws.com\r\ndax.amazonaws.com\r\nsso.amazonaws.com\r\nsupport.amazonaws.com\r\naccount.amazonaws.com\r\nelasticfilesystem.amazonaws.com\r\nresource-groups.amazonaws.com\r\nds.amazonaws.com\r\ntagging.amazonaws.com\r\ncloudhsm.amazonaws.com\r\naccess-analyzer.amazonaws.com\r\nresource-explorer-2.amazonaws.com\r\nAdditionally, we observed GUI-vil monitoring CloudTrail logs for changes that the victims’ organizations were\r\nmaking when trying to evict GUI-vil from their environments. This allowed GUI-vil to adapt their persistence to\r\nbypass restrictions the victim organization was putting in place.\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"principalId\": \"redacted\",\r\n \"arn\": \"arn:aws:iam::redacted:user/andy\",\r\n \"accountId\": \"redacted\",\r\n \"accessKeyId\": \"ASIA****\",\r\n \"userName\": \"andy\",\r\n \"sessionContext\": {\r\n \"sessionIssuer\": {},\r\n \"webIdFederationData\": {},\r\n \"attributes\": {\r\n \"creationDate\": \"2023-04-19T01:16:27.0000000Z\",\r\n \"mfaAuthenticated\": \"false\"\r\n }\r\n}\r\n},\r\n \"eventTime\": \"2023-04-19T01:21:14.0000000Z\",\r\n \"eventSource\": \"cloudtrail.amazonaws.com\",\r\n \"eventName\": \"LookupEvents\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"36.85.110.142\",\r\n \"userAgent\": \"AWS Internal\",\r\n \"requestParameters\": {\r\n \"maxResults\": 50,\r\n \"lookupAttributes\": [\r\n {\r\n \"attributeKey\": \"ReadOnly\",\r\n \"attributeValue\": \"false\"\r\n }\r\n]\r\n}\r\nMaintain Presence (IAM)\r\nIn order to maintain a presence in the victim organization, GUI-vil has leveraged several different mechanisms.\r\nBased on observed activity, they exclusively utilize S3 Browser to create and modify resources in the IAM\r\nservice.\r\nGUI-vil will often create new IAM users to ensure they can persist in an environment in case their\r\noriginal compromised credentials are discovered. When creating IAM users GUI-vil will often attempt to\r\nconform to the naming standards of existing IAM users. For example, in one environment they created a\r\nuser named sec_audit which they modelled off of other audit users in the organization. They do often move too fast for their own\r\ngood, sometimes forgetting to take out the default name that S3 Browser supplies when creating a new\r\nuser.\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"principalId\": \"redacted\",\r\n \"arn\": \"arn:aws:iam::redacted:user/terraform\",\r\n \"accountId\": \"redacted\",\r\n \"userName\": \"terraform\",\r\n \"accessKeyId\": \"AKIA*****\"\r\n },\r\n \"eventTime\": \"2023-04-18T15:05:27.0000000Z\",\r\n \"eventSource\": \"iam.amazonaws.com\",\r\n\"eventName\": \"CreateUser\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"36.85.110.142\",\r\n \"userAgent\": \"S3 Browser 9.5.5 \u003chttps://s3browser.com\u003e\",\r\n \"requestParameters\": {\r\n \"userName\": \"sec_audit\",\r\n \"path\": \"/\"\r\n },\r\n \"responseElements\": {\r\n \"user\": {\r\n \"arn\": \"arn:aws:iam::redacted:user/sec_audit\",\r\n \"userName\": \"sec_audit\",\r\n \"userId\": \"redacted\",\r\n \"createDate\": \"Apr 18, 2023 3:05:27 PM\",\r\n \"path\": \"/\"\r\n }\r\n}\r\nGUI-vil will also create access keys for the new identities they are creating so they can continue usage of\r\nS3 Browser with these new users.\r\nGUI-vil will create login profiles to enable access to AWS Management Console. We have observed GUI-vil apply this tactic to avoid the noise of creating a new user. They look for identities that do not have login\r\nprofiles and, once found, create a login profile. This allows the attacker to inherit the permissions of that\r\nidentity and stay under the radar of security teams that do not monitor new login profiles being created.\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"principalId\": \"redacted\",\r\n \"arn\": \"arn:aws:iam::redacted:user/terraform\",\r\n \"accountId\": \"redacted\",\r\n \"accessKeyId\": \"AKIA****\",\r\n \"userName\": \"terraform\"\r\n },\r\n \"eventTime\": \"2023-04-18T15:27:22.0000000Z\",\r\n \"eventSource\": \"iam.amazonaws.com\",\r\n \"eventName\": \"GetLoginProfile\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"36.85.110.142\",\r\n \"userAgent\": \"S3 Browser 9.5.5 \u003chttps://s3browser.com\u003e\",\r\n \"requestParameters\": {\r\n \"userName\": \"andy\"\r\n },\r\n\"responseElements\": null,\r\n \"requestID\": \"33147b1e-f106-440e-b63a-f4fca8da0170\",\r\n \"eventID\": \"7d7ad4e4-3f50-42d1-af4f-6d7db737ecdb\",\r\n \"readOnly\": true,\r\n \"eventType\": \"AwsApiCall\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"redacted\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n \"tlsVersion\": \"TLSv1.2\",\r\n \"cipherSuite\": \"ECDHE-RSA-AES128-GCM-SHA256\",\r\n \"clientProvidedHostHeader\": \"iam.amazonaws.com\"\r\n },\r\n \"errorCode\": \"NoSuchEntityException\",\r\n \"errorMessage\": \"Login Profile for User andy cannot be found.\"\r\n}\r\niam:GetLoginProfile with error showing that a login profile does not currently exist\r\n{\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"IAMUser\",\r\n \"principalId\": \"redacted\",\r\n \"arn\": \"arn:aws:iam::redacted:user/terraform\",\r\n \"accountId\": \"redacted\",\r\n \"accessKeyId\": \"AKIA****\",\r\n \"userName\": \"terraform\"\r\n },\r\n \"eventTime\": \"2023-04-18T15:27:29.0000000Z\",\r\n \"eventSource\": \"iam.amazonaws.com\",\r\n \"eventName\": \"CreateLoginProfile\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"36.85.110.142\",\r\n \"userAgent\": \"S3 Browser 9.5.5 https://s3browser.com\",\r\n \"requestParameters\": {\r\n \"userName\": \"andy\",\r\n \"passwordResetRequired\": false\r\n },\r\n \"responseElements\": {\r\n \"loginProfile\": {\r\n \"userName\": \"andy\",\r\n \"createDate\": \"Apr 18, 2023 3:27:29 PM\",\r\n \"passwordResetRequired\": false\r\n }\r\n},\r\n \"requestID\": \"281e395e-3614-44f6-8531-5bcdca3a5507\",\r\n \"eventID\": \"4ced3dd4-1ab7-4e23-b659-7ca7d88c5d6e\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsApiCall\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"redacted\",\r\n \"eventCategory\": \"Management\",\r\n \"tlsDetails\": {\r\n\"tlsVersion\": \"TLSv1.2\",\r\n \"cipherSuite\": \"ECDHE-RSA-AES128-GCM-SHA256\",\r\n \"clientProvidedHostHeader\": \"iam.amazonaws.com\"\r\n }\r\n}\r\niam:CreateLoginProfile for the user that did not have a login profile already defined\r\nWhen GUI-vil creates IAM users, they also directly attach an inline policy via iam:PutUserPolicy to grant their\r\nuser full privileges.\r\n{\r\n \"userName\": \"backup\",\r\n \"policyName\": \"backupuser\",\r\n \"policyDocument\": \"{\\\\r\\\\n \\\\\"Statement\\\\\": [\\\\r\\\\n {\\\\r\\\\n \\\\\"Effect\\\\\": \\\\\"Allow\\\\\",\\\\r\\\\n \\\\\"Action\\\\\r\n}\r\niam:PutUserPolicy to add inline policy granting full privileges to newly created user\r\nMaintain Presence (EC2)\r\nWhile they can maintain presence on the infrastructure level via the users and access keys they have created or\r\ntaken over, the attacker can also maintain persistence to the environment via EC2. Simply by being able to\r\nconnect to the EC2 instance they can assume the credentials of the EC2 instance. Often times the attacker will\r\nexecute ec2:CreateKeyPair, enabling them to connect to the EC2 instance directly via SSH which they ensure is\r\nopen to the internet on any EC2 instances they create.\r\n\"data\": {\r\n \"eventVersion\": \"1.08\",\r\n \"userIdentity\": {\r\n \"type\": \"AssumedRole\",\r\n \"principalId\": \"AROA****:andy\",\r\n \"arn\": \"arn:aws:sts::redacted:assumed-role/AdminUser/andy\",\r\n \"accountId\": \"redacted\",\r\n \"accessKeyId\": \"ASIA*****\",\r\n \"sessionContext\": {\r\n \"sessionIssuer\": {\r\n \"type\": \"Role\",\r\n \"principalId\": \"AROA****\",\r\n \"arn\": \"arn:aws:iam::redacted:role/AdminUser\",\r\n \"accountId\": \"redacted\",\r\n \"userName\": \"AdminUser\"\r\n },\r\n \"webIdFederationData\": {},\r\n\"attributes\": {\r\n \"creationDate\": \"2023-04-18T15:30:24.0000000Z\",\r\n \"mfaAuthenticated\": \"false\"\r\n }\r\n}\r\n},\r\n \"eventTime\": \"2023-04-18T15:33:12.0000000Z\",\r\n \"eventSource\": \"ec2.amazonaws.com\",\r\n \"eventName\": \"CreateKeyPair\",\r\n \"awsRegion\": \"us-east-1\",\r\n \"sourceIPAddress\": \"36.85.110.142\",\r\n \"userAgent\": \"AWS Internal\",\r\n \"requestParameters\": {\r\n \"keyName\": \"su32\",\r\n \"keyType\": \"rsa\",\r\n \"keyFormat\": \"ppk\"\r\n },\r\n \"responseElements\": {\r\n \"requestId\": \"21e1134f-109e-4b4a-bea8-cc651b9e0db8\",\r\n \"keyName\": \"su32\",\r\n \"keyFingerprint\": \"e9:86:03:1e:81:4e:65:fb:78:41:f0:32:e0:29:ff:6e:9b:0e:fe:f0\",\r\n \"keyPairId\": \"key-0123456789abcdef0\",\r\n \"keyMaterial\": \"\u003csensitiveDataRemoved\u003e\"\r\n },\r\n \"requestID\": \"21e1134f-109e-4b4a-bea8-cc651b9e0db8\",\r\n \"eventID\": \"9338ea0b-b929-4a76-b024-2b3ea36cd484\",\r\n \"readOnly\": false,\r\n \"eventType\": \"AwsApiCall\",\r\n \"managementEvent\": true,\r\n \"recipientAccountId\": \"redacted\",\r\n \"eventCategory\": \"Management\",\r\n \"sessionCredentialFromConsole\": \"true\"\r\n}\r\nec2:CreateKeyPair to create public and private key pair for remote access\r\n{\r\n \"groupId\": \"sg-0123456789abcdef0\",\r\n \"ipPermissions\": {\r\n \"items\": [\r\n {\r\n \"ipRanges\": {\r\n \"items\": [\r\n {\r\n \"cidrIp\": \"0.0.0.0/0\"\r\n }\r\n]\r\n},\r\n \"prefixListIds\": {},\r\n \"fromPort\": 22,\r\n \"toPort\": 22,\r\n \"groups\": {},\r\n \"ipProtocol\": \"tcp\",\r\n \"ipv6Ranges\": {}\r\n }\r\n]\r\n}\r\nec2:AuthorizeSecurityGroupIngress to add inbound (ingress) rule for port 22 to specified security group\r\nComplete Mission\r\nGUI-vil is financially motivated. They create EC2 instances in victim AWS organizations that they then use for\r\ncrypto mining. Often times as they encounter resource limitations set by the victim organizations they will switch\r\nto other regions and attempt again.\r\nAll EC2 instances they created have had these attributes:\r\nSize xlarge and bigger (c4.4xlarge, p3.16xlarge, p3.2xlarge, p3.8xlarge)\r\nTCP/22 open to 0.0.0.0\r\nIPv4 Enabled, IPv6 Disabled\r\nDetailed CloudWatch monitoring disabled\r\nXen hypervisor\r\nOnce an EC2 instance is created they connect to it via SSH, install required packages, then install and launch\r\nXMRIG:\r\napt-get update\r\napt-get install git build-essential cmake libuv1-dev libssl-dev libhwloc-dev -y\r\n/home/ubuntu/xmrig\r\nIndicators\r\nAtomic Indicators\r\nIndicator Type Notes\r\n182.1.229.252 IPv4 PT. Telekomunikasi Selular\r\n114.125.247.101 IPv4 PT. Telekomunikasi Selular\r\n114.125.245.53 IPv4 PT. Telekomunikasi Selular\r\n114.125.232.189 IPv4 PT. Telekomunikasi Selular\r\n114.125.228.81 IPv4 PT. Telekomunikasi Selular\r\n114.125.229.197 IPv4 PT. Telekomunikasi Selular\r\n114.125.246.235 IPv4 PT. Telekomunikasi Selular\r\n114.125.246.43 IPv4 PT. Telekomunikasi Selular\r\n36.85.110.142 IPv4 PT Telekomunikasi Indonesia\r\nS3 Browser 9.5.5 https://s3browser.com/ UA\r\n[S3 Browser 9.5.5 https://s3browser.com/] UA\r\nsu32 SSH Key Name\r\nnew-user-\u003c8 alphanumeric characters\u003e IAM User default naming standard for creating a user with S3 Browser\r\nsec_audit IAM User\r\nsdgs IAM Policy\r\nter IAM Policy\r\nbackup IAM User\r\ndq IAM Policy\r\nDetections\r\nPermiso CDR Rules\r\nPermiso clients are protected from these attackers by the following detections:\r\nPermiso Detections\r\nP0_AWS_S3_BROWSER_USERAGENT_1\r\nP0_MULTI_NEFARIOUS_USERAGENT_1\r\nP0_AWS_SUSPICIOUS_ACCOUNT_NAME_CREATED_1\r\nP0_GENERAL_SUSPICIOUS_ACCOUNT_NAME_CREATED_1\r\nP0_COMMON_USER_ACTIVITY_NO_MFA_1\r\nP0_AWS_IAM_INLINE_POLICY_ALLOW_ALL_1\r\nP0_AWS_IAM_INLINE_POLICY_SHORT_NAME_1\r\nP0_AWS_IAM_INLINE_POLICY_PASSROLE_1\r\nP0_AWS_IAM_INLINE_POLICY_TEMPLATE_LANGUAGE_1\r\nP0_AWS_EC2_MULTI_REGION_INSTANCE_CREATIONS_1\r\nP0_AWS_HUMAN_CREATED_LARGE_EC2_1\r\nP0_AWS_EC2_STARTED_CIDR_FULL_OPEN_PORT_22_1\r\nFor folks not on the Permiso platform, here are some basic sigma rules that can be used to identify GUI-vil:\r\nS3 Browser - IAM Policy w/Templated Language\r\ntitle: AWS IAM S3Browser Templated S3 Bucket Policy Creation\r\nid: db014773-7375-4f4e-b83b-133337c0ffee\r\nstatus: experimental\r\ndescription: Detects S3 Browser utility creating Inline IAM Policy containing default S3 bucket name placeholder\r\nreferences:\r\n  - \u003chttps://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor\u003e\r\nauthor: daniel.bohannon@permiso.io (@dani\r\ndate: 2023/05/17\r\nmodified: 2023/05/17\r\ntags:\r\n  - attack.execution\r\n  - attack.t1059.009\r\n  - attack.persistence\r\n  - attack.t1078.004\r\nlogsource:\r\n  product: aws\r\n  service: cloudtrail\r\ndetection:\r\n  selection_source:\r\n    eventSource: iam.amazonaws.com\r\n    eventName: PutUserPolicy\r\n  filter_tooling:\r\n    userAgent|contains: 'S3 Browser'\r\n  filter_policy_resource:\r\n    requestParameters|contains: '\"arn:aws:s3:::\u003cYOUR-BUCKET-NAME\u003e/*\"'\r\n  filter_policy_action:\r\n    requestParameters|contains: '\"s3:GetObject\"'\r\n  filter_policy_effect:\r\n    requestParameters|contains: '\"Allow\"'\r\n  condition: selection_source and filter_tooling and filter_policy_resource and filter_policy_action and filter_policy_effect\r\nfalsepositives:\r\n  - Valid usage of S3 Browser with accidental creation of default Inline IAM Policy without changing default S\r\nlevel: high\r\nS3 Browser - IAM LoginProfile\r\ntitle: AWS IAM S3Browser LoginProfile Creation\r\nid: db014773-b1d3-46bd-ba26-133337c0ffee\r\nstatus: experimental\r\ndescription: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a Login\r\nreferences:\r\n  - \u003chttps://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor\u003e\r\nauthor: daniel.bohannon@permiso.io (@dani\r\ndate: 2023/05/17\r\nmodified: 2023/05/17\r\ntags:\r\n  - attack.execution\r\n  - attack.t1059.009\r\n  - attack.persistence\r\n  - attack.t1078.004\r\nlogsource:\r\n  product: aws\r\n  service: cloudtrail\r\ndetection:\r\n  selection_source:\r\n    eventSource: iam.amazonaws.com\r\n    eventName:\r\n      - GetLoginProfile\r\n      - CreateLoginProfile\r\n  filter_tooling:\r\n    userAgent|contains: 'S3 Browser'\r\n  condition: selection_source and filter_tooling\r\nfalsepositives:\r\n  - Valid usage of S3 Browser for IAM LoginProfile listing and/or creation\r\nlevel: high\r\nS3 Browser - IAM User and AccessKey\r\ntitle: AWS IAM S3Browser User or AccessKey Creation\r\nid: db014773-d9d9-4792-91e5-133337c0ffee\r\nstatus: experimental\r\ndescription: Detects S3 Browser utility creating IAM User or AccessKey.\r\nreferences:\r\n  - \u003chttps://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor\u003e\r\nauthor: daniel.bohannon@permiso.io (@dani\r\ndate: 2023/05/17\r\nmodified: 2023/05/17\r\ntags:\r\n  - attack.execution\r\n  - attack.t1059.009\r\n  - attack.persistence\r\n  - attack.t1078.004\r\nlogsource:\r\n  product: aws\r\n  service: cloudtrail\r\ndetection:\r\n  selection_source:\r\n    eventSource: iam.amazonaws.com\r\n    eventName:\r\n      - CreateUser\r\n      - CreateAccessKey\r\n  filter_tooling:\r\n    userAgent|contains: 'S3 Browser'\r\n  condition: selection_source and filter_tooling\r\nfalsepositives:\r\n  - Valid usage of S3 Browser for IAM User and/or AccessKey creation\r\nlevel: high\r\nObserved Events (write level):\r\nec2:AuthorizeSecurityGroupIngress\r\nec2:CreateKeyPair\r\nec2:CreateSecurityGroup\r\nec2:CreateTags\r\nec2:RunInstances\r\nec2:TerminateInstances\r\niam:CreateAccessKey\r\niam:CreateLoginProfile\r\niam:CreateUser\r\niam:DeleteAccessKey\r\niam:DeleteLoginProfile\r\niam:DeleteUser\r\niam:DeleteUserPolicy\r\niam:PutUserPolicy\r\nsignin:ExitRole\r\nsignin:SwitchRole\r\nSource: https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor/"
	],
	"report_names": [
		"unmasking-guivil-new-cloud-threat-actor"
	],
	"threat_actors": [],
	"ts_created_at": 1775446634,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/648059410b31d7948d6a21efa176ee403206b782.pdf",
		"text": "https://archive.orkl.eu/648059410b31d7948d6a21efa176ee403206b782.txt",
		"img": "https://archive.orkl.eu/648059410b31d7948d6a21efa176ee403206b782.jpg"
	}
}