Researchers at Cado Security have discovered a new malware family targeting cloud services to mine cryptocurrency.
Dubbed CoinStomp, the malware consists of shell scripts that “attempt to exploit cloud compute instances hosted by cloud service providers for the purpose of mining cryptocurrency,” according to Cado Security.
The firm’s researchers say that the overall purpose of CoinStomp is to quietly compromise instances in order to harness their computing power to illicitly mine cryptocurrency, a form of attack known as cryptojacking.
A number of attack attempts have been focused, so far, on cloud service providers in Asia.
Clues in code also referenced Xanthe, a cryptojacking threat group recently tied to the Abcbot botnet. However, the clue – found in a defunct payload URL – is not enough to firmly establish who is responsible for CoinStomp and may have been included in “an attempt to foil attribution,” according to the team.
CoinStomp has a number of advanced features, one of which is “timestomping”. This involves manipulating file timestamps with the Linux touch utility, which can rewrite file modification and access times.
“It seems likely that timestomping was employed to obfuscate usage of the chmod and chattr utilities, as forensic tools would display the copied versions of these binaries as being last accessed (executed) at the timestamp used in the touch command,” Cado Security noted.
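Because touch can rewrite a file’s access and modification times but not its inode change time (ctime), which the kernel sets from the wall clock whenever metadata changes, a copied-then-backdated binary shows an old mtime beside a recent ctime. The following scanner is an added defender-side example written for this article, not Cado Security’s code or anything from the CoinStomp scripts; it assumes a Linux host (where st_ctime is inode change time) and a 24-hour skew threshold chosen for illustration, and its demo() builds a constructed sample in a temporary directory.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

# Assumption: files whose mtime sits more than this far behind ctime are
# flagged. Tune per host; package-installed files keep their build mtime and
# get ctime at install, so the threshold trades false positives for recall.
SKEW_SECONDS = 24 * 3600


def timestomp_candidates(root, skew=SKEW_SECONDS, executables_only=True):
    """Return (path, mtime, ctime) for regular files whose mtime is
    suspiciously older than ctime, or whose mtime lies in the future.
    Neither condition can be produced by touch(1) on a file that was
    genuinely last written at its recorded mtime."""
    now = time.time()
    hits = []
    for path in Path(root).rglob("*"):
        try:
            st = path.lstat()
        except OSError:
            continue  # vanished or unreadable entry; skip it
        if not stat.S_ISREG(st.st_mode):
            continue
        if executables_only and not st.st_mode & stat.S_IXUSR:
            continue
        if st.st_ctime - st.st_mtime > skew or st.st_mtime > now + 60:
            hits.append((str(path), st.st_mtime, st.st_ctime))
    return hits


def demo():
    """Constructed fixture: one freshly created executable and one whose
    mtime/atime were set a year back after creation (what touch -t would do).
    Returns (hits, path_that_should_be_flagged)."""
    root = tempfile.mkdtemp(prefix="stomp_demo_")
    for name in ("clean.sh", "chmod_copy"):
        p = Path(root, name)
        p.write_text("#!/bin/sh\n")
        os.chmod(p, 0o755)
    stomped = Path(root, "chmod_copy")
    old = time.time() - 400 * 86400
    os.utime(stomped, (old, old))  # atime/mtime move; ctime stays 'now'
    return timestomp_candidates(root), str(stomped)


if __name__ == "__main__":
    for hit in demo()[0]:
        print(hit)
```

Run it over directories where copied system utilities would land (such as /tmp or the working directory of a suspicious systemd unit) rather than the whole filesystem, and review each hit alongside ctime before treating it as evidence.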
In addition, the malware will attempt to tamper with Linux server cryptographic policies. These policies can prevent malicious executables from being dropped or executed, and so CoinStomp’s developer has included features to disable system-wide cryptographic policies through a kill command.
“This could undo attempts to harden the target machine by administrators, ensuring that the malware achieves its objectives,” the researchers say.
CoinStomp will then establish a connection to its command-and-control (C2) server via a reverse shell. The script then downloads and executes further payloads as system-wide systemd services, complete with root privileges.
These include binaries to potentially create backdoors and a custom version of XMRig, legitimate Monero mining software abused for criminal purposes.
“CoinStomp demonstrates the sophistication and knowledge of attackers in the cloud security space,” Cado Security says. “Employing anti-forensics techniques and weakening the target machine by removing cryptographic policies demonstrates not only a knowledge of Linux security measures but also an understanding of the incident response process.”
Protecting Your Cryptocurrency Against CoinStomp Malware
Cryptocurrency and the blockchain stand to be a major driving factor in the technology of the future. However, this popularity has attracted an element of cybercrime. There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a user would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all internet users. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.