The Color1337 cryptojacking operation, a threat campaign allegedly run from Romania, targets devices running Linux. Based on reports, the campaign uses a botnet that can propagate to other networks while mining Monero.
The researchers first detected the attacks on a honeypot in France after deploying Ubuntu 22.04. The threat operators claimed to be the ElPatrono1227 group, which used SSH brute-forcing to gain initial access to the targeted network.
The group then downloads a shell script dubbed uhQCCSpB from attacker-controlled infrastructure and executes it on the compromised device. The researchers stated that the shell script is a modified variant of the bot known as Linux.MulDrop.14 or UNIX_PIMINE.A. The threat actors originally designed Linux.MulDrop.14 to target other IoT machines.
The Color1337 cryptojacking script chains numerous commands to carry out further attacks on a targeted device.
According to the investigation, the operators execute uhQCCSpB so that they can run additional malicious commands on the compromised hosts.
The script first kills any other miner malware on the infected device to free up its resources, then checks how many processing cores the target has.
If the device has more than four cores, the script calls its FastAndSteady function, which installs the diicot Monero miner and uses the compromised device's resources for cryptomining.
If the device has fewer than four cores, the campaign instead uses its SlowAndSteady routine, which attempts to infect other machines on the network.
Lastly, the attackers exfiltrate the harvested data via Discord webhooks: the script sends POST requests to an attacker-controlled Discord server, which stores details such as the devices' default credentials.
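As an added illustration (not code from the report or from the campaign), here is a small Python detector for the two observable links in the chain described above: an SSH brute-force burst that ends in a successful login, and an outbound POST to a Discord webhook from a server that has no reason to talk to Discord. The log lines, hostnames, IPs and webhook URL are constructed samples.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not taken from the report): a burst of
# password failures followed by a successful login from the same source IP.
AUTH_LOG = """\
Mar  3 10:01:02 honeypot sshd[912]: Failed password for root from 203.0.113.7 port 51202 ssh2
Mar  3 10:01:03 honeypot sshd[913]: Failed password for root from 203.0.113.7 port 51203 ssh2
Mar  3 10:01:04 honeypot sshd[914]: Failed password for invalid user admin from 203.0.113.7 port 51204 ssh2
Mar  3 10:01:05 honeypot sshd[915]: Failed password for root from 203.0.113.7 port 51205 ssh2
Mar  3 10:01:06 honeypot sshd[916]: Failed password for root from 203.0.113.7 port 51206 ssh2
Mar  3 10:01:09 honeypot sshd[917]: Accepted password for root from 203.0.113.7 port 51207 ssh2
Mar  3 10:05:00 honeypot sshd[950]: Accepted publickey for ops from 198.51.100.2 port 40000 ssh2
"""

# Constructed egress proxy lines (host, method, URL). A server POSTing to a
# Discord webhook is the exfiltration signal the report describes; the
# webhook id and token below are placeholders.
PROXY_LOG = """\
honeypot POST https://discord.com/api/webhooks/000000000000000000/placeholder-token
ops-laptop GET https://discord.com/channels/@me
honeypot GET https://archive.ubuntu.com/ubuntu/dists/jammy/InRelease
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")
WEBHOOK = re.compile(r"^(\S+) POST https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/", re.M)

def brute_force_then_login(auth_log, threshold=5):
    """Return source IPs that failed at least `threshold` times and then logged in."""
    failures = Counter()
    hits = set()
    for line in auth_log.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] >= threshold:
            hits.add(m.group(2))
    return hits

def discord_webhook_posters(proxy_log):
    """Return hosts that POSTed to a Discord webhook URL."""
    return set(WEBHOOK.findall(proxy_log))
```

Either signal alone is worth an alert on a server; a host that shows both in sequence matches the access-then-exfiltrate pattern of this campaign.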
The Color1337 cryptojacking campaign is a direct malicious threat. It shows how attackers can chain simple actions to inflict extensive damage. Furthermore, by routing their malicious traffic through Discord functions, the operators obfuscate it and make their attacks harder to trace and observe.
To avoid these attacks, Linux users should recognise the importance of continuously monitoring exposed resources and the traffic to them, and of controlling access to those resources.