Jupyter Notebooks targeted by the new Sobolan malware

April 3, 2025
Tags: Jupyter Notebooks, Sobolan Malware, Cybercriminal Campaign, Hackers, Cloud Infrastructure

The newly discovered Sobolan malware campaign is ongoing, with malicious activity aimed at computing infrastructure.

According to reports, Jupyter Notebooks are the primary target of this activity, so the operation poses a severe risk to cloud-native environments.

The researchers explained that the hostile payload uses a multi-stage attack chain to breach and compromise systems. Moreover, the campaign can deploy cryptominers and install backdoors to establish persistence on infected devices.


The Sobolan malware attack starts by exploiting the JupyterLab instance.


Investigations revealed that the Sobolan malware campaign was initiated by exploiting an unauthenticated JupyterLab instance.

From that foothold, the operators download a compressed archive containing malicious binaries and shell scripts. Once executed, these scripts begin a sequence of operations aimed at hijacking system resources for cryptomining, establishing persistence, and evading security detection.

Additionally, the malware uses several techniques to remain active on the breached system. One of them is altering the ~/.bashrc file to display a bogus login prompt; this effectively blocks terminal access unless the attacker’s hardcoded password is entered. It also sets up cron jobs to ensure the harmful components keep running.

Furthermore, the hackers use a variety of binaries and scripts to achieve their objectives. The lol and lol1 scripts run the cryptominers pythonlol and sobolan, while the noob script terminates programs with high CPU utilisation, most likely to prevent interference with the cryptomining operation.

The run binary checks the SSH credentials before executing the apachelogs binary, which runs a service that terminates other cryptominers and launches the syst3md cryptominer.
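The persistence techniques described above (a bogus password prompt appended to ~/.bashrc that gates the shell, and cron jobs that relaunch the miner components) leave traces a defender can look for. The following Python audit is an added example written for this page, not code from the original report or from the researchers. The shell-startup and crontab contents it inspects are constructed samples: the report does not give the exact text the malware writes, so the checks are heuristics keyed on the component names it does name (lol, lol1, noob, pythonlol, sobolan, apachelogs, syst3md), on silent password reads followed by an exit, and on commands executed from temporary directories.

```python
"""Audit ~/.bashrc and crontab text for Sobolan-style persistence indicators.

Added example (not from the original report). Heuristics only: a hit means
"look at this line", not a confirmed infection.
"""
import re
from dataclasses import dataclass

# Component names given in the report. "run" is omitted from bare-name
# matching because the word is too generic to flag on its own.
SOBOLAN_NAMES = {"lol", "lol1", "noob", "pythonlol", "sobolan", "apachelogs", "syst3md"}

# A Sobolan component name used as a command or as the last path element.
NAME_RE = re.compile(
    r"(?:^|[\s/;&|])(" + "|".join(sorted(SOBOLAN_NAMES)) + r")(?=$|[\s;&|>])"
)
# Commands launched from world-writable temp locations.
TEMP_DIR_RE = re.compile(r"(?:^|\s)(?:/tmp|/var/tmp|/dev/shm)/")
# A silent (-s) or password-labelled `read`, i.e. a fake login prompt.
PROMPT_RE = re.compile(r"\bread\b(?:.*\s-[A-Za-z]*s|.*[Pp]ass)")
# Something that ends the session: exit/logout or killing the shell itself.
GATE_RE = re.compile(r"\bexit\b|\blogout\b|\bkill\b.*\$\$")
# crontab job line: five schedule fields or an @keyword, then the command.
CRON_RE = re.compile(r"^(?:@\w+|(?:\S+\s+){5})(.+)$")


@dataclass
class Finding:
    source: str
    line_no: int
    reason: str
    text: str


def _command_findings(source: str, no: int, command: str) -> list:
    """Indicators that apply to any command string (startup file or cron)."""
    out = []
    m = NAME_RE.search(command)
    if m:
        out.append(Finding(source, no, f"Sobolan component name '{m.group(1)}'", command.strip()))
    if TEMP_DIR_RE.search(command):
        out.append(Finding(source, no, "executable run from a temp directory", command.strip()))
    return out


def scan_bashrc(content: str, source: str = "~/.bashrc") -> list:
    """Flag a fake login prompt that gates the terminal, plus miner launches."""
    findings, prompt_seen = [], False
    for no, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if PROMPT_RE.search(line):
            prompt_seen = True
            findings.append(Finding(source, no, "password prompt in shell startup file", line))
        elif prompt_seen and GATE_RE.search(line):
            findings.append(Finding(source, no, "shell exits unless the prompt is satisfied", line))
        findings.extend(_command_findings(source, no, line))
    return findings


def scan_crontab(content: str, source: str = "crontab") -> list:
    """Flag cron jobs that relaunch Sobolan components or run from temp dirs."""
    findings = []
    for no, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue  # e.g. MAILTO=..., an environment line rather than a job
        findings.extend(_command_findings(source, no, m.group(1)))
    return findings


# Constructed samples (not real artefacts from the campaign).
BASHRC_SAMPLE = """\
# .bashrc (constructed sample)
export PATH=$PATH:$HOME/bin
alias ll='ls -la'
echo -n "Password: "
read -s pw
if [ "$pw" != "placeholder-password" ]; then exit; fi
nohup /tmp/.x/lol >/dev/null 2>&1 &
"""

CRON_SAMPLE = """\
# m h dom mon dow command (constructed sample)
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /tmp/.x/lol1 >/dev/null 2>&1
@reboot /var/tmp/apachelogs
"""

if __name__ == "__main__":
    for f in scan_bashrc(BASHRC_SAMPLE) + scan_crontab(CRON_SAMPLE):
        print(f"{f.source}:{f.line_no}: {f.reason}: {f.text}")
```

On a live host the same functions can be fed the real files (`~/.bashrc` for each user, `crontab -l` output, and the files under /etc/cron.d); the temp-directory and component-name checks are deliberately narrow so that ordinary startup files produce no noise.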

This campaign illustrates the growing risk enterprises face when running cloud-based interactive computing systems. The exploitation of unauthenticated instances and the deployment of malware as capable as Sobolan show that firms need strong security controls in cloud-native environments.

Organisations should enforce strong authentication, update software regularly to patch vulnerabilities, and use runtime security tooling to detect and block activity like this newly discovered campaign.
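Since the entry point reported here is a JupyterLab instance reachable without authentication, the first control to verify is that your own server rejects anonymous API requests. The script below is an added example for this page, not code from the report or from the Jupyter project. It assumes the server exposes jupyter_server's `/api/status` endpoint and that, with authentication enforced, an anonymous request is refused (a 403, or a 302 redirect to the login page on older releases), whereas a 200 JSON reply means the API is usable by anyone who can reach the port. Run it only against servers you operate.

```python
"""Check that a Jupyter server you operate enforces authentication.

Added example (not from the report). Assumes the /api/status endpoint of
jupyter_server; `classify` is separated from the network call so the decision
logic can be tested without a running server.
"""
import json
import sys
import urllib.error
import urllib.request

OPEN, PROTECTED, UNKNOWN = "OPEN", "PROTECTED", "UNKNOWN"


def classify(status: int, body: bytes, content_type: str = "") -> str:
    """Interpret the anonymous /api/status response."""
    if status == 200 and content_type.startswith("application/json"):
        try:
            json.loads(body)
        except ValueError:
            return UNKNOWN
        return OPEN  # anonymous API call succeeded: no token or password in force
    if status in (401, 403) or status in (301, 302, 303, 307, 308):
        return PROTECTED  # refused, or bounced to the login page
    return UNKNOWN


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface a login redirect as an HTTPError instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Send one anonymous GET to <base_url>/api/status and classify the reply."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/status")
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(), resp.headers.get("Content-Type", ""))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read(), err.headers.get("Content-Type", ""))


if __name__ == "__main__":
    # Usage: python check_jupyter_auth.py http://127.0.0.1:8888
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8888"
    verdict = probe(target)
    print(f"{target}: {verdict}")
    sys.exit(0 if verdict == PROTECTED else 1)
```

A non-zero exit makes the check easy to wire into a deployment pipeline or a periodic job, so an instance that is later reconfigured without a token or password is noticed before it is found by someone else.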
