Hackers behind a cryptomining campaign have managed to avoid detection since 2019. The attacks exploited misconfigured Docker APIs that allowed them to gain network entry and ultimately set up a backdoor on compromised hosts to mine cryptocurrency, researchers said.
The attack technique is script-based and dubbed “Autom”, because it exploits the file “autom.sh”. Attackers have consistently abused the API misconfiguration during the campaign’s active period; however, the evasion tactics have varied, allowing adversaries to fly under the radar, wrote Aquasec’s research arm Team Nautilus in a report published Wednesday.
Attackers hit honeypots set up by Team Nautilus 84 times since 2019, with 22 attacks in 2019, 58 in 2020, and four in 2021 before researchers began writing up their report in October, researchers said. Attacks on the honeypots decreased significantly this year, while overall targeting of poorly configured Docker APIs did not, according to a Shodan search, researchers noted.
“This decrease in attacks on our honeypots might imply that the attackers identified them and therefore reduced the volume of their attacks in 2021,” they wrote.
Though attackers have used the same entry point and tactics to reach their ultimate goal of cryptomining, what has changed most about the attack over the years is how threat actors have constantly evolved their evasive maneuvers to avoid detection, researchers said.
“We saw the progression of the campaign in the tactics that the adversaries use to avoid detection,” they wrote in the report.
Attackers also have used five different servers to download the shell script that initiates the attack since they started, they said. “It seems that the group behind the attack has developed their skills to expand the attack surface and spread their attack,” researchers wrote.
Attack Breakdown
Team Nautilus first observed the attack in 2019 when a malicious command was executed during the run of a vanilla image alpine:latest, which downloaded the autom.sh shell script, they said in the report. Adversaries commonly use vanilla images along with malicious commands to perform attacks because most organizations trust these images and allow their use, researchers explained.
Attackers consistently have used the same entry point for the attack, which is executed from a remote server that searches for vulnerable hosts to exploit misconfigured Docker APIs, they wrote.
Then they run the vanilla image and the subsequent malicious shell script, which creates a user named akay by two methods: adduser, which adds users by setting up the account’s home folder and other settings, and useradd, a low-level utility command for adding users.
Since the newly created user is not privileged, the threat actors elevate its privileges by using the “sudo” prefix and then turn it into a root user, granting it unlimited privileges to run any command via the sudoers file. That file controls how sudo works on a targeted machine, basically making the threat actor a superuser, researchers wrote.
Attackers then use the domain icanhazip[.]com to get the public IP address of the compromised host and use it to download a file from the remote server. Through this series of steps, attackers install a backdoor that grants them persistence on the compromised host to stealthily mine cryptocurrency, researchers wrote.
Evasive Maneuvers
While attackers have barely changed how they gain entry and achieve persistence on victims’ machines since they started the Autom campaign, they have changed two things: the server from which the shell script autom.sh was downloaded and, more notably, specific evasion tactics, researchers said.
To the latter point, Team Nautilus has observed the campaign evolving from having no “special techniques” for hiding its nefarious business in 2019 to adding more complex concealment tactics over the next two years, researchers said.
In 2020, they disabled a number of security mechanisms to stay hidden, including ufw (Uncomplicated Firewall), which enables users to allow or deny access to a service, and NMI (non-maskable interrupt), which is the highest-priority interrupt that typically occurs to signal attention for non-recoverable hardware errors and is used to monitor system resets.
This year, attackers added a new technique to hide the cryptomining activity by downloading an obfuscated shell script from a remote server, researchers said.
“They encoded the script in base64 five times to prevent security tools from reading it and understanding the intentions behind it,” they wrote. “Decoding the script revealed the mining activity.”
Other concealment capabilities added over the course of the campaign included downloading the log_rotate.bin script, which launches the cryptomining activity by creating a new cron job that will initiate mining every 55 minutes on the compromised host, researchers added.
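As an added example (not code from the Aqua report or this article), the following Python scanner peels nested base64 layers of the kind the 2021 script used and checks the decoded text against the indicators the write-up names: autom.sh, the akay user, ufw being disabled, icanhazip.com, log_rotate.bin and the 55-minute cron job. The `*/55 * * * *` cron form and every sample line are constructed assumptions, since the report does not quote the actual commands.

```python
import base64
import binascii
import re

# Indicator patterns drawn from the campaign details in the write-up above.
# The "*/55" cron form is an assumption; the report only says "every 55 minutes".
INDICATORS = {
    "autom_script": re.compile(r"\bautom\.sh\b"),
    "akay_user": re.compile(r"\b(?:adduser|useradd)\b.*\bakay\b"),
    "ufw_disabled": re.compile(r"\bufw\s+disable\b"),
    "ip_lookup": re.compile(r"icanhazip\.com"),
    "log_rotate_bin": re.compile(r"\blog_rotate\.bin\b"),
    "cron_55_min": re.compile(r"^\*/55(?:\s+\*){4}(?:\s|$)"),
}
B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def peel_base64(blob, max_layers=10):
    """Strip nested base64 layers; return (innermost_text, layers_removed)."""
    current, layers = blob, 0
    while layers < max_layers:
        compact = "".join(current.split())  # tolerate line-wrapped base64
        if not B64_CHARS.match(compact) or len(compact) % 4:
            break  # no longer looks like base64: we have reached the script
        try:
            current = base64.b64decode(compact, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        layers += 1
    return current, layers

def wrap_base64(text, layers):
    """Constructed test input only: encode text `layers` times."""
    for _ in range(layers):
        text = base64.b64encode(text.encode()).decode()
    return text

def scan_line(line):
    """Indicators firing on one captured shell/cron line, after de-obfuscation."""
    text, layers = peel_base64(line)
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if layers >= 2:  # a single layer is common in benign tooling
        hits.append(f"nested_base64_x{layers}")
    return hits

# Constructed sample lines mirroring the behaviour described in the article.
SAMPLE_LINES = ["useradd akay", "ufw disable", "curl -s icanhazip.com",
                "*/55 * * * * /tmp/log_rotate.bin", wrap_base64("sh autom.sh", 5)]
REPORT = {line[:32]: scan_line(line) for line in SAMPLE_LINES}
```

Feeding real shell history, Docker API audit entries or crontab contents through `scan_line` turns the report's indicators into a quick triage check; the nested-layer count alone is a useful signal even when no named indicator fires.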
“The Autom campaign illustrates that attackers are becoming more sophisticated, continually improving their techniques and their ability to avoid detection by security solutions,” they observed.