October 18, 2023 at 08:15AM
A new campaign called Qubitstrike has emerged, targeting exposed Jupyter Notebooks to mine cryptocurrency and breach cloud environments. The threat actor, likely from Tunisia, uses the Telegram API to steal credentials and launch the attack. The primary payload is a shell script that executes a cryptocurrency miner, establishes persistence, and spreads the malware to other hosts. The attacker also uses a Python implant to control infected hosts through Discord. Qubitstrike is a sophisticated malware campaign focused on exploiting cloud services for resource hijacking and potential follow-on attacks.
Key points from the meeting notes on the Qubitstrike cryptocurrency mining campaign:
– A threat actor, possibly from Tunisia, has been linked to the Qubitstrike campaign, which targets exposed Jupyter Notebooks for cryptocurrency mining and breaching cloud environments.
– The campaign utilizes the Telegram API to exfiltrate credentials from cloud service providers after compromising publicly accessible Jupyter instances.
– The primary payload is a shell script called mi.sh, which executes a cryptocurrency miner, establishes persistence, inserts an attacker-controlled key for remote access, and spreads the malware via SSH.
– The malware also installs the Diamorphine rootkit and transmits captured AWS and Google Cloud credentials back to the attacker.
– Legitimate data transfer utilities like curl and wget are renamed to evade detection, and existing network connections to certain IP addresses associated with cryptojacking campaigns are killed.
– Steps are taken to delete Linux log files to avoid detection.
– The threat actor’s origins are unclear, but evidence suggests it could be Tunisia.
– A Python implant called kdfs.py is used for command-and-control (C2) through Discord.
– The connection between mi.sh and kdfs.py is unknown, but it’s suspected that the Python backdoor facilitates the deployment of the shell script.
– Qubitstrike is a sophisticated campaign focused on exploiting cloud services, with the primary objective of resource hijacking for cryptocurrency mining.
– Further analysis of the Discord C2 infrastructure reveals the potential for various other attacks once the vulnerable hosts are accessed.
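The behaviours listed above (exposed Jupyter, renamed curl/wget, an attacker-added SSH key, emptied logs, a Diamorphine module, and traffic to the Telegram and Discord services used for exfiltration and C2) can be turned into a simple host triage check. The following is an added example written for these notes, not code from the report or from any vendor; the snapshot format, the default Jupyter port (8888), the log paths, and the sample host data are all constructed assumptions.

```python
# Added example: triage a constructed host snapshot for Qubitstrike-like indicators.
# The snapshot layout, allowlist and sample values are assumptions made for this example.
from typing import Dict, List, Set

EXPECTED_TOOLS = {"/usr/bin/curl", "/usr/bin/wget"}        # notes: renamed to evade detection
EXFIL_C2_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}  # Telegram exfil, Discord C2
LOGS_TO_CHECK = ["/var/log/auth.log", "/var/log/wtmp", "/var/log/btmp", "/var/log/lastlog"]
JUPYTER_PORT = 8888  # assumption: default notebook port

def assess(snap: Dict, known_keys: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    # 1. Jupyter reachable on all interfaces (the exposure Qubitstrike targets)
    for addr, port in snap.get("listeners", []):
        if port == JUPYTER_PORT and addr in ("0.0.0.0", "::"):
            findings.append(f"jupyter listening on {addr}:{port} (exposed)")
    # 2. curl/wget gone from their usual paths: mi.sh renames them per the notes
    for path in sorted(EXPECTED_TOOLS - set(snap.get("binaries", []))):
        findings.append(f"{path} missing; check for renamed copies")
    # 3. authorized_keys entries that the administrator did not provision
    for line in snap.get("authorized_keys", []):
        if line.strip() and line.strip() not in known_keys:
            findings.append(f"unknown SSH key: {line.split()[-1]}")
    # 4. Log files truncated or removed (anti-forensics step in the notes)
    sizes = snap.get("log_sizes", {})
    for path in LOGS_TO_CHECK:
        if sizes.get(path, 0) == 0:
            findings.append(f"{path} empty or missing")
    # 5. Diamorphine visible in the module list (rootkits hide; absence proves nothing)
    if any("diamorphine" in m.lower() for m in snap.get("modules", [])):
        findings.append("diamorphine module loaded")
    # 6. Outbound connections to the exfiltration/C2 services named in the notes
    for host in snap.get("outbound", []):
        if host in EXFIL_C2_HOSTS:
            findings.append(f"outbound connection to {host}")
    return findings

# Constructed snapshot of a compromised host; none of these values are real indicators.
SAMPLE = {
    "listeners": [("0.0.0.0", 8888), ("127.0.0.1", 22)],
    "binaries": ["/usr/bin/python3", "/usr/bin/ssh"],          # curl and wget are gone
    "authorized_keys": ["ssh-ed25519 AAAA...admin admin@corp", "ssh-rsa AAAA...x unknown@host"],
    "log_sizes": {"/var/log/auth.log": 0, "/var/log/wtmp": 12288,
                  "/var/log/btmp": 4096, "/var/log/lastlog": 292292},
    "modules": ["ext4", "diamorphine"],
    "outbound": ["api.telegram.org", "pypi.org"],
}
KNOWN_KEYS = {"ssh-ed25519 AAAA...admin admin@corp"}

if __name__ == "__main__":
    for finding in assess(SAMPLE, KNOWN_KEYS):
        print("[!]", finding)
```

A clean host produces no findings; several findings together (missing tools plus emptied auth.log plus an unknown key) are a stronger signal than any single one.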
Please note that the information provided is based on the meeting notes and may require further investigation or verification.