Tehtris, a cybersecurity company, recently conducted an investigation into a cryptojacking campaign that has been targeting Linux machines. The campaign, dubbed Color1337, involves the use of a bot called uhQCCSpB that installs and launches a Monero miner on the infected machine.
After killing all other miners on the device, the attacker uses two different strategies to maximize access to the compromised Linux machine.
For machines with more than four cores, the diicot cryptominer is launched, while machines with four or fewer cores execute the “SlowAndSteady” option.
The payload bash script contains Romanian-language text, indicating the region of origin of the actor who wrote it. The attacker refers to himself as “ElPatrono1337”, and 1337 is a recurring value in the attack: it is the port on which the actor retrieves data from the compromised machines, as well as the color value chosen as a parameter for the Discord webhooks.
The attacker uses Discord’s webhooks feature to store exfiltrated data.
Tehtris has observed that the compromised machine sends POST requests to the Discord server owned by the attacker, containing default credentials of other devices.
By using infected machines to collect this type of information, the attacker spreads the reconnaissance phase across many other machines and IP addresses, making it harder to trace the activity back to the original source of the attack.
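One way a defender can hunt for this exfiltration channel is to scan outbound HTTP logs for POST requests to Discord webhook URLs and inspect the JSON body for the embed color 1337 and credential-like content. This is an added example, not Tehtris's tooling; the tab-separated log format, sample lines and the `scan_log` helper are constructed assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Discord webhook endpoints look like /api/webhooks/<id>/<token>, optionally versioned (/api/v9/...).
WEBHOOK_PATH_RE = re.compile(r"^/api(?:/v\d+)?/webhooks/\d+/[A-Za-z0-9_-]+$")
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
CRED_RE = re.compile(r"(password|passwd|root:|admin:)")


def is_discord_webhook_post(method, url):
    """True when the request is a POST to a Discord webhook URL (the exfil channel)."""
    if method.upper() != "POST":
        return False
    parsed = urlparse(url)
    return parsed.hostname in DISCORD_HOSTS and bool(WEBHOOK_PATH_RE.match(parsed.path))


def webhook_indicators(body):
    """Reasons a webhook body resembles the Color1337 exfil: embed color 1337, credential-like text."""
    reasons = []
    try:
        data = json.loads(body)
    except ValueError:
        return reasons  # not JSON; still worth a look because of the URL alone
    for embed in data.get("embeds", []):
        if embed.get("color") == 1337:
            reasons.append("embed color 1337")
    if CRED_RE.search(json.dumps(data).lower()):
        reasons.append("credential-like content")
    return reasons


def scan_log(lines):
    """Parse constructed tab-separated proxy lines (ts, src, method, url, body) and return hits."""
    hits = []
    for line in lines:
        ts, src, method, url, body = line.rstrip("\n").split("\t", 4)
        if is_discord_webhook_post(method, url):
            hits.append({"ts": ts, "src": src, "url": url, "reasons": webhook_indicators(body)})
    return hits


# Constructed sample log: one exfil POST, one benign Discord API call, one unrelated POST, one bare webhook POST.
SAMPLE_LOG = [
    '2023-03-01T10:00:00Z\t10.0.0.5\tPOST\thttps://discord.com/api/webhooks/1234/abcDEF_-\t'
    '{"embeds": [{"title": "creds", "description": "192.0.2.10 root:root", "color": 1337}]}',
    '2023-03-01T10:00:01Z\t10.0.0.7\tGET\thttps://discord.com/api/v9/users/@me\t',
    '2023-03-01T10:00:02Z\t10.0.0.5\tPOST\thttps://example.com/api/report\t{"ok": true}',
    '2023-03-01T10:00:03Z\t10.0.0.9\tPOST\thttps://discordapp.com/api/webhooks/99/tok\t{"content": "hi"}',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["url"], ", ".join(hit["reasons"]) or "webhook POST only")
```

A server that should never talk to Discord producing even a reason-less webhook POST is worth an alert; the body indicators just raise the priority.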
What are your thoughts on the use of popular messaging apps like Discord and Telegram by attackers to store exfiltrated data? Do you think companies should monitor connections to these apps to better protect themselves against such attacks? Leave a reply and let us know.