Crypto-Mining Hacking Groups Wage War in the Cloud

Two hacking groups connected to large-scale malicious crypto-mining campaigns have been targeting each other’s cryptominers as part of an ongoing battle to get control of vulnerable cloud-based infrastructure.


The first of the two crypto-mining (also known as cryptojacking) attackers is Pacha Group, a threat group of Chinese origin that Intezer Labs profiled while it was pushing a cryptocurrency mining malware named Linux.GreedyAntd, first detected in September 2018.

At the time, Intezer Labs’ researchers discovered that the group’s Linux.GreedyAntd malware is designed to hunt down other cryptojacking malware already present on the systems it manages to infect, a technique previously used by similar malware strains [1, 2, 3].

To drop their cryptomining malware, Pacha Group “launch a brute-force attack against services like WordPress or PhpMyAdmin, or used a known exploit for an outdated version of alike services,” said Intezer Labs.

Cryptojacking malware under siege

Linux.GreedyAntd, a modular malware that uses systemd to gain persistence (unlike other strains, which rely on cron jobs) so that it is harder to detect and remove, is also used to attack and remove the cryptominers dropped by other cybercrime groups, Rocke being the most prominent of them given the extent of its operations.


As Intezer Labs’ technical analysis puts it: “The main malware infrastructure appears to be identical to previous Pacha Group campaigns, although there is a distinguishable effort to detect and mitigate Rocke Group’s implants.”

The malware used by the Rocke group to surreptitiously mine for cryptocurrency in campaigns going back as far as April 2018 also comes with a “kill list” that helps it find and shut down any previously running cryptojacking malware.

Pacha Group, for its part, has also added a list of hardcoded IP addresses to Linux.GreedyAntd’s blacklist, which blocks Rocke’s cryptominers by routing their traffic back to the compromised machines themselves.

Both groups’ malware strains come with shared capabilities like the ability to search for and to disable cloud security and monitoring products from vendors such as Tencent Cloud and Alibaba Cloud, support for the Libprocesshider lightweight user-mode rootkit, as well as an exploit used to abuse an Atlassian vulnerability [1, 2, 3, 4].
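The three host-level behaviours described above (systemd persistence instead of cron, hostnames pinned back to the local machine so a rival's traffic goes nowhere, and an LD_PRELOAD rootkit such as libprocesshider) all leave artefacts a defender can read off a disk image. The triage helper below is an added example written for this article, not code from Intezer Labs, Pacha Group or Rocke; it works on file contents passed in as strings, and every sample (`hosts`, `ld.so.preload`, the unit file, the `.invalid` hostnames) is constructed for the demonstration. The temp-directory heuristic for `ExecStart=` is an assumption of this example, not a detail from the report.

```python
"""Hypothetical host-triage helper (added example; not from the Intezer report).

Checks three artefacts that match the behaviours described in the article:
  1. /etc/hosts entries that pin a hostname to a loopback/null address
     (the "route their traffic back to the compromised machine" trick),
  2. /etc/ld.so.preload entries (how LD_PRELOAD rootkits such as
     libprocesshider get loaded into every new process),
  3. systemd unit files whose ExecStart= runs a binary from a temp directory
     (a heuristic assumed here for the example, not taken from the report).
"""
import re
from typing import Dict, List

SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback in a stock /etc/hosts.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
SUSPECT_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def sinkholed_hosts(hosts_text: str) -> List[str]:
    """Return hostnames pinned to a loopback/null address, minus the usual localhost aliases."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if addr in SINKHOLE_ADDRS:
            found.extend(n for n in names if n not in LOOPBACK_NAMES)
    return found


def preload_libraries(preload_text: str) -> List[str]:
    """/etc/ld.so.preload is normally empty; any library listed there deserves a look."""
    return [l.strip() for l in preload_text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def suspicious_unit_execs(unit_text: str) -> List[str]:
    """Flag ExecStart= lines whose command lives in a world-writable temp directory."""
    hits = []
    for m in re.finditer(r"^ExecStart=(.+)$", unit_text, re.MULTILINE):
        cmd = m.group(1).strip().lstrip("-@+!:")  # strip systemd ExecStart prefixes
        if cmd.startswith(SUSPECT_EXEC_DIRS):
            hits.append(cmd)
    return hits


def triage(hosts_text: str, preload_text: str, units: Dict[str, str]) -> Dict[str, list]:
    """Run all three checks; keys with empty lists mean nothing was flagged."""
    return {
        "sinkholed_hosts": sinkholed_hosts(hosts_text),
        "preload_libraries": preload_libraries(preload_text),
        "suspicious_units": [
            f"{name}: {cmd}" for name, text in units.items()
            for cmd in suspicious_unit_execs(text)
        ],
    }


# --- constructed sample inputs (not real indicators) ---
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         ip6-localhost ip6-loopback
0.0.0.0     update.example-monitoring.invalid   # agent update host nulled out
127.0.0.1   pool.example-miner.invalid          # rival mining pool sinkholed
"""
SAMPLE_PRELOAD = "/usr/local/lib/libprocesshider.so\n"
SAMPLE_UNITS = {
    "sample-updater.service": """\
[Unit]
Description=constructed sample unit
[Service]
ExecStart=-/tmp/.x/updater --daemon
Restart=always
[Install]
WantedBy=multi-user.target
""",
    "sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
}

if __name__ == "__main__":
    for key, val in triage(SAMPLE_HOSTS, SAMPLE_PRELOAD, SAMPLE_UNITS).items():
        print(f"{key}: {val}")
```

On a live host the same functions can be fed the contents of `/etc/hosts`, `/etc/ld.so.preload` and the units under `/etc/systemd/system/`; a non-empty `preload_libraries` result is the strongest single signal, since a clean system keeps that file empty.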

Cloud infrastructure increasingly targeted

With both groups actively targeting cloud infrastructure to run their cryptojacking campaigns on rented computing power, a clash was bound to happen in their struggle to be the ones abusing vulnerable systems for profit.

“We believe that these findings are relevant within the context of raising awareness about cloud-native threats, particularly on vulnerable Linux servers,” says Intezer Labs’ report. “While threat actor groups are competing with one another, this evidence may suggest that threats to cloud infrastructure are increasing.”

The report highlights Pacha Group’s efforts to target its main competitor, the Rocke group, in the race to compromise and get control of the largest possible share of the cloud.

As previously reported by BleepingComputer, various crypto-mining groups have been switching their targets to Docker and Kubernetes systems as part of a larger push to abuse cloud computing resources, a push going back as far as March 2018 [1, 2, 3, 4, 5].

A list of Indicators of Compromise (IOCs) is provided by Intezer Labs at the end of their full technical analysis.
