Asian cloud service providers have been targeted by a sophisticated malware campaign designed to steal computing power for mining cryptocurrency.
The attack techniques deployed by the CoinStomp malware include timestomping (modification of a file’s timestamp), removal of system cryptographic policies, and use of a reverse shell to initiate command and control communications with the malicious software.
"Timestomping has been used by the Rocke group in prior cryptojacking attacks," Matt Muir, a researcher for Cado Security, wrote at the company's website. "However, it’s not a technique commonly seen in the wild. Generally, this technique is employed as an anti-forensics measure to confuse investigators and foil remediation efforts."
Critical files are frequently changed by an attacker, explains Gal Lapid, a security researcher and developer at Cybellum.
"Many times, these files are inside folders with many files which were made at the same time, and once you have one file 'out of place' because it was recently altered, this can raise some red flags," he says. "So, attackers copy the timestamp of the other files inside the folder, and thus dodge detection."
Malware removes cryptographic policy files
Mike Parkin, an engineer with Vulcan Cyber, noted that several APT groups include timestamp manipulation in their toolkit. "While it may not rise to the level of common, it’s not an obscure technique," he says.
The malware also issues commands to remove cryptographic policy files on a system and even kill the cryptographic process. "Clearly, enforcement of cryptographic policies has a tangible effect on the deployment of malware," Muir wrote. "Additional payloads may be prevented from being downloaded and malicious applications could be prevented from running if they make use of insecure protocols—as, in the case of malware, they often do."
CoinStomp group sophisticated and knowledgeable of cloud
To issue commands and control the malware, a reverse shell is created using the /dev/tcp file on Linux systems. "Most Linux distributions support read/write operations to a remote host via the /dev/tcp device file," Muir explained. "Naturally, this is perfect for malware developers as it’s an easy and natively-supported method of creating a reverse shell or C2 communication channel."
"Since /dev/tcp is native to Linux and designed to communicate with other computers, an attacker can take advantage of this file and use it to look like common, expected network traffic, such as HTTP," adds Nasser Fattah, North America steering committee chair of Shared Assessments, a consortium of companies that provide tools and certifications for third-party risk management.
Muir maintained that CoinStomp demonstrates the sophistication and knowledge of attackers in the cloud security space. "Employing anti-forensics techniques and weakening the target machine by removing cryptographic policies demonstrates not only a knowledge of Linux security measures, but also an understanding of the incident response process," he wrote.
“Keenly aware” of how detections are made on Linux
Using /dev/tcp to create a reverse shell for communication is also an advanced technique, Muir added. "C2 communication can often be noisy and easy to spot for monitoring tools but the use of port 443 helps make this traffic appear legitimate," he noted.
Ian McShane, field CTO at Arctic Wolf, found CoinStomp interesting because it’s a living-off-of-the-land attack that is unusual. "The use of the reverse shell and the ability to avoid common security controls tells me that they are keenly aware of the way that detections are made on Linux, and that they are able to target infrastructure that is not necessarily open to communication in from the internet," he says.
"CoinStomp’s operators are forward-thinking," adds Davis McCarthy, a principal security researcher at Valtix. "They are using techniques to stay ahead of the security controls they might encounter during their campaign."