A threat actor, presumably from Tunisia, has been linked to a new campaign targeting exposed Jupyter Notebooks in a two-fold attempt to illicitly mine cryptocurrency and breach cloud environments.
Dubbed Qubitstrike by Cado, the intrusion set utilizes Telegram API to exfiltrate cloud service provider credentials following a successful compromise.
“The payloads for the Qubitstrike campaign are all hosted on codeberg.org – an alternative Git hosting platform, providing much of the same functionality as GitHub,” security researchers Matt Muir and Nate Bill said in a Wednesday write-up.
In the attack chain documented by the cloud security firm, publicly accessible Jupyter instances are breached to execute commands to retrieve a shell script (mi.sh) hosted on Codeberg.
The shell script, which acts as the primary payload, is responsible for executing a cryptocurrency miner, establishing persistence by means of a cron job, inserting an attacker-controlled key to the .ssh/authorized_keys file for remote access, and propagating the malware to other hosts via SSH.
The malware is also capable of retrieving and installing the Diamorphine rootkit to conceal malicious processes as well as transmitting the captured Amazon Web Services (AWS) and Google Cloud credentials back to the attacker through the Telegram bot API.
One noteworthy aspect of the attacks is the renaming of legitimate data transfer utilities such as curl and wget in a likely attempt to evade detection and prevent other users in the system from using the tools.
“mi.sh will also iterate through a hardcoded list of process names and attempt to kill the associated processes,” the researchers said. “This is likely to thwart any mining operations by competitors who may have previously compromised the system.”
The shell script is further designed to leverage the netstat command and a hard-coded list of IP/port pairs, previously associated with cryptojacking campaigns, to kill any existing network connections to those IP addresses.
Also taken are steps to delete various Linux log files (e.g., /var/log/secure and /var/log/wtmp), in what’s another sign that Qubitstrike actors are looking to fly under the radar.
The exact origins of the threat actor remain unclear, although evidence points to it likely being Tunisia owing to the IP address used to login to the cloud honeypot using the stolen credentials.
A closer examination of the Codeberg repository has also revealed a Python implant (kdfs.py) that’s engineered to be executed on infected hosts, with Discord acting as a command-and-control (C2) mechanism to upload and download from and to the machine.
The connection between mi.sh and kdfs.py remains unknown as yet, although it’s suspected that the Python backdoor facilitates the deployment of the shell script. It also appears that mi.sh can be delivered as a standalone malware without relying on kdfs.py.
“Qubitstrike is a relatively sophisticated malware campaign, spearheaded by attackers with a particular focus on exploitation of cloud services,” the researchers said.
“Of course, the primary objective of Qubitstrike appears to be resource hijacking for the purpose of mining the XMRig cryptocurrency. Despite this, analysis of the Discord C2 infrastructure shows that, in reality, any conceivable attack could be carried out by the operators after gaining access to these vulnerable hosts.”