CoinStomp cryptominer poses threats to Asian cloud service providers

February 24, 2022

A new malware strain called CoinStomp has been observed targeting several Asian cloud services to mine cryptocurrency.

Researchers documented several of CoinStomp's tactics, techniques, and procedures (TTPs), reporting that the malware can disable system-wide cryptographic policies, initiate command-and-control (C2) communication through a /dev/tcp reverse shell, and perform timestomping (altering file timestamps).

CoinStomp's timestomping routine alters file timestamps on the compromised Linux host using the touch command. For its command-and-control or reverse-shell channel it relies on a mechanism native to the system (the /dev/tcp device path exposed by the shell) rather than on a separately installed networking tool.
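Timestomping with touch leaves a trace a responder can look for, because touch rewrites atime and mtime but the kernel stamps ctime with the real clock at the moment of the call. The following triage script is an added example written for this article, not code from the page or from the CoinStomp researchers; the function names and the two demo files it constructs are made up for illustration.

```python
import os
import stat
import tempfile
import time

def timestomp_candidates(root, min_gap_seconds=3600):
    """Files under root whose mtime trails ctime by more than min_gap_seconds.

    touch(1) rewrites atime/mtime via utimensat(2), but the kernel stamps ctime
    with the real clock on that same call, so a backdated mtime leaves ctime far
    ahead of it. chmod/chown/mv and package installs do this too, so treat hits
    as triage candidates for a responder, not as verdicts. Linux semantics only:
    on Windows st_ctime means creation time.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if not stat.S_ISREG(st.st_mode):
                continue
            gap = st.st_ctime - st.st_mtime
            if gap > min_gap_seconds:
                hits.append((path, gap))
    return sorted(hits, key=lambda h: -h[1])

def make_demo_tree():
    """Constructed sample data: one untouched script and one backdated the way
    `touch -d <old date>` would do it. Names and contents are made up."""
    root = tempfile.mkdtemp(prefix="timestomp_demo_")
    honest = os.path.join(root, "honest.sh")
    backdated = os.path.join(root, "backdated.sh")
    for path in (honest, backdated):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho demo\n")
    # Emulate touch's effect: atime/mtime set three years back; ctime is not
    # settable from userspace and so is left at the real current time.
    old = time.time() - 3 * 365 * 24 * 3600
    os.utime(backdated, (old, old))
    return root, honest, backdated

if __name__ == "__main__":
    root, _honest, _backdated = make_demo_tree()
    for path, gap in timestomp_candidates(root):
        print(f"{path}: mtime is {gap / 86400:.0f} days older than ctime")
```

Run it against a directory such as /etc or a suspect service's install path to surface files worth a closer look; expect package-manager artifacts among the hits and filter them by hand.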

Researchers also found references in the code to the cryptojacking group known as Xanthe, but there is not enough evidence to confirm a link.

According to the researchers, CoinStomp's operators attempted to tamper with the Linux server's cryptographic policies to hinder forensic detection and tracing of their cryptominer.

Security providers rely on the Linux server's cryptographic policies to obstruct malicious executables. To get around this, the threat actors used the kill command to disable the cryptographic policy before starting their malicious activity.

Even an administrator's attempt to undo the threat actors' changes does not stop the malware from establishing itself on the system.

Next, CoinStomp establishes a connection to its command-and-control server through the reverse shell. The script then downloads and runs additional payloads as system-wide services with root privileges.

The researchers said the payloads deployed by the attackers might include binaries for a custom build of XMRig as well as new backdoors.

That the threat actors found a way to remove cryptographic policies, and so prevent Linux security controls from activating, implies they are well aware of the incident-response capabilities of default security solutions.

This foresight also suggests they have the knowledge and sophistication to counter many forms of security, including cloud security controls, which makes them a considerable threat to security providers.
