Color1337 is the latest example of the cryptojacking trend

24/04/2023

Cryptojacking, the unauthorized use of compromised machines to mine cryptocurrency, is not a new phenomenon, but it is a tactic that is clearly gaining popularity. According to research by Top10VPN, cryptojacking incidents rose to an average of 15.02 million per month in 2022, up from 8.09 million per month in 2021, an 86% increase in one year.

The group of cybercriminals discovered by TEHTRIS in mid-January employs two different strategies to get the most out of a compromised Linux system. If the machine has sufficient capacity (more than four cores), the diicot cryptominer is installed and the CPU is used for mining. If the machine does not have the capacity required for mining, the attacker instead downloads an executable file named Update, and the system is used to gather information about other potential targets.

Discord

The attacker uses a Discord server to retrieve data from compromised machines. This is in line with a growing trend among attackers of routing their operations through popular messaging apps.

By using infected devices to collect this kind of information, the attacker can spread the reconnaissance phase across multiple machines and IP addresses, making it difficult to trace the original source of the attack.

Ties to Romania

The group of attackers refers to itself as ThePatron1337, and 1337 is a recurring element of the attack. For this reason TEHTRIS named the campaign Color1337, treating 1337 as the cybercriminals' signature: it is the number of the port the group uses to collect data from the compromised machines, as well as the color code used for the messages on Discord.
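The triage rule described earlier (more than four cores gets the miner, smaller hosts get the Update binary) and the collection channel described here (port 1337 and Discord) can be turned into a simple hunting check. The following script is an added example, not code from the article or from TEHTRIS; the telemetry records, field names and the Discord domain pattern are assumptions constructed for illustration.

```python
import re

# Assumed pattern for Discord egress; the article only says a Discord server is used.
DISCORD_RE = re.compile(r"(^|\.)discord(app)?\.com$")

# Constructed telemetry (not real data): one record per process/connection observation.
SAMPLE_EVENTS = [
    {"host": "web-01", "cores": 8, "proc": "/tmp/.x/diicot", "dst": "pool.example.net", "port": 3333},
    {"host": "db-02", "cores": 2, "proc": "/tmp/Update", "dst": "10.0.0.9", "port": 22},
    {"host": "db-02", "cores": 2, "proc": "/tmp/Update", "dst": "203.0.113.5", "port": 1337},
    {"host": "app-03", "cores": 4, "proc": "/usr/bin/curl", "dst": "discord.com", "port": 443},
    {"host": "ops-04", "cores": 16, "proc": "/usr/sbin/sshd", "dst": "10.0.0.2", "port": 22},
]

def expected_branch(cores):
    """The article's triage rule: more than four cores -> miner, otherwise scanner."""
    return "miner" if cores > 4 else "scanner"

def classify(ev):
    """Return the Color1337 indicators matched by one record (empty list if none)."""
    hits = []
    name = ev["proc"].rsplit("/", 1)[-1]
    if name == "diicot":            # miner process named in the article
        hits.append("diicot-miner")
    if name == "Update":            # scanner binary named in the article
        hits.append("update-binary")
    if ev["port"] == 1337:          # collection port used by the group
        hits.append("port-1337-egress")
    if DISCORD_RE.search(ev["dst"]):  # Discord used to retrieve collected data
        hits.append("discord-egress")
    return hits

def hunt(events):
    """Aggregate indicators per host, annotated with the role the attacker would assign."""
    report = {}
    for ev in events:
        hits = classify(ev)
        if not hits:
            continue
        entry = report.setdefault(ev["host"], {"role": expected_branch(ev["cores"]), "hits": set()})
        entry["hits"].update(hits)
    return report

if __name__ == "__main__":
    for host, info in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: likely {info['role']} -> {sorted(info['hits'])}")
```

On real telemetry the Discord match should be scoped to non-browser processes, since legitimate Discord traffic on workstations is common.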

Furthermore, the bash scripts analyzed contain commands in Romanian, pointing to the origin of the actor who wrote them. It is also notable that DIICOT (the name of the miner, first discovered in October 2022) is, ironically, the abbreviation of the Romanian agency that investigates organized crime, cybercrime, financial crime and terrorism.

In addition to these coincidences linking the attack to Romania, TEHTRIS experts have discovered similarities with the Romanian group behind a cryptojacking campaign detected by Bitdefender in 2021. Since the "Update" script refers to a file of the same name, and given the previously identified link to Romania, it may be that the same group is behind this attack and has updated its tools.

© Dutch Tech On Heels - 2024