In an effort to gain greater control of vulnerable cloud-based infrastructure, two hacking groups behind large-scale cryptomining campaigns have begun to target each other's cryptominers.
The Pacha Group, first detected in September of 2018, is a threat group of Chinese origins which was profiled by Intezer Labs while trying to spread its cryptocurrency mining malware Linux.GreedyAntd.
The firm's researchers discovered the group's malware was designed to search for other cryptojacking malware present on the systems it infects though this technique has been used by similar malware strains in the past.
- How to protect yourself from cryptomining
- Mirai botnet returns to target IoT devices
- Your Android device could be affected by a crypto-mining botnet
The Linux.GreedyAnd modular malware used Systemd to gain persistence to make it harder to detect and remove. The malware is also used to attack and remove the cryptominers of other cybercrime groups but the Rocke Group is its main target.
Intezer Labs' Ignacio Sanmillan explained how Linux.GreedyAndt differs from previous malware released by the Pacha Group in a blog post, saying:
"The main malware infrastructure appears to be identical to previous Pacha Group campaigns, although there is a distinguishable effort to detect and mitigate Rocke Group’s implants."
Pacha v Rocke
Rocke Group's crypomining malware also contains a “kill list” of its own which helps it find and shutdown any previously running cryptojacking malware.
Pacha Group has responded by adding a list of hardcoded IP addresses to Linux.GreedyAntd's blacklist that will block the competing criminal group's cryptominers by routing their traffic back to the compromised machines.
The malware strains of both groups come with shared capabilities such as the ability to search for and disable cloud security and monitoring products from Tencent Cloud and Alibaba Cloud, support for the Libprocesshider lightweight user-mode kit and an exploit used to abuse an Atlassian vulnerability.
Cloud infrastructure could face further threats according to Sanmillan, who explained:
"We believe that these findings are relevant within the context of raising awareness about cloud-native threats, particularly on vulnerable Linux servers. While threat actor groups are competing with one another, this evidence may suggest that threats to cloud infrastructure are increasing."
- We've also highlighted the best Linux distros