Cryptomining gangs go to war over unsecured Linux systems


In an effort to gain greater control of vulnerable cloud-based infrastructure, two hacking groups behind large-scale cryptomining campaigns have begun to target each other's cryptominers.

The Pacha Group, first detected in September 2018, is a threat group of Chinese origin that Intezer Labs profiled while it was spreading its cryptocurrency mining malware, Linux.GreedyAntd.

The firm's researchers found that the group's malware is designed to search for other cryptojacking malware already present on the systems it infects, a technique that similar malware strains have used in the past.

The modular Linux.GreedyAntd malware uses Systemd for persistence, which makes it harder to detect and remove. It also attacks and removes the cryptominers of rival cybercrime groups, with the Rocke Group as its main target.

Intezer Labs' Ignacio Sanmillan explained in a blog post how Linux.GreedyAntd differs from previous malware released by the Pacha Group, saying:

"The main malware infrastructure appears to be identical to previous Pacha Group campaigns, although there is a distinguishable effort to detect and mitigate Rocke Group’s implants."

Pacha v Rocke

Rocke Group's cryptomining malware also contains a "kill list" of its own, which helps it find and shut down any previously running cryptojacking malware.

Pacha Group has responded by adding a list of hardcoded IP addresses to Linux.GreedyAntd's blacklist, which blocks the competing group's cryptominers by routing their traffic back to the compromised machines.

The malware strains of both groups share several capabilities: searching for and disabling cloud security and monitoring products from Tencent Cloud and Alibaba Cloud, support for the lightweight user-mode rootkit Libprocesshider, and an exploit for an Atlassian vulnerability.
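As an added defender-side example (not code from the article or from Intezer's report), the script below triages two of the behaviours described above on constructed sample data: rival-miner traffic pinned back to the local host, and Systemd units whose ExecStart lives outside the usual system paths. It assumes the traffic redirect is done through hosts-file entries, which the article does not specify, and all hostnames, unit names and paths are placeholders.

```python
"""Triage helpers for two behaviours the article describes: sinkholing a rival
miner's traffic on the infected host, and Systemd-based persistence.
All sample data is constructed; the hosts-file mechanism is an assumption."""
import re

LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|0\.0\.0\.0|::1)$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def suspicious_hosts_entries(hosts_text):
    """Return (ip, name) pairs that pin a non-local hostname to a loopback or null
    address. Assumption: a 'blacklist' redirect is implemented with such entries."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if LOOPBACK.match(ip) and name not in LOCAL_NAMES:
                hits.append((ip, name))
    return hits


def suspicious_units(units):
    """units: {unit_name: unit_file_text}. Flag units whose ExecStart binary is
    outside the usual system directories (a heuristic, not a definitive verdict)."""
    trusted = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/", "/lib/")
    flagged = []
    for name, text in units.items():
        m = re.search(r"^ExecStart=-?(\S+)", text, re.M)
        if m and not m.group(1).startswith(trusted):
            flagged.append(name)
    return flagged


# Constructed sample hosts file: two placeholder rival-miner names sinkholed.
SAMPLE_HOSTS = """127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
# entries below are constructed to look like a competitor sinkhole list
127.0.0.1   pool.rival-miner.invalid
0.0.0.0     update.rival-miner.invalid
10.0.0.5    fileserver.corp.invalid
"""

# Constructed sample unit files: one legitimate, one persisting from /tmp.
SAMPLE_UNITS = {
    "sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "placeholder-miner.service": "[Service]\nExecStart=/tmp/.cache/update\nRestart=always\n",
}

if __name__ == "__main__":
    print("sinkholed names:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("suspicious units:", suspicious_units(SAMPLE_UNITS))
```

On a real host the same functions can be fed the contents of /etc/hosts and the unit files under /etc/systemd/system; hits are leads for manual review, not proof of infection.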

Cloud infrastructure could face further threats, according to Sanmillan, who explained:

"We believe that these findings are relevant within the context of raising awareness about cloud-native threats, particularly on vulnerable Linux servers. While threat actor groups are competing with one another, this evidence may suggest that threats to cloud infrastructure are increasing." 

Via Bleeping Computer

Anthony Spadafora
