Hackers Use Discord for C&C to Exploit Jupyter Notebooks & SSH


Jupyter Notebooks exposed to the internet are being targeted by a new cryptojacking campaign called Qubitstrike, which Cado Security Labs discovered. 

The campaign uses Discord’s bot functionality to create a sophisticated command and control (C2) infrastructure, allowing attackers to manage and monitor the infected nodes and their mining activity.

Codeberg as a Hosting Platform

One of the notable aspects of Qubitstrike is that it uses Codeberg, an emerging alternative to GitHub, to host its malicious code. 

This is the first time Cado has observed Codeberg used in an active malware campaign, and the platform's relative obscurity compared with GitHub may make it an attractive option for other malware developers. 




Cado Security Labs continues to monitor the campaign for any emerging trends. The malware was first detected on Cado’s high-interaction Jupyter honeypot. 

A Tunisian IP address connected to the honeypot instance and manually executed several commands to compromise the system. 

This indicates that the operator was targeting exposed Jupyter instances by hand, possibly after locating the honeypot with a search engine such as Shodan.

The Heart of Qubitstrike:

The main component of Qubitstrike is a shell script called mi.sh, which performs multiple critical functions:

  • Downloading and running the XMRig miner for cryptocurrency mining.
  • Setting up cron-based persistence and adding an attacker-controlled SSH key.
  • Installing the Diamorphine rootkit.
  • Stealing credentials from the host.
  • Spreading the malware via SSH to related hosts.

Preparation and Evasion:

mi.sh begins by preparing the system, which includes renaming the curl and wget binaries. The renamed copies still work for the malware's own downloads, but monitoring that keys on those well-known utility names will not see them, so the tactic avoids both security alerts and interference with the malware's operation.

A distinctive feature of Qubitstrike is that it searches the host for credential files, in particular those belonging to AWS and Google Cloud. Any files found are exfiltrated via the Telegram Bot API, showing the attackers' interest in Cloud Service Provider credentials.
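A defender's view of the same credential hunt, as an added example (Python, not Cado's code or the malware's): it audits a home directory for the default AWS CLI and gcloud credential files and reports which ones are readable beyond their owner. The path list and the environment-variable overrides are assumptions based on the SDKs' documented defaults; the article only names AWS and Google Cloud. The fixture it runs against is constructed and holds placeholder data.

```python
"""Audit a home directory for the cloud credential files a Qubitstrike-style
harvester would look for.  Added example: not Cado's code and not the malware.
The path list is an assumption based on the default locations used by the AWS
CLI and the gcloud SDK; the article only says "AWS and Google Cloud"."""
import os
import stat
import tempfile
from pathlib import Path

# Assumed default credential locations, relative to the user's home directory.
CANDIDATE_PATHS = [
    ".aws/credentials",
    ".aws/config",
    ".config/gcloud/credentials.db",
    ".config/gcloud/application_default_credentials.json",
    ".config/gcloud/legacy_credentials",          # a directory, one file per account
]
# Environment variables that redirect the SDKs to a non-default file.
CANDIDATE_ENV_VARS = ["AWS_SHARED_CREDENTIALS_FILE", "GOOGLE_APPLICATION_CREDENTIALS"]


def _files_under(path):
    """Yield regular files at or below `path`; symlinks are reported but not followed."""
    if path.is_symlink() or path.is_file():
        yield path
    elif path.is_dir():
        yield from (p for p in path.rglob("*") if p.is_file())


def audit_home(home, env=None):
    """Return one finding per credential file present, with its permission bits.
    A group- or world-readable file is exactly what a harvester running as a
    different local user wants, so that condition is flagged explicitly."""
    env = os.environ if env is None else env
    candidates = [Path(home) / rel for rel in CANDIDATE_PATHS]
    candidates += [Path(env[v]) for v in CANDIDATE_ENV_VARS if env.get(v)]
    findings = []
    for cand in candidates:
        if not cand.exists() and not cand.is_symlink():
            continue
        for f in _files_under(cand):
            mode = stat.S_IMODE(f.lstat().st_mode)    # lstat: do not follow symlinks
            findings.append({
                "path": str(f),
                "mode": "%04o" % mode,
                "group_or_world_readable": bool(mode & 0o044),
            })
    return findings


def build_fixture():
    """Constructed sample home directory with placeholder (not real) credential files."""
    home = Path(tempfile.mkdtemp())
    aws = home / ".aws"
    aws.mkdir()
    (aws / "credentials").write_text("[default]\naws_access_key_id = AKIAEXAMPLE\n")
    os.chmod(aws / "credentials", 0o600)            # correctly locked down
    gcloud = home / ".config" / "gcloud"
    gcloud.mkdir(parents=True)
    adc = gcloud / "application_default_credentials.json"
    adc.write_text('{"type": "authorized_user"}')
    os.chmod(adc, 0o644)                             # readable by any local user
    return str(home)


if __name__ == "__main__":
    for finding in audit_home(build_fixture(), env={}):
        print(finding)
```

Run it against a real home directory with `audit_home(os.path.expanduser("~"))`; anything it lists is what a script with the same user's privileges can read and ship off-host.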

Image: @z4r0u1 Telegram user profile

Discord as Command and Control:

Qubitstrike uses Discord as its command and control (C2) platform, a common choice among malware authors because of its simplicity and popularity. To make the C2 harder to spot in the script, the Discord bot token is stored in encoded form rather than in plaintext.

Like other cryptojacking campaigns, Qubitstrike tries to propagate over SSH, reading the compromised host's known_hosts files to find other machines it has previously connected to. Each newly infected host adds its processing power to the mining operation.
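What the worm gets from known_hosts, and what it does not, as an added example (Python, not part of the original report): it parses a constructed known_hosts file, collects the hosts a worm can read in plaintext, and shows that an entry written with OpenSSH's `HashKnownHosts yes` option only reveals a host when you already have a candidate name to check against it. The function names and the sample file are mine; the key blobs are placeholders.

```python
"""Parse an OpenSSH known_hosts file the way an SSH-spreading worm would, and
show why `HashKnownHosts yes` blunts that step.  Added example, not Qubitstrike
code; the sample file below is constructed and the keys are placeholders."""
import base64
import hashlib
import hmac


def hash_host(host, salt):
    """Produce OpenSSH's hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def matches_hashed(field, host):
    """Check a candidate hostname against a hashed entry.  This is all a reader of
    the file can do: confirm a guess, never read the hostname back directly."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def _split_host_field(field):
    """Expand 'a,b,[c]:2222' into (host, port) pairs."""
    out = []
    for token in field.split(","):
        if token.startswith("[") and "]:" in token:
            host, port = token[1:].rsplit("]:", 1)
            out.append((host, int(port)))
        else:
            out.append((token, 22))
    return out


def plaintext_targets(text):
    """Hosts a worm can lift straight out of the file: plaintext entries only."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):        # @cert-authority / @revoked marker
            fields = fields[1:]
        if fields[0].startswith("|1|"):      # hashed: nothing usable without a guess
            continue
        for host, port in _split_host_field(fields[0]):
            if "*" in host or "?" in host:   # wildcard pattern, not a concrete host
                continue
            targets.append((host, port))
    return targets


def hashed_fields(text):
    """The hashed host fields, for feeding guesses into matches_hashed()."""
    return [line.split()[0] for line in text.splitlines() if line.startswith("|1|")]


# Constructed sample: four plaintext hosts plus one hashed entry for 10.0.0.9.
_SALT = b"0123456789abcdef0123"          # 20 bytes, the length OpenSSH uses
HIDDEN_HOST = "10.0.0.9"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# plaintext entries: a worm reads these directly",
    "10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKey1",
    "jupyter-worker-2,192.168.1.20 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIPlaceholder",
    "[bastion.example.org]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholder",
    "@cert-authority *.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderCA",
    hash_host(HIDDEN_HOST, _SALT) + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKey2",
])

if __name__ == "__main__":
    print("targets readable in plaintext:", plaintext_targets(SAMPLE_KNOWN_HOSTS))
    entry = hashed_fields(SAMPLE_KNOWN_HOSTS)[0]
    print("hashed entry matches 10.0.0.9:", matches_hashed(entry, HIDDEN_HOST))
    print("hashed entry matches 10.0.0.5:", matches_hashed(entry, "10.0.0.5"))
```

Hashing is not a cure: a worm on a host that also has shell history, SSH config files or an agent loaded with keys has other routes to the same targets, and a small dictionary of local hostnames checked with `matches_hashed` recovers predictable names quickly. It does remove the free target list that this campaign relies on.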

Qubitstrike deploys the Diamorphine Linux Kernel Module (LKM) rootkit, designed to hide malicious processes. The rootkit is delivered in an encoded form, decoded, and installed on the host, making it more difficult to detect.
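One check for the process hiding Diamorphine performs, as an added example (Python, Linux only; not Cado's tooling): the rootkit filters hidden PIDs out of directory listings of /proc, but /proc/<pid> still opens by exact path, so brute-forcing the PID space and diffing it against the listing exposes them. The function names are mine; the thread-id and process-churn handling is what separates a usable check from a wall of false positives.

```python
"""Find processes hidden from directory listings of /proc, the trick LKM
rootkits such as Diamorphine use to conceal a miner.  A hidden PID is filtered
out of readdir() results but /proc/<pid> can still be opened by exact path.
Added example, not Cado's tooling; Linux only.  All names below are mine."""
import os


def is_process(pid):
    """True if /proc/<pid> belongs to a thread-group leader.  Thread ids are also
    reachable by path but never listed by readdir, so without this check every
    multithreaded process would produce a false 'hidden' hit."""
    try:
        with open("/proc/%d/status" % pid) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False


def listed_pids():
    """What `ps` and `ls /proc` see: the set a rootkit is able to filter."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def reachable_pids(pid_max):
    """Brute-force every possible PID by exact path instead of asking readdir."""
    return {pid for pid in range(1, pid_max + 1)
            if os.path.exists("/proc/%d" % pid) and is_process(pid)}


def hidden_pids(listed_before, listed_after, reachable):
    """Pure comparison, separated so it can be tested without a live /proc.
    A PID is suspicious only if it was reachable yet missing from BOTH listings;
    missing from just one is ordinary process churn during the scan."""
    return sorted(reachable - listed_before - listed_after)


def scan_live(pid_max=None):
    """Run the check against this host; returns the suspicious PIDs."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    before = listed_pids()
    reachable = reachable_pids(pid_max)
    after = listed_pids()
    candidates = hidden_pids(before, after, reachable)
    # Final recheck: drop anything that exited between the brute-force pass and now.
    return [pid for pid in candidates if os.path.exists("/proc/%d" % pid)]


if __name__ == "__main__":
    print("hidden pids:", scan_live())
```

pid_max is often 4194304 on 64-bit systems, so a full pass takes some seconds. Anything reported deserves a look at /proc/<pid>/exe and /proc/<pid>/cmdline. In Diamorphine's default build, sending signal 63 to any PID (`kill -63 0`) toggles the module's own visibility in `lsmod`, which is a quick corroborating check once a hidden process has turned up.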

Besides C2, Discord serves as a platform for data exfiltration in Qubitstrike. Files can be uploaded and downloaded through Discord attachments, providing another layer of concealment for the attackers.
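Pulling the C2 back out of an obfuscated dropper, as an added example (Python, not the malware's code): it walks every base64-looking run in a script, decodes it, recursing so that double-encoded blobs are unpacked too, and flags Discord API URLs, strings shaped like a Discord bot token, and Telegram Bot API URLs, which covers both the C2 channel and the Telegram exfiltration described above. SAMPLE_SCRIPT is constructed and its token is a placeholder; the token regex is the commonly used shape heuristic, not an official format.

```python
"""Recover C2 indicators that a dropper hides behind base64, the way the
article describes Qubitstrike encoding its Discord token.  Added example, not
the malware's code; SAMPLE_SCRIPT is constructed and the token is a placeholder."""
import base64
import re

# Indicators worth flagging in decoded text.  The Discord token shape
# (base64 user id . base64 timestamp . HMAC) is the widely used heuristic.
INDICATORS = {
    "discord_api": re.compile(r"discord(?:app)?\.com/api", re.I),
    "discord_token": re.compile(r"\b[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27,}"),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot\d+:", re.I),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decode(blob):
    """Decode one base64 run to text, or None if it is not valid printable base64."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def decoded_layers(text, layer=0, max_layers=3):
    """Yield (layer, text) for the raw script and every base64 blob found in it,
    recursing so that a blob encoded twice is still unpacked."""
    yield layer, text
    if layer >= max_layers:
        return
    for m in B64_RUN.finditer(text):
        inner = _decode(m.group(0))
        if inner is not None:
            yield from decoded_layers(inner, layer + 1, max_layers)


def scan_script(text):
    """Return one finding per (indicator, decoded chunk) hit; layers == 0 means
    the indicator was sitting in the script in the clear."""
    findings = []
    for layer, chunk in decoded_layers(text):
        for name, rx in INDICATORS.items():
            m = rx.search(chunk)
            if m:
                findings.append({"indicator": name, "layers": layer, "match": m.group(0)})
    return findings


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample dropper: endpoint and bot token base64-encoded once, the
# Telegram exfil URL encoded twice.  The token is a placeholder, not a real one.
SAMPLE_SCRIPT = "\n".join([
    "#!/bin/bash",
    'D=$(echo "%s" | base64 -d)' % _b64("https://discord.com/api/v10/channels"),
    'T=$(echo "%s" | base64 -d)' % _b64(
        "Authorization: Bot NzUwMDAwMDAwMDAwMDAwMDAw.XXXXXX.placeholder-not-a-real-token"),
    'E=$(echo "%s" | base64 -d | base64 -d)' % _b64(_b64(
        "https://api.telegram.org/bot000000:placeholder/sendDocument")),
    'curl -s -H "$T" "$D/000/messages"',
])

if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(finding)
```

The same pass works on a captured mi.sh or on anything pulled from a cron entry: point `scan_script` at the file contents and the recovered Discord channel and bot token are what you block at the proxy and hand to Discord's abuse contact.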

Qubitstrike poses a multi-faceted threat, using Discord for command and control and data exfiltration while targeting Cloud Service Provider credentials. 

The malware’s evasion techniques and choice of hosting platform make it an intriguing and potentially growing concern in the cybersecurity landscape. 



