Pacha Group is a crypto-mining threat actor we at Intezer discovered and profiled in a blog post published on February 28, 2019. This threat actor targeted Linux servers dating back to September 2018 and implemented advanced evasion and persistence techniques.
We have continued to monitor this threat actor and new findings show that Pacha Group is also targeting cloud-based environments and conducting great efforts to disrupt other crypto-mining groups, namely Rocke Group who is also known to target cloud environments.
We believe that these findings are relevant within the context of bringing awareness about cloud-native threats and our research may imply that cloud environments are increasingly becoming a common target for adversaries.
In monitoring Pacha Group we have identified new, undetected Linux.GreedyAntd variants that share code with previous variants.
Despite sharing nearly 30% of code with previous variants, detection rates of the new Pacha Group variants are low:
The main malware infrastructure appears to be identical to previous Pacha Group campaigns, although there is a distinguishable effort to detect and mitigate Rocke Group’s implants. Rocke Group was first reported by Cisco Talos researchers and has deployed sophisticated crypto-mining campaigns in Linux servers and cloud-based environments as reported by Palo Alto Unit 42. The following image is a blacklist of miners in which Linux.GreedyAntd searches to eradicate. We have recognized several file names in this blacklist known to be used for Rocke Group’s implants:
Furthermore, there are other strings within this file path blacklist which are used to search for and disable cloud protection solutions, such as Alibaba Server Guard Agent. Strings of malware implants known to have abused the Atlassian vulnerability were also found. Rocke Group is known to hunt for similar security products and to have abused the same vulnerability.
Another interesting update in Pacha Group’s infrastructure in comparison to previous campaigns is that further implants would only be able to be downloaded from Pacha Group’s servers if the HTTP GET request was completed with a specific User-Agent. In the following screenshot we can see how files can not be downloaded unless the correct User-Agent is used:
In addition, Pacha Group’s component update seems to include a lightweight user-mode rootkit known as Libprocesshider, which is an open source project hosted on GitHub and has also been used by Rocke Group.
The malware updates /etc/ld.preload to include the path of the dropped library masquerading libconv.so, a unicode conversion library.
This shared object will export customized versions of readdir and readdir64 functions that will attempt to hide a process name from /proc filesystem of one of the main components of the malware’s infrastructure, in charge to download further implants in intervals along with enforcing process, file path and IP blacklisting:
Along with process and file path blacklisting measures seen in previous variants, we also observed that newer variants implement IP blacklisting using an interesting technique.
Right after process and file path black listing has been accomplished, we find the following code:
Each of the IPs in the blacklist IP table is decoded and then added to the system routing table with host scope via ioctl.
This is more conveniently shown by observing the following system call trace:
When we check the routing table of a compromised system we see the following:
Each of the decoded IPs have been added to the routing table with host scope. This implies that when any of these IPs will be requested, each request will be routed back to the host to be resolved instead of redirecting them to the gateway, causing a failure in the routing process.
In the following screenshot we can see the effect of this methodology by using the ping utility:
After analyzing the IP blacklist we discovered that some of these IPs, even though they may not necessarily be malicious, are known to have been used by Rocke Group in the past. As an example, systemten.org is in this blacklist and it is known that Rocke Group has used this domain for their crypto-mining operations. The following are some domains that correspond to their hardcoded IPs in Linux.GreedyAntd’s blacklist that have Rocke Group correlations:
We have presented evidence that Pacha Group is targeting cloud-based environments and being especially aggressive towards Rocke Group. We have based this conclusion on the process blacklist used by Pacha Group and the newly added IP blacklist which contains Rocke Group correlated artifacts.
We have also provided a YARA rule in order to detect Pacha Group’s Linux.GreedyAntd implants based on reused code among the implants.
For additional recommendations on how to mitigate this threat, please refer to our non-technical blog post on this subject: http://intezer.com/blog-competition-for-cryptocurrency-mining-foothold-on-the-cloud.
Cloud infrastructure is quickly becoming a common target for threat actors, particularly on vulnerable Linux servers. Unfortunately the detection rates of Linux-based malware remain low and the security community needs more awareness in order to more effectively mitigate these threats.
GreedyAntd Embedded IP Blacklist
The following are IPs that the Pacha Group attempts to block to prevent operation of other crypto-mining implants (notice not to block these IPs. See the IPs to block in the above IOCs section):