Hackers are scanning for internet-exposed Jupyter Notebooks to breach servers and deploy a cocktail of malware consisting of a Linux rootkit, crypto miners, and password-stealing scripts.
Jupyter Notebooks are open-source interactive computing environments for data analysis, machine learning, and scientific research. This platform was recently targeted by another malware named ‘PyLoose,’ also leading to XMRRig miner deployment in the underlying container.
In a new campaign called ‘Qubitstrike,’ the threat actors download malicious payloads to hijack a Linux server for cryptomining and to steal credentials for cloud services, such as AWS and Google Cloud.
As Cado Research reports today, the Qubitstrike malware payloads are hosted on codeberg.org, marking the first instance of this platform being abused for malware distribution.
Hijacking Linux with Qubitstrike
Qubitstrike attacks are believed to begin with a manual scan for exposed Jupyter Notebooks, followed by a CPU identification to evaluate its mining potential.
The attackers search for credential files they can steal and download and execute a script (‘mi.sh’) using a base64-encoded command.
The script is responsible for most of the malicious activity on a compromised Linux server, including the following:
- Download and run an XMRig miner disguised as “python-dev”
- Set up four cron jobs (apache2, apache2.2, netns, netns2) for the miner’s and script’s persistence
- Insert an attacker-controlled SSH key for persistent root access
- Install the ‘Diamorphine’ LKM (loadable kernel module) rootkit that helps hide specific processes from monitoring tools
- Steal credentials from the breached endpoint and spread via SSH
Cado reports that mi.sh also performs some attack-optimization steps using an additional component named “kthreadd,” such as detecting competing miners in the list of running processes and killing them and using the ‘netstat’ utility to shut connections to IPs flagged for cryptojacking.
To cover the attacker’s traces, data transfer utilities such as ‘curl’ and ‘wget’ are renamed, and log files containing evidence of the breach are wiped from the system using a custom function (‘log_f’).
The Qubitstrike scripts also install the open-source Diamorphine rootkit for Linux, which is used to hide the presence of any running scripts and malware payloads.
“Diamorphine is well-known in Linux malware circles, with the rootkit being observed in campaigns from TeamTNT and, more recently, Kiss-a-dog,” explains the Cado report.
“Compiling the malware on delivery is common and is used to evade EDRs and other detection mechanisms.”
Qubitstrike searches for credentials on the compromised endpoint and sends them back to its operators using the Telegram Bot API.
Specifically, the malware iterates through a list of 23 directories that usually host credentials for files named “credentials,” “cloud,” “kyber-env,” and others.
Any credentials found there are stored in a temporary file on “/tmp/creds,” sent to the Telegram bot, and eventually deleted.
Cado has found that the bot linked to the credentials exfiltration is linked to a private chat with a user named “z4r0u1.” Also, the researchers found that the attacker’s IP address places them in Tunisia, while the user agent shows the use of Kali Linux.
Using Discord as a C2
Examining the attacker’s repository on Codeberg revealed another script named ‘kdfs.py,’ which utilizes a Discord bot for command and control (C2) operations using a multi-obfuscated token.
The script can run as a standalone executable, messaging a hard-coded Discord channel to send host info and then waiting for commands to execute. The implant also abuses Discord for data exfiltration.
The embedded token exposed the attacker’s nickname, ‘BlackSUN,’ Discord server, ‘NETShadow,’ and the contained channels named ‘victims’ and ‘ssh,’ which leave little doubt about the nature of the space, created on September 2, 2023.
Although the kdfs.py implant was never deployed on Cado’s honeypots, the researchers suggest it’s a predecessor to the mi.sh script.