But wait, there's more
On Friday, Datadog revealed that MUT-1244 used additional resources to install the second-stage malware. One of these was a collection of at least 49 malicious GitHub repositories containing Trojanized proof-of-concept exploits for security vulnerabilities. Such proof-of-concept packages help both attackers and legitimate security personnel better understand the scope of a vulnerability, including how it can be exploited or patched in real environments, which is why they are widely downloaded.
A second major vector for spreading @0xengine/xmlrpc was through phishing emails. Datadog discovered that MUT-1244 left behind a phishing template accompanied by 2,758 email addresses sourced from arXiv, a site frequented by professional and academic researchers.
The email, addressed to people developing or researching high-performance computing software, encouraged them to install a CPU microcode update that would significantly improve performance. Datadog later determined that the emails were sent between October 5 and October 21.
What further increases the impression of legitimacy is that several of the malicious packages were automatically picked up by legitimate sources, such as Feedly Threat Intelligence and Vulnmon. These sites listed the malicious packages as proof-of-concept repositories for the vulnerabilities the packages claimed to exploit.
“This increases their appearance of legitimacy and the likelihood that someone will lead them,” Datadog said.
Using @0xengine/xmlrpc, the attackers were able to steal around 390,000 credentials from infected machines. Datadog determined that the credentials were intended to log into administrator accounts for websites running the WordPress content management system.
Taken together, the many facets of the campaign—its longevity, its precision, the professional quality of the backdoor, and its many infection vectors—indicate that MUT-1244 was a skilled and determined threat actor. However, the group made a mistake by leaving the phishing email template and addresses in a publicly available account.
The attackers' ultimate motives remain unclear. If the goal were to mine cryptocurrency, there would likely be better populations to target than security personnel. And if the goal was to target researchers, as other recently discovered campaigns have done, it is unclear why MUT-1244 would also use cryptocurrency mining, an activity that is often easy to detect.
Reports from both Checkmarx and Datadog include indicators that people can use to check if they have been targeted.
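As an added example, not code from the Datadog or Checkmarx reports: a small scanner that checks npm lockfiles for a dependency on @0xengine/xmlrpc, the package named on this page, including the transitive case where it arrives through another dependency. The function names, the sample lockfile and its version numbers are constructed for illustration.

```python
import json
from pathlib import Path

# Package name taken from the reports; everything else here is constructed.
WATCHLIST = {"@0xengine/xmlrpc"}


def find_in_lockfile(lock: dict, watchlist=WATCHLIST) -> list[str]:
    """Return install paths (with versions) of watch-listed packages.

    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path)
    and falls back to the v1 "dependencies" tree when "packages" is absent.
    """
    hits = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            # Root entry has path ""; nested entries end in the package name.
            name = meta.get("name") if path == "" else path.rsplit("node_modules/", 1)[-1]
            if name in watchlist:
                hits.append(f"{path or '.'} ({meta.get('version', '?')})")
        return hits

    def walk_v1(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            here = f"{prefix}node_modules/{name}"
            if name in watchlist:
                hits.append(f"{here} ({meta.get('version', '?')})")
            walk_v1(meta.get("dependencies", {}), here + "/")

    walk_v1(lock.get("dependencies", {}), "")
    return hits


def scan_tree(root: str) -> dict[str, list[str]]:
    """Scan every package-lock.json under root; map lockfile path -> hits."""
    report = {}
    for lock_path in Path(root).rglob("package-lock.json"):
        try:
            hits = find_in_lockfile(json.loads(lock_path.read_text()))
        except (OSError, ValueError):
            continue  # unreadable or malformed lockfile: skip, keep scanning
        if hits:
            report[str(lock_path)] = hits
    return report


# Constructed v3 lockfile: the package is pulled in transitively by "some-lib".
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "dependencies": {"some-lib": "^1.0.0"}},
        "node_modules/some-lib": {"version": "1.0.0",
                                  "dependencies": {"@0xengine/xmlrpc": "*"}},
        "node_modules/some-lib/node_modules/@0xengine/xmlrpc": {"version": "1.0.0"},
    },
}

if __name__ == "__main__":
    for hit in find_in_lockfile(SAMPLE_LOCK):
        print("watch-listed package found:", hit)
```

Run `scan_tree("/path/to/projects")` to sweep a checkout directory; a hit in a lockfile is a reason to inspect that project, not proof of compromise on its own.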