Researchers have discovered a new attack campaign that compromises Jupyter Notebook instances and deploys cryptojacking malware. The operation uses Discord for command and control and steals AWS and Google Cloud credentials from compromised servers.
“Qubitstrike is a relatively sophisticated malware campaign, spearheaded by attackers with a particular focus on exploitation of cloud services,” researchers from cloud forensics and incident response firm Cado Security said in a report. “Jupyter Notebooks are commonly deployed in cloud environments, with providers such as Google and AWS offering them as managed services.”
Jupyter Notebook is a web-based interactive computing platform that supports over 40 programming languages and is used for data visualization, machine learning, data transformations, numerical simulations, statistical modeling, and managing various other computational outputs. It is an open-source application that can be deployed on servers and has been used as an entry-point for other cloud-based attack campaigns over the past year because it exposes powerful features including command execution.
Cado observed the Qubitstrike attackers connecting to their purposely unprotected Jupyter Notebook honeypot and leveraging the terminal access feature to open a Bash command line interface and manually executing a series of reconnaissance commands to determine the system’s CPU information, the currently logged in user, whether root access was available via the su command and if the curl tool was installed.
This first stage culminates with the execution of a base64-encoded command that uses curl to download a Bash script called mi.sh from an account on codeberg.org, a Git hosting platform that’s similar to GitHub. The script is saved to a temporary folder, then executed and eventually removed.
Qubitstrike malware set up for persistence
The mi.sh script sets up the system for deployment of additional tools, specifically a version of the XMRig cryptocurrency mining program. First, the script renames the curl and wget utilities in the system to avoid triggering system detections by using them. It also scans running processes for the presence of competing cryptominers and kills them, and it kills connections to a hard-coded list of IP addresses associated with cryptomining operations.
The script also deletes various system logs and will set up persistence on the system by registering several cron jobs and adding the attacker’s SSH key to the system. More importantly, it downloads and deploys a rootkit called Diamorphine. This rootkit operates as a kernel module that’s loaded with the insmod command and its purpose is to hide the attacker’s processes on the system.
If the insmod command fails, the attackers compile Diamorphine from source as a Linux Shared Object file and then use the LD Preload technique to register it with the dynamic linker, resulting in the malicious file executing every time a new executable is launched on the system.
“Diamorphine is well-known in Linux malware circles, with the rootkit being observed in campaigns from TeamTNT and, more recently, Kiss-a-dog,” the Cado researchers said. “Compiling the malware on delivery is common and is used to evade EDRs and other detection mechanisms.”
Finally, the mi.sh script searches the local directories for AWS and Google Cloud access tokens and exfiltrates any that are found to a Telegram group. The Cado researchers intentionally placed an AWS token on their honeypot system and immediately saw an attempt to use it to access the associated AWS account. Qubitstrike also acts like a SSH work, with the script trying to connect to all the IP addresses listed in the SSH hosts file on the system and attempting to push mi.sh to them.
More implants found in Codeberg repository
By investigating the Codeberg repository that hosted the mi.sh script, the researchers uncovered additional scripts and payloads including an implant written in Python and called kdfs.py. Once executed on a system, this implant will act as a bot that will join a Discord server and channel and wait for commands. It also supports downloading and uploading files through the Discord attachment feature.
“The name of the server used is ‘NETShadow,’ and the channel the bot posts to is ‘victims’,” the researchers said. “The server also had another channel titled ‘ssh.’ However, it was empty. All of the channels were made at the exact same time on September 2, 2023, suggesting that the creation process was automated. The bot’s username is Qubitstrike (hence the name we chose to give to the malware).”
The Cado researchers speculate that the kdfs.py might be executed on some systems first and then used to deploy mi.sh. However, on their honeypot system the kdfs.py bot was never deployed. While the end goal of the attack was to deploy an XMRig miner on the compromised systems, the attackers’ access is obviously not limited to that and they could pivot to other tactics as well.
“Cado urges readers with Jupyter Notebook deployments to review the security of the Jupyter servers themselves, paying particular attention to firewall and security group configurations,” the researchers said. “Ideally, the notebooks shouldn’t be exposed to the public internet. If you require them to be exposed, ensure that you have enabled authentication for them.”