Full Report
On 2023-03-15, a campaign was reported in which an unknown actor gained initial access through a cloud-native misconfiguration, specifically abuse of Kubernetes anonymous authentication, and used that access to run a DERO cryptocurrency miner on cloud compute resources. The target was Kubernetes; the objective was resource hijacking (cryptojacking). The following tool was observed: DERO miner.
Analysis Summary
# Tool/Technique: DERO Miner
## Overview
DERO Miner refers to cryptocurrency-mining software (a cryptominer) that an unknown threat actor deployed into Kubernetes clusters in order to hijack the clusters' compute resources and mine the DERO cryptocurrency.
## Technical Details
- Type: Malware (Cryptominer)
- Platform: Kubernetes/Cloud Compute Resources (Linux instances running pods)
- Capabilities: Utilizes compromised resources to mine DERO cryptocurrency.
- First Seen: Reported on 2023-03-15 (in the context of this specific campaign).
## MITRE ATT&CK Mapping
This is an aggregate mapping based on the techniques described above; where the source does not detail a behaviour, the entry says so:
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (unauthenticated requests to an API server that accepts anonymous authentication)
- **TA0002 - Execution**
- T1610 - Deploy Container (the mining payload is deployed as workloads inside the cluster)
- **TA0007 - Discovery**
- T1613 - Container and Resource Discovery (implicit; needed to enumerate the cluster before deploying)
- **TA0005 - Defense Evasion** (commonly used by cryptominers to hide mining processes; not detailed for this campaign)
- **TA0011 - Command and Control** (implied by the miner's network communication; no C2 protocol is documented for this campaign)
- T1071.001 - Application Layer Protocol: Web Protocols (if configuration or payload downloads occur over HTTP/S)
- **TA0040 - Impact**
- T1496 - Resource Hijacking (cryptojacking; in current ATT&CK versions this is the sub-technique T1496.001, Compute Hijacking)
## Functionality
### Core Capabilities
- Executing CPU-intensive computations to mine DERO cryptocurrency.
- Keeping the miner running inside the pods deployed to the compromised cluster (the specific persistence mechanism is not detailed in the source).
### Advanced Features
- Leveraging misconfigurations in Kubernetes (e.g., K8s anonymous auth abuse) to gain unauthorized access and deploy the mining payload.
- Focusing deployment specifically on cloud compute instances to maximize stolen processing power.
## Indicators of Compromise
- File Hashes: [Not available in the context provided]
- File Names: [Not available in the context provided; the process names used in this campaign were not reported, so do not rely on the miner carrying an obviously mining-related name]
- Registry Keys: [Not applicable for typical Linux/Container execution]
- Network Indicators: [Specific C2/Pool addresses not detailed; deployment likely connects to a DERO mining pool]
- Behavioral Indicators: Sustained, unexplained high CPU utilization in Kubernetes pods and nodes; outbound connections to known mining pools; API server audit events in which the `system:anonymous` user (or the `system:unauthenticated` group) successfully creates or modifies workloads, which is how an unauthenticated request is recorded when anonymous authentication is enabled.
## Associated Threat Actors
- Unknown actor (Reported March 2023).
## Detection Methods
- Signature-based detection: Signatures for the miner binary, if a sample becomes available (none is provided in the source).
- Behavioral detection: Monitor for sudden, uncharacteristic 100% CPU load in application containers or pods, for outbound connections to known mining pools, and for workloads (Pods, DaemonSets, Deployments) created by principals that should never create them; in API server audit logs, any successful write by `system:anonymous` is a high-confidence signal.
- YARA rules: [Not available in the context provided]
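The audit-log detection described above, worked through as an added example (this is not code from the original report or from any vendor). It assumes the standard kube-apiserver audit log format (one `audit.k8s.io/v1` Event per line, as written with `--audit-log-path`) and that anonymous authentication maps credential-less requests to the user `system:anonymous` and the group `system:unauthenticated`. The log lines are constructed for illustration; the workload name and source IP in them are invented.

```python
"""Flag kube-apiserver audit events that show anonymous-auth abuse.

Added example, not from the original report. Assumes the standard audit log
format: one audit.k8s.io/v1 Event per line. Sample events are constructed.
"""
import json
import sys

# Identity the API server assigns to credential-less requests when
# --anonymous-auth=true (the default).
ANONYMOUS_USER = "system:anonymous"
UNAUTHENTICATED_GROUP = "system:unauthenticated"

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Kinds an intruder creates to get a miner scheduled onto cluster nodes.
WORKLOAD_RESOURCES = {"pods", "daemonsets", "deployments", "replicasets",
                      "jobs", "cronjobs", "statefulsets"}
# Paths the default system:public-info-viewer ClusterRole allows anonymously.
PUBLIC_PATHS = ("/healthz", "/livez", "/readyz", "/version")


def is_unauthenticated(event):
    user = event.get("user") or {}
    return (user.get("username") == ANONYMOUS_USER
            or UNAUTHENTICATED_GROUP in (user.get("groups") or []))


def classify(event):
    """Return a severity for one audit event, or None when it is benign."""
    # A request is logged at several stages; ResponseComplete is the one that
    # carries the final HTTP status, so only that stage is scored.
    if event.get("stage") != "ResponseComplete" or not is_unauthenticated(event):
        return None
    verb = event.get("verb", "")
    code = (event.get("responseStatus") or {}).get("code", 0)
    resource = (event.get("objectRef") or {}).get("resource", "")
    allowed = 200 <= code < 300
    if not allowed:
        return "info"        # denied anonymous request: reconnaissance signal
    if verb in WRITE_VERBS and resource in WORKLOAD_RESOURCES:
        return "critical"    # anonymous principal got a workload scheduled
    if verb in WRITE_VERBS:
        return "high"        # anonymous write elsewhere (RBAC, secrets, ...)
    if not resource and event.get("requestURI", "").startswith(PUBLIC_PATHS):
        return None          # health/version probe, permitted by default RBAC
    return "medium"          # anonymous read of cluster state


def scan(lines):
    """Parse audit log lines and return the non-benign events, in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        severity = classify(event)
        if severity is None:
            continue
        ref = event.get("objectRef") or {}
        findings.append({
            "severity": severity,
            "user": (event.get("user") or {}).get("username"),
            "verb": event.get("verb"),
            "resource": ref.get("resource") or event.get("requestURI"),
            "namespace": ref.get("namespace"),
            "name": ref.get("name"),
            "source": ",".join(event.get("sourceIPs") or []),
        })
    return findings


def _event(verb, uri, code, stage="ResponseComplete", user=ANONYMOUS_USER,
           groups=(UNAUTHENTICATED_GROUP,), ref=None, ip="198.51.100.7"):
    """Build one constructed audit event (test data, not a real capture)."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
            "verb": verb, "requestURI": uri, "sourceIPs": [ip],
            "user": {"username": user, "groups": list(groups)},
            "objectRef": ref, "responseStatus": {"code": code}}


# Constructed sample log: a health probe, the RequestReceived stage of a
# write (ignored), anonymous pod listing, an anonymous DaemonSet creation,
# a denied RBAC write, and a legitimate authenticated pod creation.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("get", "/healthz", 200),
    _event("create", "/apis/apps/v1/namespaces/kube-system/daemonsets", 0,
           stage="RequestReceived",
           ref={"resource": "daemonsets", "namespace": "kube-system"}),
    _event("list", "/api/v1/pods", 200, ref={"resource": "pods"}),
    _event("create", "/apis/apps/v1/namespaces/kube-system/daemonsets", 201,
           ref={"resource": "daemonsets", "namespace": "kube-system",
                "name": "node-agent"}),
    _event("create", "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings",
           403, ref={"resource": "clusterrolebindings", "name": "anon-admin"}),
    _event("create", "/api/v1/namespaces/default/pods", 201, user="alice",
           groups=("system:authenticated",),
           ref={"resource": "pods", "namespace": "default", "name": "web-1"}),
])

if __name__ == "__main__":
    # Usage: python audit_scan.py [/var/log/kubernetes/audit.log]
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for f in scan(lines):
        print(f"[{f['severity']}] {f['user']} {f['verb']} {f['resource']} "
              f"ns={f['namespace']} name={f['name']} from {f['source']}")
```

On the constructed sample the scan reports the anonymous pod listing as medium, the anonymous DaemonSet creation as critical and the denied RBAC write as info; the health probe and the authenticated write are ignored. The "info" findings are worth keeping: a burst of denied anonymous requests from one source IP is the reconnaissance that precedes a successful deployment when RBAC is too permissive.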
## Mitigation Strategies
- **Prevention measures**: Enforce least-privilege Kubernetes RBAC. Audit ClusterRoleBindings and RoleBindings for the subjects `system:anonymous` and `system:unauthenticated`; by default the only ClusterRole bound to unauthenticated callers is `system:public-info-viewer` (health and version endpoints), and any other grant is an exposure.
- **Hardening recommendations**: Run kube-apiserver with `--anonymous-auth=false` unless anonymous access is strictly required; after doing so, confirm that load-balancer health probes against `/healthz`, `/livez` or `/readyz` still succeed, since those endpoints will then reject requests that carry no credentials. Apply Pod Security Standards through the Pod Security Admission controller (the `pod-security.kubernetes.io/enforce` namespace label) or a policy admission controller to restrict what containers may do, and set resource requests and limits (LimitRange and ResourceQuota per namespace) so that a hijacked workload cannot consume every core on a node. Strictly vet and limit the images that can be pulled into the cluster.
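The RBAC audit recommended above, as an added example (not code from the original report or from the Kubernetes project). It assumes the input is the JSON produced by `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` (a List whose `items` are the objects), and that `system:public-info-viewer` is the only ClusterRole Kubernetes binds to unauthenticated callers by default. The role and binding objects below are constructed for illustration; the binding names `anon-admin`, `anon-deployer`, `anon-readonly` and the roles `pod-reader` and `workload-deployer` are invented.

```python
"""Audit ClusterRoleBindings for privileges reachable without credentials.

Added example, not part of the original report. Input is the JSON emitted by
`kubectl get clusterroles -o json` / `kubectl get clusterrolebindings -o json`.
The sample objects are constructed; the custom names are invented.
"""
import json
import sys

# Subjects that a credential-less request matches when anonymous auth is on.
UNAUTHENTICATED_SUBJECTS = {("User", "system:anonymous"),
                            ("Group", "system:unauthenticated")}
# The only ClusterRole bound to unauthenticated callers in a default cluster;
# it grants nothing but /healthz, /livez, /readyz and /version.
EXPECTED_ROLES = {"system:public-info-viewer"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
WORKLOAD_RESOURCES = {"pods", "daemonsets", "deployments", "replicasets",
                      "jobs", "cronjobs", "statefulsets"}


def rate_rules(rules):
    """Worst-case severity of a rule set if it is reachable anonymously."""
    severity = "medium"  # any unexpected grant at least enables reconnaissance
    for rule in rules:
        verbs = set(rule.get("verbs") or [])
        resources = set(rule.get("resources") or [])
        if "*" in verbs and "*" in resources:
            return "critical"  # cluster-admin equivalent
        if (verbs & WRITE_VERBS or "*" in verbs) and \
           (resources & WORKLOAD_RESOURCES or "*" in resources):
            severity = "high"  # enough to schedule a miner on the nodes
    return severity


def _touches_resources(rules):
    """True if any rule grants API resources rather than only nonResourceURLs."""
    return any(rule.get("resources") for rule in rules)


def audit(roles_doc, bindings_doc):
    """Return bindings that expose a ClusterRole to unauthenticated subjects."""
    roles = {r["metadata"]["name"]: r.get("rules") or [] for r in roles_doc["items"]}
    findings = []
    for binding in bindings_doc["items"]:
        subjects = [(s.get("kind"), s.get("name")) for s in binding.get("subjects") or []]
        exposed = [s for s in subjects if s in UNAUTHENTICATED_SUBJECTS]
        if not exposed:
            continue
        role = binding["roleRef"]["name"]
        rules = roles.get(role, [])
        # The default public-info binding is fine as long as nobody has
        # edited that role to cover real API resources.
        if role in EXPECTED_ROLES and not _touches_resources(rules):
            continue
        findings.append({
            "binding": binding["metadata"]["name"],
            "role": role,
            "subjects": [f"{kind}:{name}" for kind, name in exposed],
            "severity": rate_rules(rules),
        })
    return findings


def _role(name, rules):
    return {"metadata": {"name": name}, "rules": rules}


def _binding(name, role, subjects):
    return {"metadata": {"name": name},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": role},
            "subjects": [{"kind": k, "name": n} for k, n in subjects]}


# Constructed sample: two default roles/bindings plus three misconfigurations.
ROLES = {"items": [
    _role("system:public-info-viewer", [{"nonResourceURLs": ["/healthz", "/livez",
          "/readyz", "/version", "/version/"], "verbs": ["get"]}]),
    _role("cluster-admin", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                            {"nonResourceURLs": ["*"], "verbs": ["*"]}]),
    _role("pod-reader", [{"apiGroups": [""], "resources": ["pods"],
                          "verbs": ["get", "list", "watch"]}]),
    _role("workload-deployer", [{"apiGroups": ["apps"],
                                 "resources": ["daemonsets", "deployments"],
                                 "verbs": ["create", "patch"]}]),
]}
BINDINGS = {"items": [
    _binding("system:public-info-viewer", "system:public-info-viewer",
             [("Group", "system:authenticated"), ("Group", "system:unauthenticated")]),
    _binding("cluster-admin", "cluster-admin", [("Group", "system:masters")]),
    _binding("anon-admin", "cluster-admin", [("User", "system:anonymous")]),
    _binding("anon-deployer", "workload-deployer", [("Group", "system:unauthenticated")]),
    _binding("anon-readonly", "pod-reader", [("Group", "system:unauthenticated")]),
]}

if __name__ == "__main__":
    # Usage: python rbac_audit.py clusterroles.json clusterrolebindings.json
    if len(sys.argv) == 3:
        roles_doc, bindings_doc = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        roles_doc, bindings_doc = ROLES, BINDINGS
    for f in audit(roles_doc, bindings_doc):
        print(f"[{f['severity']}] {f['binding']} -> {f['role']} for {', '.join(f['subjects'])}")
```

On the sample the default `system:public-info-viewer` binding is accepted, `anon-admin` is critical (wildcard verbs on wildcard resources), `anon-deployer` is high (create on DaemonSets and Deployments, which is all that is needed to run a miner on every node) and `anon-readonly` is medium. Run it against a real cluster's exports before and after setting `--anonymous-auth=false`: the flag removes the unauthenticated path entirely, but the bindings it reveals still represent over-privilege that other principals may be able to reach.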
## Related Tools/Techniques
- Techniques observed: Cloud native misconfig, Cloud compute cryptojacking, K8s anonymous auth abuse.
- Similar Tools: Other common cryptomining malware like XMRig.