Learn how the threat actors behind the 2023 DERO cryptojacking campaign have adapted their techniques to evade detection, and the best practices for mitigation.
Analysis Summary
# Tool/Technique: DERO Miner (Variant)
## Overview
A cryptojacking payload discovered as part of an ongoing campaign targeting misconfigured Kubernetes clusters. The miner executable, named "pause," is UPX-packed and hard-coded with wallet and pool information, suggesting a defense evasion and direct funding mechanism.
## Technical Details
- Type: Malware (Cryptominer)
- Platform: Linux (amd64) primarily; the hash list below also includes a Linux `arm` build and a Windows build.
- Capabilities: Cryptocurrency mining (DERO coin), execution via containerized workloads, evasion via packing, hard-coded mining configuration for silent operation.
- First Seen: Early stages documented March 2023; this analysis covers updated variants.
## MITRE ATT&CK Mapping
- [T1190 - Exploit Public-Facing Application]
- [T1610 - Deploy Container]
- [T1036.005 - Masquerading: Match Legitimate Name or Location]
- [T1027.002 - Obfuscated Files or Information: Software Packing]
- [T1496 - Resource Hijacking]
- [T1105 - Ingress Tool Transfer]
- [T1070 - Indicator Removal]
- [T1564.011 - Hide Artifacts: Ignore Process Interrupts]
- [T1583.001 - Acquire Infrastructure: Domains]
- [T1140 - Deobfuscate/Decode Files or Information]
## Functionality
### Core Capabilities
- **Cryptocurrency Mining:** Executes the DERO miner to hijack system resources for mining profitability.
- **Hard-Coded Configuration:** Wallet and pool details are embedded directly into the executable, removing the need for command-line flags during execution (likely for defense evasion).
- **Execution via Containers:** Deployed within malicious Docker images hosted on Docker Hub, leveraged through Kubernetes deployments and daemonsets.
### Advanced Features
- **Software Packing:** The miner binary is packed using UPX to obfuscate its nature and evade static analysis.
- **Masquerading:** The miner binary is named "pause," mimicking the legitimate, minimal container bootstrap binary used in Kubernetes pods. Container deployments also use benign-sounding names (`k8s-device-plugin`, `pytorch-container`) and target control-plane namespaces to blend in.
- **Propagation:** Utilizes misconfigured Kubernetes clusters to spread its containerized workloads.
## Indicators of Compromise
- File Hashes:
  - SHA256: `49e8422e5f273a564c15755711ab2a35a1deb2105bbe1a0a8ce670c9b38721e5` (Linux - amd64)
  - SHA256: `ad2ee0040f88a9001a32f945ce15de2dd1126c0f9f6cb626f2de0163792d8ff7` (Linux - amd64)
  - SHA256: `649a6fa70b26e5382652808348522b5e7f43f2f77a1b10a4cc5e5bfd5cb80327` (Linux - amd64)
  - SHA256: `06d080c816f099cccab56e4b596128e73cd63f524bdc2ddf5dd78c26f409f219` (Linux - amd64)
  - SHA256: `561790bd60258e056c72755bbaf848cfe5c3af548882c6a6579a599192bce3d2` (Linux - amd64)
  - SHA256: `e1de787777faba85dcca4e10d945553aefdba14b1995cca7cf0721ee571c7e96` (Linux dropper, `ddns.sh`)
  - SHA256: `d6b14a4fbe5b9adbc0094098b4690ba5f5426247e21474915c408ca4553fcd49` (Linux - arm)
  - SHA256: `9131aac1df4b3a610f5fe69c55fdc19f07055648c0081e61536eb903e0914dc2` (Windows)
- File Names: "pause" (miner executable)
- Network Indicators: none explicitly provided in this summary; the mining pool and wallet details are hard-coded inside the miner binary.
- Behavioral Indicators: execution of container images pulled from Docker Hub; deployment via Kubernetes Deployments/DaemonSets in sensitive namespaces such as `kube-public` and `kube-system`; execution of a shell script named `ddns.sh` (associated with the dropper).
## Associated Threat Actors
- Unspecified threat actor actively maintaining and updating this cryptojacking campaign.
## Detection Methods
- Signature-based detection: Signatures against the known UPX-packed DERO miner hashes or strings related to DERO mining configuration.
- Behavioral detection: Monitoring for the deployment of non-standard containers (especially those named "pause" or with suspicious image sources like Docker Hub) into Kubernetes environments, particularly when associated T1610 activity occurs following T1190.
- YARA rules: Can be developed targeting the UPX packing signature or specific code segments of the DERO miner.
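The behavioral indicators above (a `pause` process launched from something other than the cluster's sandbox image, Docker Hub images landing in control-plane namespaces, and the benign-sounding workload names) can be checked offline against a pod listing. The following is an added example and not code from the original report; the trusted-registry set, the trusted pause image repository, and the sample pod listing are assumptions constructed for the demonstration and should be adjusted to the cluster being audited.

```python
"""Audit a Kubernetes pod listing for the masquerading patterns described above.

Added example, not code from the original report. The input shape is that of
`kubectl get pods -A -o json`; the sample at the bottom is constructed.
"""
import json

# Assumptions: registries trusted in this cluster and the repository the
# legitimate pause image is pulled from. Adjust both to your environment.
ALLOWED_REGISTRIES = {"registry.k8s.io", "registry.example.internal"}
TRUSTED_PAUSE_REPOS = {"registry.k8s.io/pause"}
CONTROL_PLANE_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease"}
# Benign-sounding workload names reported for the campaign.
CAMPAIGN_NAME_PATTERNS = ("k8s-device-plugin", "pytorch-container")


def image_registry(image: str) -> str:
    """Registry host of an image reference. Bare names such as 'nginx:1.25' or
    'user/repo' resolve to Docker Hub, which is how the container runtime treats them."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def image_repo(image: str) -> str:
    """Image reference without tag or digest: 'registry.k8s.io/pause:3.9' -> 'registry.k8s.io/pause'."""
    ref = image.split("@", 1)[0]
    head, sep, last = ref.rpartition("/")
    return head + sep + last.split(":", 1)[0]


def audit_pods(pod_list: dict) -> list[dict]:
    """Return one finding per container that matches at least one campaign indicator."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        namespace = meta.get("namespace", "default")
        pod_name = meta.get("name", "")
        for container in pod.get("spec", {}).get("containers", []):
            image = container.get("image", "")
            registry = image_registry(image)
            # First token of the entrypoint: where a masqueraded binary would be launched.
            entry = (container.get("command") or container.get("args") or [""])[0]
            reasons = []
            if registry not in ALLOWED_REGISTRIES:
                reasons.append(f"image from untrusted registry {registry}")
            if registry == "docker.io" and namespace in CONTROL_PLANE_NAMESPACES:
                reasons.append(f"Docker Hub image deployed into {namespace}")
            if entry.rsplit("/", 1)[-1] == "pause" and image_repo(image) not in TRUSTED_PAUSE_REPOS:
                reasons.append("process named 'pause' launched from a non-pause image")
            for pattern in CAMPAIGN_NAME_PATTERNS:
                if pattern in pod_name or pattern in container.get("name", ""):
                    reasons.append(f"workload name matches campaign pattern '{pattern}'")
            if reasons:
                findings.append({"namespace": namespace, "pod": pod_name,
                                 "container": container.get("name", ""),
                                 "image": image, "reasons": reasons})
    return findings


# Constructed sample in the shape of `kubectl get pods -A -o json`; not real cluster data.
# 'example-user/...' is a placeholder image name, not an indicator from the report.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"namespace": "kube-system", "name": "kube-proxy-7h2kq"},
   "spec": {"containers": [{"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.30.0"}]}},
  {"metadata": {"namespace": "kube-system", "name": "k8s-device-plugin-q9x4z"},
   "spec": {"containers": [{"name": "k8s-device-plugin",
             "image": "example-user/k8s-device-plugin:latest", "command": ["/pause"]}]}},
  {"metadata": {"namespace": "default", "name": "web-5d8f9"},
   "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]}}
]}
""")

if __name__ == "__main__":
    for finding in audit_pods(SAMPLE_POD_LIST):
        print(f"{finding['namespace']}/{finding['pod']} [{finding['container']}] {finding['image']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it against real output by replacing `SAMPLE_POD_LIST` with `json.load(open("pods.json"))`. The registry check is deliberately the broadest: an unlisted registry in any namespace is worth a look, while a Docker Hub image in `kube-system` combined with a `pause` entrypoint from a non-pause repository is the specific combination this campaign produces.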
## Mitigation Strategies
- **Hardening Kubernetes:** Strictly enforce Role-Based Access Control (RBAC) policies so that anonymous access (`system:anonymous`) carries no meaningful permissions.
- **Pod Security Standards:** Implement strict Pod Security Standards or Admission Controllers to prevent deployment of containers based on untrusted or public registries (e.g., Docker Hub) or to prevent execution of processes with known miner names/patterns.
- **Network Segmentation:** Limit outbound network access from application pods to only required destinations to prevent miners from communicating with mining pools.
- **Image Scanning:** Implement continuous scanning of container images hosted in registries to detect known packing or malware payloads before deployment.
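The RBAC hardening point above is easy to verify from a snapshot of the cluster's bindings. The following is an added example and not code from the original report: it takes the JSON of `kubectl get clusterrolebindings -o json` and `kubectl get clusterroles -o json`, flags every binding that names the `system:anonymous` user or the `system:unauthenticated` group, and resolves the bound role to show whether it grants access to API resources rather than only to the non-resource URLs (`/healthz`, `/version`) that the stock `system:public-info-viewer` binding exposes. The sample objects are constructed; `anonymous-cluster-admin` is a placeholder name for a misconfiguration, not something taken from the report.

```python
"""Flag ClusterRoleBindings that grant permissions to anonymous or unauthenticated callers.

Added example, not code from the original report. Input is the JSON shape of
`kubectl get clusterrolebindings -o json` and `kubectl get clusterroles -o json`;
the samples at the bottom are constructed.
"""
import json

ANONYMOUS_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}
# Stock binding that exposes only non-resource URLs such as /healthz and /version.
DEFAULT_PUBLIC_BINDING = "system:public-info-viewer"


def is_anonymous_subject(subject: dict) -> bool:
    return (subject.get("kind"), subject.get("name")) in ANONYMOUS_SUBJECTS


def audit_anonymous_bindings(bindings: dict, roles: dict) -> list[dict]:
    """One finding per binding whose subjects include an anonymous identity."""
    role_rules = {r["metadata"]["name"]: r.get("rules") or [] for r in roles.get("items", [])}
    findings = []
    for binding in bindings.get("items", []):
        name = binding["metadata"]["name"]
        anonymous = [s for s in binding.get("subjects") or [] if is_anonymous_subject(s)]
        if not anonymous:
            continue
        role_name = binding["roleRef"]["name"]
        # Rules with a 'resources' key touch API objects; nonResourceURLs-only rules do not.
        resource_rules = [r for r in role_rules.get(role_name, []) if r.get("resources")]
        findings.append({
            "binding": name,
            "role": role_name,
            "subjects": [s["name"] for s in anonymous],
            "grants_resource_access": bool(resource_rules),
            "resource_verbs": sorted({f"{verb} {res}" for r in resource_rules
                                      for verb in r.get("verbs", []) for res in r.get("resources", [])}),
            # True only for the stock binding when it still grants no resource access.
            "expected_default": name == DEFAULT_PUBLIC_BINDING and not resource_rules,
        })
    return findings


# Constructed samples (not real cluster data): the stock public-info binding plus a
# placeholder misconfiguration that binds cluster-admin to anonymous callers.
SAMPLE_BINDINGS = json.loads("""
{"items": [
  {"metadata": {"name": "system:public-info-viewer"},
   "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"},
                {"kind": "Group", "name": "system:unauthenticated"}]},
  {"metadata": {"name": "anonymous-cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "system:anonymous"},
                {"kind": "Group", "name": "system:unauthenticated"}]},
  {"metadata": {"name": "ops-view"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "ops-team"}]}
]}
""")
SAMPLE_ROLES = json.loads("""
{"items": [
  {"metadata": {"name": "system:public-info-viewer"},
   "rules": [{"nonResourceURLs": ["/healthz", "/livez", "/readyz", "/version", "/version/"], "verbs": ["get"]}]},
  {"metadata": {"name": "cluster-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
             {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "view"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
]}
""")

if __name__ == "__main__":
    for finding in audit_anonymous_bindings(SAMPLE_BINDINGS, SAMPLE_ROLES):
        status = "expected default" if finding["expected_default"] else "REVIEW"
        print(f"{status}: {finding['binding']} -> {finding['role']} for {finding['subjects']}")
        if finding["grants_resource_access"]:
            print("  resource access:", ", ".join(finding["resource_verbs"]))
```

Any finding that is not the expected default is a binding to remove. Clusters that do not need unauthenticated probes at all can go further and start the API server with `--anonymous-auth=false`, which removes the `system:anonymous` identity entirely; RoleBindings inside individual namespaces deserve the same check, with `kubectl get rolebindings -A -o json` as input.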
## Related Tools/Techniques
- DERO Miner (Original implementation)
- UPX (Software Packer)
- Kubernetes API Exploitation (Initial Access Vector)