Full Report
In July 2023, details of recent activities related to ScarletEel were published, showing the advancement of the attacker over time. The threat actors expanded their arsenal to include new tools and a C2 infrastructure, making it more difficult to detect their activity. They ty...
Analysis Summary
Based on the intelligence available on the evolution of the **ScarletEel** threat actor group as of July 2023, the following is a structured summary.
# Threat Actor: ScarletEel
## Attribution & Identity
* **Name:** ScarletEel
* **Actor Type:** Financially motivated advanced threat actor.
* **Associations:** While they exhibit sophisticated cloud-native exploitation capabilities, they are primarily associated with large-scale cryptomining and data exfiltration operations.
## Activity Summary
Recent activities in 2023 demonstrate a significant maturation of the group. Moving beyond simple automated scripts, ScarletEel has transitioned into a more persistent threat. Their operations now involve sophisticated multi-stage attacks targeting cloud environments (specifically AWS), moving laterally from containerized workloads to the underlying cloud infrastructure to steal proprietary data and compute resources.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of vulnerable public-facing web applications and services hosted on containers (e.g., Jupyter Notebooks).
* **Credential Access:** Harvesting AWS IAM credentials from the instance metadata service (IMDS).
* **Evasion:** Disabling security logging (AWS CloudTrail) and using sophisticated obfuscation for their scripts.
* **Lateral Movement:** Moving from compromised containers to the host and then across the AWS account using stolen IAM roles.
* **Exfiltration:** Utilizing specialized tools to exfiltrate large volumes of data (e.g., S3 bucket contents) to controlled infrastructure.
* **Resource Hijacking:** Deployment of high-performance cryptojacking malware.
## Targeting
* **Sectors:** Technology, Research, and Finance (industries heavily reliant on intensive cloud computing and containerized environments).
* **Geography:** Global (targeting any vulnerable cloud infrastructure regardless of region).
* **Victims:** Organizations utilizing AWS and container orchestration platforms with misconfigured or vulnerable public-facing services.
## Tools & Infrastructure
* **Malware/Tools:**
  * **Peirates:** A penetration testing tool for Kubernetes.
  * **Pacu:** An open-source exploitation framework for AWS.
  * **Custom C2:** Newly developed Command and Control infrastructure to manage compromised assets.
  * **Cryptominers:** High-performance XMRig variants.
* **Infrastructure:**
  * Utilizes legitimate cloud services for hosting malicious payloads.
  * C2 Infrastructure: [example]hxxp[://]45[.]9[.]148[.]xxx (defanged)
  * Data Exfiltration Points: [example]hxxp[://]transfer[.]sh (defanged)
## Implications
ScarletEel represents a growing trend where "low-level" cryptojacking groups are evolving into "high-level" data thieves. Their ability to navigate complex cloud environments and bypass standard detection mechanisms indicates a strategic shift toward intellectual property theft. The speed at which they pivot from a container compromise to account-level takeover necessitates automated, real-time cloud security responses.
## Mitigations
* **IMDS Configuration:** Enforce IMDSv2 (session tokens required) and restrict the metadata response hop limit so that containers running on the instance cannot reach the instance role's credentials.
* **Least Privilege:** Implement strict IAM policies (Least Privilege) to ensure compromised containers cannot access S3 buckets or administrative functions.
* **Runtime Security:** Deploy cloud-native detection and response (CDR) tools to monitor for unusual binary executions within containers.
* **Vulnerability Management:** Regularly patch and secure public-facing applications (e.g., Jupyter, Docker APIs) to prevent initial entry.
* **Logging:** Ensure AWS CloudTrail is enabled across all regions and monitored for "StopLogging" or "DeleteTrail" events.
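Two of the mitigations above can be turned into concrete checks. The following is an added example, not code from the original report: a small IAM policy linter that flags the over-broad grants which let a container foothold reach S3 or administrative actions (the **Least Privilege** item), and a CloudTrail record scanner that alerts on `StopLogging` / `DeleteTrail` calls (the **Logging** item) and on API calls made with EC2 role credentials delivered through IMDSv1, using the `userIdentity.sessionContext.ec2RoleDelivery` attribute that CloudTrail records carry (the **IMDS Configuration** item). The policies, bucket name and CloudTrail records are constructed sample data.

```python
"""Added example (not from the original report): defender-side checks for
three of the mitigations above, run over constructed sample data.

1. lint_iam_policy(): flags Allow statements with wildcard actions, or with
   sensitive service actions (S3, IAM, CloudTrail, STS) granted on all
   resources, and shows a least-privilege policy that passes the check.
2. find_cloudtrail_tampering(): scans CloudTrail records for StopLogging /
   DeleteTrail calls and for API calls made with EC2 role credentials
   obtained via IMDSv1 (sessionContext.ec2RoleDelivery == "1.0").
"""

# Service prefixes whose actions give a compromised workload data access or
# administrative power; granting them on Resource "*" is what turns a
# container compromise into an account-level incident.
SENSITIVE_PREFIXES = ("s3:", "iam:", "cloudtrail:", "sts:")


def lint_iam_policy(policy: dict) -> list:
    """Return human-readable findings for an IAM policy document."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        sid = stmt.get("Sid", f"statement[{idx}]")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action.startswith(SENSITIVE_PREFIXES) and "*" in resources:
                findings.append(f"{sid}: {action!r} allowed on all resources")
    return findings


# Constructed example of an over-broad policy attached to a workload role.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow",
                   "Action": ["s3:*", "iam:PassRole"], "Resource": "*"}],
}

# Constructed least-privilege counterpart: read-only, one bucket, one prefix.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadOneBucket", "Effect": "Allow",
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-app-data/config/*"}],
}

# CloudTrail API calls that disable or remove audit logging.
TAMPERING_EVENTS = {"StopLogging", "DeleteTrail"}


def find_cloudtrail_tampering(records: list) -> list:
    """Return (eventName, callerArn, reason) tuples for records needing attention."""
    alerts = []
    for rec in records:
        name = rec.get("eventName", "")
        identity = rec.get("userIdentity", {})
        arn = identity.get("arn", "unknown")
        if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
                and name in TAMPERING_EVENTS):
            alerts.append((name, arn, "CloudTrail logging tampered with"))
        # Role credentials fetched through IMDSv1 are recorded as "1.0";
        # IMDSv2 as "2.0". Any "1.0" means the hop-limit/token enforcement
        # above is not in place for that instance.
        delivery = identity.get("sessionContext", {}).get("ec2RoleDelivery")
        if delivery == "1.0":
            alerts.append((name, arn, "API call with IMDSv1-issued credentials"))
    return alerts


# Constructed sample CloudTrail records (not real telemetry).
SAMPLE_RECORDS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc",
                      "sessionContext": {"ec2RoleDelivery": "1.0"}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0def",
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/ops-admin"}},
]

if __name__ == "__main__":
    for finding in lint_iam_policy(OVERLY_BROAD_POLICY):
        print("POLICY:", finding)
    for alert in find_cloudtrail_tampering(SAMPLE_RECORDS):
        print("ALERT:", *alert)
```

In practice the linter would be run over every policy attached to roles that workloads can assume, and the CloudTrail scanner over an organization-wide trail (so that a `StopLogging` in one region cannot hide itself), with alerts routed to the same real-time response path the **Implications** section calls for.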