Meet CoinStomp: New cryptojacking malware targets Asian cloud service providers

Shell scripts are being used to exploit cloud instances.
Written by Charlie Osborne, Contributing Writer

Researchers have discovered a new malware family targeting cloud services to mine cryptocurrency.

Dubbed CoinStomp, the malware consists of shell scripts that "attempt to exploit cloud compute instances hosted by cloud service providers for the purpose of mining cryptocurrency," according to Cado Security.

The firm's researchers say that the overall purpose of CoinStomp is to quietly compromise instances in order to harness their computing power to illicitly mine cryptocurrency, a form of attack known as cryptojacking.

So far, the attack attempts observed have targeted cloud service providers in Asia.

Clues in the code also reference Xanthe, a cryptojacking threat group recently tied to the Abcbot botnet. However, the clue, found in a defunct payload URL, is not enough to firmly establish who is responsible for CoinStomp and may have been included in "an attempt to foil attribution," according to the team.

CoinStomp has a number of interesting capabilities. One is its reliance on "timestomping": manipulating file timestamps with the Linux touch command to rewrite a file's modification and access times.

"It seems likely that timestomping was employed to obfuscate usage of the chmod and chattr utilities, as forensic tools would display the copied versions of these binaries as being last accessed (executed) at the timestamp used in the touch command," Cado Security noted. 
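As an added example, not Cado's code and not a CoinStomp artifact, the check a responder can run against this trick: touch can rewrite a file's mtime and atime, but the inode change time (ctime) is maintained by the kernel and is itself updated by the touch call, so a file whose mtime sits well before its ctime is a candidate for timestomping. The script assumes GNU coreutils (stat -c, touch -d) and a directory supplied by the caller; the backdated copy of chmod in timestomp_demo is a constructed sample, not a real infection.

```shell
#!/bin/sh
# Added example: flag files whose mtime predates ctime by more than a threshold.
# touch(1) sets mtime/atime, but the kernel records the touch itself in ctime,
# so a backdated mtime and a fresh ctime disagree. Assumes GNU stat/touch.

# timestomp_suspects DIR [GAP_SECONDS]
# Prints "mtime ctime path" for regular files under DIR whose ctime is more
# than GAP_SECONDS (default 86400) later than their mtime.
timestomp_suspects() {
    dir=$1
    gap=${2:-86400}
    find "$dir" -type f -exec stat -c '%Y %Z %n' {} + |
    while read -r mtime ctime path; do
        if [ $((ctime - mtime)) -gt "$gap" ]; then
            printf '%s %s %s\n' "$mtime" "$ctime" "$path"
        fi
    done
}

# timestomp_demo: reproduce the described trick on a throwaway copy of chmod
# (constructed sample) and show that the copy is flagged while nothing else is.
timestomp_demo() {
    tmp=$(mktemp -d)
    cp "$(command -v chmod)" "$tmp/chmod"
    touch -d '2019-01-01 00:00:00' "$tmp/chmod"   # backdate mtime and atime only
    timestomp_suspects "$tmp"
    rm -rf "$tmp"
}
```

Run `timestomp_suspects /tmp` or `timestomp_suspects /usr/bin 0` on a live host; package upgrades and restores from backup also produce mtime-before-ctime files, so treat hits as leads to correlate with the systemd and crypto-policy changes described in the report, not as verdicts on their own.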

In addition, the malware attempts to tamper with the server's system-wide cryptographic policies. Cado reports that these policies can prevent malicious executables from being dropped or executed, and CoinStomp's developer has included a routine that disables them through a kill command.

"This could undo attempts to harden the target machine by administrators, ensuring that the malware achieves its objectives," the researchers say.

CoinStomp then establishes a connection to its command-and-control (C2) server via a reverse shell. The script downloads further payloads and installs them as system-wide systemd services that run with root privileges.

These include binaries that can act as backdoors and a custom build of XMRig, the legitimate open-source Monero miner routinely abused for criminal mining.
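A matching check for the persistence step, added here as an example rather than taken from the report: CoinStomp is described as installing its payloads as system-wide systemd services, so a responder can enumerate unit files and flag any whose ExecStart runs from an unexpected location or wraps a download-and-execute one-liner. The function assumes a directory of unit files is passed in (normally /etc/systemd/system); the allowlist of directory prefixes and the list of tell-tale tool names are assumptions chosen for illustration, not indicators from Cado's analysis, and the unit files in the usage note are constructed.

```shell
#!/bin/sh
# Added example: heuristic hunt for systemd units a cryptojacker might drop.
# Assumptions: unit files live in the directory given; legitimate binaries come
# from the listed system prefixes; the tool names are a starting list, not IOCs.

# unit_suspects DIR
# Prints "reason<TAB>unit<TAB>command" for each *.service in DIR whose first
# ExecStart= line runs from outside the usual prefixes or contains a
# downloader / decoder / reverse-shell idiom.
unit_suspects() {
    dir=$1
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        # strip the key and systemd's executable prefixes (-, @, +, !, :)
        cmd=$(sed -n 's/^ExecStart=[-@+!:]*//p' "$unit" | head -n 1)
        [ -n "$cmd" ] || continue
        prog=${cmd%% *}
        reason=""
        case $prog in
            /usr/*|/bin/*|/sbin/*|/lib/*|/opt/*|/etc/*) ;;   # expected locations
            *) reason="odd-path" ;;                          # /tmp, /dev/shm, $HOME, relative
        esac
        case $cmd in
            *curl*|*wget*|*base64*|*/dev/tcp/*|*"/nc "*|*" nc "*|*"bash -i"*)
                reason="${reason:+$reason,}downloader-or-shell" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\n' "$reason" "$unit" "$cmd"
        fi
    done
    return 0
}
```

Usage: `unit_suspects /etc/systemd/system` (and the per-user `~/.config/systemd/user` directories for non-root persistence). A unit such as `ExecStart=/tmp/.x/xmrig --config=/tmp/.x/c.json` is reported as `odd-path`, and `ExecStart=/bin/sh -c "curl -s http://127.0.0.1/p | sh"` as `downloader-or-shell`, while `ExecStart=/usr/sbin/sshd -D` passes. Pair the hit list with the timestamp check above the quoted passage, since a dropped unit's ctime will be recent even if its mtime has been backdated.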

"CoinStomp demonstrates the sophistication and knowledge of attackers in the cloud security space," Cado Security says. "Employing anti-forensics techniques and weakening the target machine by removing cryptographic policies demonstrates not only a knowledge of Linux security measures but also an understanding of the incident response process."
