The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers' use of evolving malware and stealthy communication channels.

Introduction

Execution flow

Initial access

Fileserver

RUDEDEVIL / LUCIFER

Thread Management in the Malware

Connecting to the Command-and-Control (C2) Server

Understanding the `ConnectServer` Function

Command-and-Control (C2) Commands

Variants of RUDEDEVIL Malware and XMRIG Configuration

GSOCKET

Post compromise dwell time

KAIJI malware: a comparison to previous samples

The saga continues

Custom built binaries

Additional reconnaissance 

Mining activities

**Understanding the `obteneruid` Function

Understanding the `enviardatos` Function

**Understanding the `hacerjugada` Function

Understanding the `completarbono` Function

Likely Used for Testing Purposes

REF6138 through MITRE ATT&CK

**Detecting REF6138**

Detection

Prevention

Hunting queries in Elastic

EQL queries

YARA

Defensive recommendations

Observations

References

Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse

In this final part of this Linux persistence series, we'll continue exploring persistence mechanisms on Linux systems, focusing on more advanced techniques and how to detect them.

Setup note

T1037 - boot or logon initialization scripts: Init

T1037 - boot or logon initialization scripts: System V init

BEGIN INIT INFO

END INIT INFO

Persistence through T1037 - System V init

Hunting for T1037 - System V init

T1037 - boot or logon initialization scripts: Upstart

T1037.004 - boot or logon initialization scripts: run control (RC) scripts

Persistence through T1037.004 - run control (RC) scripts

Hunting for T1037.004 - run control (RC) scripts

T1037 - boot or logon initialization scripts: Message of the Day (MOTD)

Persistence through T1037 - message of the day (MOTD)

Hunting for T1037 - message of the day (MOTD)

T1546 - event triggered execution: udev

Persistence through T1546 - udev

Hunting for T1546 - udev

T1546.016 - event triggered execution: installer packages

T1546.016 - installer packages (APT)

Persistence through T1546.016 - installer packages (APT)

T1546.016 - installer packages (YUM)

Persistence through T1546.016 - Installer Packages (YUM)

T1546.016 - installer packages (DNF)

Persistence through T1546.016 - installer packages (DNF)

Hunting for persistence through T1546.016 - installer packages

T1546 - event triggered execution: Git 

T1546 - event triggered execution: Git hooks

T1546 - event triggered execution: git pager

Persistence through T1546 - Git

Hunting for persistence through T1546 - Git

T1548 - abuse elevation control mechanism: process capabilities

Persistence through T1548 - process capabilities

Hunting for persistence through T1548 - process capabilities

T1554 - compromise host software binary: hijacking system binaries

Persistence through T1554 - hijacking system binaries

Hunting for persistence through T1554 - hijacking system binaries

Conclusion

A walkthrough on how threat actors establish persistence on Linux systems and how to hunt for these techniques.

Linux Detection Engineering - A Sequel on Persistence Mechanisms

In this second part of the Linux Detection Engineering series, we map multiple Linux persistence mechanisms to the MITRE ATT&CK framework, explain how they work, and how to detect them.

What is persistence?

Setup

T1053 - scheduled task/job

T1053.003 - scheduled task/job: Cron

Persistence through T1053.003 - cron

T1053.002 - scheduled task/job: at

Persistence through T1053.002 - At

T1053 - scheduled task/job: honorable mentions

Hunting for T1053 - scheduled task/job 

T1453 - create or modify system process (systemd)

T1453.002 - create or modify system process: systemd services

T1053.006 - scheduled task/job: systemd timers

T1453 - create or modify system process: systemd generators

Persistence through T1453/T1053 - systemd services, timers and generators

Hunting for T1053/T1453 - systemd services, timers and generators

T1546.004 - event triggered execution: Unix shell configuration modification

Persistence through T1546.004 - shell profile modification

Hunting for T1546.004 - shell configuration modification

T1547.013 - boot or logon autostart execution: XDG autostart entries

Persistence through T1547.013 - Cross-Desktop Group (XDG)

Hunting for T1547.013 - XDG autostart entries

T1548.001 - abuse elevation control mechanism: setuid and setgid

Persistence through T1548.001 - setuid and setgid

Hunting for T1548.001 - setuid and setgid

T1548.003 - abuse elevation control mechanism: sudo and sudo caching (sudoers file modification)

Persistence through T1548.003 - sudoers file modification

Hunting for T1548.003 - sudoers file modification

T1098/T1136 - account manipulation/creation

T1136.001 - create account: local account

T1098 - account manipulation: user credential modification

T1098 - account manipulation: direct /etc/passwd file modification

T1136.001 - create account: backdoor user creation

T1098 - account manipulation: user added to privileged group

Persistence through T1098/T1136 - account manipulation/creation

Hunting for T1098/T1136 - account manipulation/creation

T1098.004 - account manipulation: SSH

Persistence through T1098.004 - SSH modification

Hunting for T1098.004 - SSH modification

T1059.004 - command and scripting interpreter: bind shells

Persistence through T1059.004 - bind shells

Hunting for T1059.004 - bind shells

T1059.004 - command and scripting interpreter: reverse shells

Linux Detection Engineering - A primer on persistence mechanisms

In this article, learn more about using Auditd and Auditd Manager for detection engineering.

Introduction to Auditd

Auditd setup

Auditd rules

Control type rules

File System Rules

System call rules

Introduction to Auditd Manager and setup

Auditd rule file troubleshooting

Analyzing Auditd Manager events

Auditd Manager detection rule examples

Potential reverse shell via UDP

Potential Meterpreter reverse shell

Linux FTP/RDP brute force attack detected

Network connection from binary with RWX memory region

Linux detection engineering with Auditd

This research reveals insights into some of the large-scale malware analysis performed by Elastic Security Labs, and complements research related to the Detonate framework.

Author

Ruben Groenewoud

Articles

Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse

Linux Detection Engineering - A Sequel on Persistence Mechanisms

Linux Detection Engineering - A primer on persistence mechanisms

Linux detection engineering with Auditd

An Elastic approach to large-scale dynamic malware analysis