Yearlong Supply-Chain Attack Steals 390K Credentials

But wait, there’s more

On Friday, Datadog revealed that MUT-1244 employed additional means for installing its second-stage malware. One was a collection of at least 49 malicious entries posted to GitHub that contained Trojanized proof-of-concept exploits for security vulnerabilities. Such proof-of-concept packages help both malicious actors and legitimate security personnel better understand the extent of vulnerabilities, including how they can be exploited or patched in real-life environments.

New Vectors for Spread

A second major vector for spreading @0xengine/xmlrpc was through phishing emails. Datadog discovered MUT-1244 had left a phishing template, accompanied by 2,758 email addresses scraped from arXiv, a site frequented by professional and academic researchers.

A Phishing Email Campaign

The email, directed to people who develop or research software for high-performance computing, encouraged them to install a purported CPU microcode update that would significantly improve performance. Datadog later determined that the emails had been sent from October 5 through October 21.

Additional Vectors

Further adding to the impression of legitimacy, several of the malicious packages are automatically included in legitimate sources, such as Feedly Threat Intelligence and Vulnmon. These sites included the malicious packages in proof-of-concept repositories for the vulnerabilities the packages claimed to exploit.

Stealing Credentials

The attackers’ use of @0xengine/xmlrpc allowed them to steal some 390,000 credentials from infected machines. Datadog has determined the credentials were for use in logging into administrative accounts for websites that run the WordPress content management system.
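As an added defender-side check (not code from the article, Datadog or Checkmarx), the script below walks an npm package-lock.json, including transitive dependencies, for the @0xengine/xmlrpc package the campaign distributed; it assumes the package reached victims as an npm dependency of a Trojanized proof-of-concept project, and the lock-file contents and version numbers are constructed.

```python
import json
from typing import Iterator

# Package name reported in the article; everything else below is constructed sample data.
SUSPECT_PACKAGES = {"@0xengine/xmlrpc"}

def iter_lock_entries(lock: dict) -> Iterator[tuple[str, str]]:
    """Yield (name, version) for every package in a package-lock.json.
    Handles lockfileVersion 2/3 (flat "packages" map keyed by install path)
    and lockfileVersion 1 (nested "dependencies" tree)."""
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # Scoped names keep their "@scope/" prefix after the last node_modules/ segment.
        name = meta.get("name") or path.split("node_modules/")[-1]
        yield name, meta.get("version", "")
    stack = [lock.get("dependencies", {})]
    while stack:
        deps = stack.pop()
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            if "dependencies" in meta:  # nested transitive dependencies (v1 layout)
                stack.append(meta["dependencies"])

def find_suspect_packages(lock_text: str, suspects=SUSPECT_PACKAGES) -> list[tuple[str, str]]:
    """Return sorted (name, version) pairs from the lock file that match the blocklist."""
    lock = json.loads(lock_text)
    hits = {(n, v) for n, v in iter_lock_entries(lock) if n in suspects}
    return sorted(hits)

# Constructed sample: a "proof-of-concept" project whose lock file pulls in the
# blocklisted package only transitively, through a helper dependency (lockfileVersion 3).
SAMPLE_LOCK = json.dumps({
    "name": "poc-exploit", "lockfileVersion": 3,
    "packages": {
        "": {"name": "poc-exploit", "dependencies": {"helper-lib": "^1.0.0"}},
        "node_modules/helper-lib": {"version": "1.0.0", "dependencies": {"@0xengine/xmlrpc": "*"}},
        "node_modules/helper-lib/node_modules/@0xengine/xmlrpc": {"version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

if __name__ == "__main__":
    for name, version in find_suspect_packages(SAMPLE_LOCK):
        print(f"blocklisted dependency found: {name}@{version}")
```

Run it against each project's real package-lock.json; a hit means the lock file references the package somewhere in the dependency tree, which is a reason to inspect that project and its build hosts.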

Conclusion

Taken together, the many facets of the campaign—its longevity, its precision, the professional quality of the backdoor, and its multiple infection vectors—indicate that MUT-1244 was a skilled and determined threat actor. The group did, however, err by leaving the phishing email template and addresses in a publicly available account.

Frequently Asked Questions

Q: What is the purpose of the campaign?

A: The purpose of the campaign is unclear, as the ultimate motives of the attackers remain unknown.

Q: Who was targeted by the campaign?

A: The campaign targeted people who develop or research software for high-performance computing, as well as researchers.

Q: How many credentials were stolen?

A: The attackers stole approximately 390,000 credentials from infected machines.

Q: What are the indicators of compromise (IOCs) provided by Datadog and Checkmarx?

A: Datadog and Checkmarx have published IOCs that readers can use to check whether they have been targeted by the campaign.
