During our daily threat hunting activities in our 4000+ customer base, we have gained an intimate understanding of the adversaries behind the threats. This unique insight has been organized by our hunters and security researchers to create threat activity clusters. By clustering these adversaries, we know how to better mitigate the threat they present.

Activity clusters separate adversaries into distinct threat group “flavors.” Once understood, the threat posed become manageable, and we believe they should have a suitably unintimidating identifier. So, what could be less intimidating than ice cream?

To learn more about Project Ice Cream, read the series’ introductory blog here.

Introducing Chocolate

Threat Activity Cluster Chocolate

When you understand an adversary, you can give them a name. We have called this adversary flavor Chocolate, a threat activity cluster using botnets to compromise vulnerable servers. It then adds the newly compromised machines to their existing botnets to mount further attacks while hijacking the CPU to mine Monero cryptocurrency.

All shared indicators, mitigations, and detection recommendations are at the end of this blog.

The Origin of Chocolate

We have observed this flavor intermittently in our customer base since early 2021. Chocolate was observed successfully exploiting Oracle WebLogic and Apache Tomcat servers. Our hunters and researchers collected the scripts and malware samples used in this compromise, where they were then reverse engineered to create signatures around the botnet and crypto-mining configuration payloads. This created hunting telemetry that triggered on stable artifacts within the scripts.

This was the start of our Chocolate threat activity cluster. Since the initial compromise, the group has matured from appearing intermittently in our dataset and exploiting dated or simpler vulnerabilities (such as Jenkins brute force attacks) to a more active threat who employ sophisticated tactics.

The initial clustering proved effective in detecting Chocolate’s actions when the group shifted toward timely capitalization of emerging threat exploits.

This was evident in Chocolate’s recent campaign centered around the 2022 Atlassian Confluence Zero-Day Vulnerability, where the flavor had greater success by compromising machines before IT admins mitigated in their next patch cycle.

Capabilities

External actors continue to be the biggest cause of breaches. The best way for an external actor to gain full control of a vulnerable machine is to find a remote code execution (RCE) exploit that requires little-to-no prerequisites for exploitations, such as authenticated access or knowledge of the target’s configuration. Chocolate favors these types-of exploits; we have identified successful exploitation of the following:

  • Atlassian Confluence – CVE-2022-26134
  • Laravel – CVE-2021-3129
  • Apache Struts – CVE-2017-5638
  • PHP Unit – CVE-2017-9841
  • Think PHP CVE-2018-20062
  • Mongo Express – CVE-2019-10758
  • Supervisor XML-RPC – CVE-2017-11610
  • SaltStack – CVE-2020-16846
  • Drupal – CVE-2018-7600
  • Hadoop YARN ResourceManager Unauthenticated Application Creation
  • Mongo Express RCE

Once Chocolate gains entry, the victim is instructed via wget, curl, or powershell to pull a dropper script (LDR.sh or LDR.ps1) from the attacker-owned server to establish control. When remote access is achieved, the script proceeds to create a backdoor as well as scheduled tasks (Windows) and Cron jobs (linux) that will re-establish access should the backdoor be removed, before pulling configuration files for their immediate actions on objectives.

Our Threat Intelligence team created content around the files and scripts used in the installation phase. Normally, the user agent is an excellent trigger for detection, as it is relatively unique and consistent. This was not true with Chocolate which employed a custom user agent that varied ased on the current date and time, making it too unstable for reliable detections. Therefore, our Threat Intelligence focused telemetry on script variables, URI, filenames (which are unusually consistent with this actor), and mining pools.

Filenames

  • sh
  • ps1

Constant variables in the dropper scripts

  • Cc
  • xmr
  • sys

Mining pools

  • xmr-eu1[.]nanopool[.]org|14444
  • f2pool[.]com|13531
  • minexmr[.]com|5555
  • xmr-eu1[.]nanopool[.]org
  • f2pool[.]com
  • minexmr[.]com

Actions on Objectives

Chocolate’s initial objective is cryptomining, achieved by deploying XMRIG Monero miners to hijack the target’s resources and monetizing the compromise. Mining, however, is not the group’s only objective.

When is a miner not just a miner? When it is also a botnet.

Infected systems are added to Chocolate’s botnet(s) and are used to compromise further systems by attacking random public IP addresses. These indiscriminate, spray-and-pray tactics are suited to a botnet; as Chocolate uses the infrastructure of others, they are not concerned about attribution or perimeter IP blocks.

Machines in a botnet often are referred to as zombies and Chocolate provide a perfect example. The zombie machines relentlessly attack from all locations, infecting those they can join to the zombie mining botnet, who in turn mount their own attacks and join the horde, mining and attacking simultaneously.

Fortunately, understanding the adversary is the vaccine.

Chocolate Infrastructure

This section focuses on infrastructure outside of the botnet, as the active botnet IPs is continuously changing.

Chocolate’s infrastructure is varied, geolocating to the United States, Thailand, France, and the UAE, demonstrating our regular assertion that geolocation of IP addresses is not a good indicator for attribution. Infrastructure observed often originates from minor cloud services or “boxes for hire,” suggesting a lack of dedicated infrastructure which aligns with their botnet tactics.

The group uses multiple mining pools for check in. However, singular addresses tend to be used at specific stages, making the IPs good candidates for hunting, although not entirely static and have been refreshed during the two years of clustering.

Flavor Specific Mitigations

Following are mitigation actions to take to prevent, detect, or respond to Chocolate tactics and techniques. Alert Logic customers can use our console to assist with elements of prevention and response. Many detections and response actions listed will be enabled or performed by Alert Logic as part of our MDR service.

Prevention

  • Update software — Ensure systems are patched with regular software updates to mitigate exploitation risk.
  • User account hardening — Where possible, ensure multifactor authentication is in place and appropriate password/lockout policies are enforced.
  • Privileged account management — Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. Accounts only should be given the privileges needed to complete its task, with all other privileges disabled.
  • Local file permissions — Restrict access to local files and directories by configuring operating system functionality.
  • Web application firewalls — Appropriate WAF policies can limit exposure of applications and prevent exploit traffic from reaching the application.
  • Endpoint protection tools — Prevent suspicious and malicious behavior patterns from occurring on endpoint systems. Be aware that threat groups are known to employ tactics that may circumvent or disable such preventive controls.
  • Network segmentation — Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.

Detection

  • Asset inventory — Ensure you have visibility into all your assets and there are no unknown hosts.
  • Appropriate logging – Detect application and OS indicators of compromise from across the kill chain while configuring enhanced logging where possible, such as command-line logging for PowerShell.
  • Network IDS – Inspect deep packets to provide visibility into application attacks and brute force techniques used to gain initial access and spread to other available hosts.
  • User behavior anomaly detection – Identify abnormal behaviors indicative of account compromise.
  • Anomalous account creations and modifications – Identify abnormal creations of new accounts and changes to existing account permissions used to establish persistence, lateral movement, and privilege escalation.
  • File integrity monitoring – Analyze changes made to files and the addition of new files into security sensitive directories, including those used for configuration settings and creating scheduled tasks or cron jobs.
  • Scheduled job analysis – Analyze source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling.

 Response

  • Isolate the host – Isolate from the network once compromise is detected for containment.
  • Disable user credentials – Disable compromised credentials used to perform malicious actions.
  • Remove malicious files – Consider reverting the machine to a known safe version. Otherwise, remove malicious files and remove or revert maliciously modified files to a known safe version. Methods listed under detection can help identify which files require attention.
  • Remove malicious files – Consider reverting the machine to a known safe version. Otherwise, remove malicious files and remove or revert maliciously modified files to a known safe version. Methods listed under detection can help identify which files require attention.

Shared Intelligence

Tactics, Techniques and Procedures (TTP)/Capabilities

  • CVE-2022-26134 [Exploitation]
  • CVE-2021-3129 [Exploitation]
  • CVE-2017-5638 [Exploitation]
  • CVE-2017-9841 [Exploitation]
  • CVE-2018-20062 [Exploitation]
  • CVE-2019-10758 [Exploitation]
  • CVE-2017-11610 [Exploitation]
  • CVE-2020-16846 [Exploitation]
  • CVE-2018-7600 [Exploitation]
  • Hadoop YARN ResourceManager Unauthenticated Application Creation [Exploitation]
  • Mongo Express RCE [Exploitation]
  • SSH Authorized Keys –004
  • Ingress Tool Transfer – T1105
  • Cron –003
  • Network Service Scanning – T1046
  • Resource Hijacking –T1496
  • Scheduled Task – T1053
  • Unix Shell –004
  • Obfuscated Files or Information – T1027
  • Exploit Public-Facing Application – T1190
  • Brute Force – T1110
  • Build or acquire exploits – T1349
  • Command-Line Interface – T1059
  • Account Manipulation – T1098
  • One-Way Communication –003
  • Remote File Copy – T1105
  • PowerShell – T1086
  • Clear Command History – T1146
  • Valid Accounts – T1078
  • Web Protocols –001

Constant variables in the dropper scripts 

  • Cc
  • xmr
  • sys

 Infrastructure

  • 202[.]28[.]229[.]174/ap[.]txt
  • 202[.]28[.]229[.]174/ap[.]sh
  • 202[.]28[.]229[.]174/root[.]sh
  • 202[.]28[.]229[.]174/sys[.]x86_64
  • 202[.]28[.]229[.]174
  • 202[.]28[.]229[.]174/ap[.]sh?confwget
  • 202[.]28[.]229[.]174/ap[.]sh?confcurl
  • 194[.]145[.]227[.]21/ldr[.]sh?[a-z0-9]{8}
  • 194[.]145[.]227[.]21/sysrv[.]x86_64
  • 194[.]145[.]227[.]21/sysrv[.]<arch_type>
  • 194[.]145[.]227[.]21
  • xmr-eu1[.]nanopool[.]org|14444
  • f2pool[.]com|13531
  • minexmr[.]com|5555
  • xmr-eu1[.]nanopool[.]org
  • f2pool[.]com
  • minexmr[.]com
  • 51[.]255[.]34[.]80
  • 51[.]15[.]67[.]17
  • 51[.]255[.]34[.]79
  • 51[.]255[.]34[.]80|14444
  • 51[.]15[.]67[.]17|14444
  • 51[.]255[.]34[.]79|14444
  • 31[.]210[.]20[.]120/ldr[.]sh
  • 45[.]145[.]185[.]85
  • 185[.]239[.]242[.]70
  • 51[.]15[.]67[.]17
  • 51[.]255[.]34[.]80
  • 51[.]255[.]34[.]79
  • 31[.]210[.]20[.]120
  • 1 – UNINET-AS-AP UNINET-, TH – 4621
  • 3 – Online SAS, FR – 12876
  • 1 – AS-SERVERION, US – 399471
  • 1 – DEDIPATH-LLC, US – 35913
  • 6 – OVH, FR – 16276
  • 1 – NTSERVICE-AS, UA – 48693
  • 1 – AS_DELIS, US – 211252

Find out how Alert Logic can support your organization in tackling existing and emerging threats used by actors like Chocolate by scheduling a personalized MDR demo.

Additional Resources

Explore Alert Logic’s Project Ice Cream threat activity clusters blog series:

Josh Davies
About the Author
Josh Davies
Josh Davies is the Principal Technical Product Marketing Manager at Alert Logic. Formerly a security analyst and solutions architect, Josh has extensive experience working with mid-market and enterprise organizations, conducting incident response and threat hunting activities as an analyst before working with businesses to identify appropriate security solutions for challenges across cloud, on-premises, and hybrid environments.

Related Post

Ready to protect your company with Alert Logic MDR?