During our daily threat hunting activities in our 4000+ customer base, we have gained an intimate understanding of the adversaries behind the threats. This unique insight has been organized by our hunters and security researchers to create threat activity clusters. By clustering these adversaries, we know how to better mitigate the threat they present.
Activity clusters separate adversaries into distinct threat group “flavors.” Once understood, the threat posed become manageable, and we believe they should have a suitably unintimidating identifier. So, what could be less intimidating than ice cream?
To learn more about Project Ice Cream and threat activity clusters, read the series’ introductory blog here.
In this second blog in our threat activity cluster series, we look back at an historic actor we’ve dubbed Mint with Sprinkles.
Why “Sprinkles”?
When we have sufficient evidence to suggest that the same threat actors are behind different activities, but we observe a significant shift to either the capabilities, attacker infrastructure, or target victims, we build upon the established flavor (in this case, Mint) with a topping, such as sprinkles. This is to represent that although the same actors are likely behind the activity, the way in which we track or cluster the new activity is different. We still believe that this activity is Mint, but it has superficially and significantly evolved enough to warrant Mint with Sprinkles.
You may have noticed that we discussed “Mint Evolution” in one of the headings in the original Mint blog. To be clear, yes, changes were made to their TTPs which were worthwhile discussing. However, the way in which we cluster, and therefore track the group, was mostly unaffected. In this instance, the evolution altered how we cluster and codify the activity.
Evolution of Mint to Mint with Sprinkles
As previously documented, Mint typically looks for vulnerable Linux servers, sends an RCE exploit to gain initial access, then sets up persistence mechanisms before hijacking the target’s resources to mine cryptocurrency.
The development observed in the Alert Logic dataset was a shift from targeting Linux to targeting vulnerable Windows machines. The change in target OS required a drastic change in TTPs and capabilities, hence the distinct evolution to Mint with Sprinkles.
Mint with Sprinkles exploitation of Windows machines followed Mint’s earlier success in exploiting Linux machines running the Citrix Application Deliver Controller (ADC). Always looking for the latest RCE exploit, one of the exploits they moved onto was the 2020 Oracle WebLogic RCE. Successfully exploiting the vulnerability gave them remote access, but unlike the Citrix ADC, Oracle’s WebLogic software can run on both Linux and Windows systems.
Initially, we observed the classic Mint tactics on the Windows devices, pulling down .sh files and attempting to run Linux based commands unsuccessfully. Threat hunters discovered Windows PowerShell logs that effectively said; “command doesn’t exist.” Mint would understand that for them to get to this stage, the exploit had been successful, but a good portion of victims were no longer moving onto the installation stage.
Mint tends to use spray-and-pray techniques to find vulnerable servers. Often attempting the exploit as their first action, thereby condensing the recon, delivery, and exploit stages of the kill chain.
In scenarios where we did observe a distinct recon and exploit phase, it was noted that no operating system ID was included, meaning Mint was not looking to differentiate between operating systems. It is our hypothesis that the shift to Windows tactics was the group’s response to capitalize on the inadvertent access to Windows machines they had gained during the Oracle WebLogic campaign.
Essentially, they now had control of Windows and Linux machines, but their existing TTPs would not allow them to monetize this access on the Windows machines.
This resulted in the creation of a new set of Windows centric capabilities, taking a different route but ultimately ending at the same outcome, dropping crypto miners.
The techniques, tactics, and procedures used remain consistent in the reconnaissance, delivery, and exploit phase across both Mint and Mint Sprinkles. Shifting focus to Windows servers required Mint with Sprinkles to employ tactics that will work on windows machines, but key common indicators remained. For example, a consistent filename was observed, with the addition of a ‘w’ character to flag for windows, and a change in dropper filetype.
The first .xml dropper pulled a second dropper, 1.ps1, which would kill off known competition, other miners, kill security prevention processes (such as EDR), and establish persistence via a scheduled task.
Mint with Sprinkles then pulled an XMRIG miner, alongside a config.json file which included instructions on how to mine, the login details, the mining pool, and established command and control to the miner. Elements of the configuration have been consistent across victims and have been used to help attribute activity to Mint and Mint with Sprinkles.
The actions performed by the new files resulted in the same outcomes typical of Mint. The attacker infrastructure also remained consistent in both Mint and Mint Sprinkles; again, they favored Russian and ex-Soviet IP addresses. Keep in mind that the attacker infrastructure geolocations do not amount to attribution.
All the points discussed – as well as indicators we have withheld from publication – strongly suggest this is an evolution of the Mint flavor. The adaptation of the flavor’s capabilities to work with Windows machines warrants a distinction in nomenclature – hence Mint with Sprinkles.
Known Exploits Used
- CVE-2020-14882 [exp]
- CVE-2020-14750 [exp]
TTPs
- Active Scanning – T1595 [recon]
- Exploit Public-Facing Application – T1190 [recon/delivery/exploit]
- Constant User-Agent [recon/delivery/exploit/C2]
- …w.xml [inst dropper]
- 1.ps1 [inst AoO]
- Scheduled Task/Job: Scheduled Task – T1053.005 [inst/persistence]
- config.json [inst/AoO]
- xmrig.exe [inst/AoO]
- Ingress Tool Transfer – T1105 [inst/C2]
- XMRIG Crypto mining [AoO]
- Resource hijacking – T1496 [AoO]
Targets
- Vulnerable Windows Servers
Flavor Infrastructure
- PINDC-AS [recon]
- RMINJINERING [recon]
- SELECTEL [recon]
- LLC BAXET [Inst]
- EUROBYTE Eurobyte LLC [inst]
- NTSERVICE-AS [inst]
Actions on Objectives
- Crypto mining (XMRIG)
Find out how Alert Logic can support your organization in tackling existing and emerging threats used by actors like Mint with Sprinkles by scheduling a personalized MDR demo.
Additional Resources
Explore Alert Logic’s Project Ice Cream threat activity cluster blog series:
