Industry News

UNC1142: Bitcoin Core Developer Targeted With Multiple Linux Backdoors

Matt SuicheThis memory analysis post is authored by Matt Suiche (Director, Memory, IR & R&D).

On November 17, 2022, Bitcoin Core developer, Luke Dashjr, reported on his Mastodon account that an unauthorized user had accessed his Linux server. This resulted in a targeted cryptocurrency heist, as well as the theft of his PGP key, as disclosed in a Mastodon message on January 1, 2023.

In this post, we’ll explore the breach and share some tactics, techniques, and best practices when dealing with this type of situation.

Taking a Deeper Look at an Unusual Linux Attack

This scenario is highly unusual and presents a valuable opportunity to gain insight into the modus operandi of a Linux attack. Security researcher Taha Karim (@lordx64) was able to obtain a copy of the samples from Luke Dashjr and has recently published a deep dive analysis of the three Linux samples shared with him by Luke Dashjr.

The initial infection vector of the Linux server remains unconfirmed. Luke initially speculated that it may have been due to a compromised installer of Bitcoin Knots, but no supply chain attacks have been reported. However, he later suspected that the infection might have been triggered by an “external media” being mounted on the system. The presence of a kernel rootkit cannot be confirmed, due to lack of access to the compromised endpoint. Luke also confirmed that his workstation was likely compromised, although the method by which the attackers spread from one system to the other is currently unclear.

In his technical analysis, Taha Karim (@lordx64), refers to the uncategorized cluster of activity as UNC1142 containing the following backdoors and tools:

In this case, a targeted operation against an individual was used to steal and abuse information on a Linux endpoint, resulting in a financial loss. This is a rare occurrence, as most currently known and active information-stealing campaigns, such as the Vidar stealer, typically target Windows systems through malvertising. These campaigns often distribute infected installers of popular software, such as OBS Studio, targeting streamers and YouTubers. These attacks have affected users from the crypto community, resulting in financial losses, as disclosed by Twitter user NFT_GOD on January 14, 2023. Other software commonly targeted in these campaigns include AnyDesk, Notepad++, Winrar, CCleaner, Blender 3D, 7-Zip, Gimp, VLC and others. We expect to see more attacks like this, which provide a clear path to profit, as ransomware victims refuse to pay attackers resulting in a 40% drop in ransomware profits in 2022.

Timeline

  • 17 November 2022 – Luke Dashjr shared a Mastodon message indicating his server has been accessed by an unauthorized user.
  • 1 January 2023 – Luke Dashjr shared a Mastodon message indicating his PGP key is compromised and that his cryptocurrency has been stolen.
  • 2 January 2023 – Taha Karim reached out to Luke Dashjr to have a copy of the samples.
  • 19 January 2023 – Taha Karim published the backdoors analysis.

Indicator of Compromise (IOCs)

SHA256 file hashes

  • 802e6e0ecf1af2e85a732b5c38b4ee1a490fb1e4c468b4dff1805d8a0ad05f7e – Installer.NIGHTRAVEN
  • 5252128f60c2485784310d32d8a5b4a7f172c89b1d280a33f53abd1011a1645d – Backdoor.DARKSABER
  • 9028e379ec23c1e52f209143e2f740c8678fcbf3d03599439eca3fdd833f263d – Backdoor.SHADOWSTRIKE
  • 873df01c63a60cf9456c1446c2f69174e848d55936faaf7360dd47fd2c616829 – Backdoor.SHADOWSTRIKE

Network

80.85.155.34:27032SHADOWSTRIKE C2
80.85.155.34:2475SHADOWSTRIKE C2
45.14.224.223NIGHTRAVEN
8.6.8.62:8443DARKSABER C2

MITRE ATT&CK TTPs

TacticTechniques
ReconnaissanceT1589 – Gather Victim Identity Information
Resource DevelopmentT1584.004 – Compromise Infrastructure: Server
Resource DevelopmentT1587.001 – Develop Capabilities: Malware
ExecutionT1053.003 – Scheduled Task/Job: Cron
PersistenceT1547 – Boot or Logon Autostart Execution
Privilege EscalationT1548 – Abuse Elevation Control Mechanism
DiscoveryT1083 – File and Directory Discovery
CollectionT1005 – Data from Local System
Command and ControlT1571 – Non-Standard Port
Command and ControlT1573 – Encrypted Channel
ExfiltrationT1041 – Exfiltration Over C2 Channel

Incident Response Best Practice

As part of your incident response plan, imaging not only the physical disk but the volatile memory of the potentially compromised system enables a deep dive investigation so you can analyze it offline. Also, this allows you to preserve evidence as attackers, especially in the scenarios of targeted attacks, may very likely still have access to your system and may destroy evidence as they go as part of their OPSEC.

Furthermore, in the case of sophisticated attackers who may be using kernel rootkits to hide their presence, you may not be able to find anything about them without conducting a deep dive analysis.

A very efficient way to image your system is to perform a memory acquisition of your compromised system using MAGNET DumpIt For Linux or MAGNET DumpIt for Windows, this will also help you to keep the evidence intact. Download these tools for free today over at our Free Tools page.

Holo, transparent letter M

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top