DERO cryptojacking adopts new techniques to evade detection
June 14, 2024, 10:35 a.m.
Description
This report examines the threat actors behind a 2023 cryptojacking campaign targeting misconfigured Kubernetes clusters, focusing on their evolving techniques to avoid detection. It analyzes the malicious Docker images they deployed, the hardcoded wallet and pool information in the DERO miner binary, and additional tools they likely used beyond Kubernetes exploitation. The report also provides defense recommendations and indicators of compromise.
Date
Published: June 14, 2024, 10:11 a.m.
Created: June 14, 2024, 10:11 a.m.
Modified: June 14, 2024, 10:35 a.m.
Indicators
e1de787777faba85dcca4e10d945553aefdba14b1995cca7cf0721ee571c7e96
e4aa649015b19a3c3350b0d897e23377d0487f9ea265fe94e7161fed09f283cf
d6b14a4fbe5b9adbc0094098b4690ba5f5426247e21474915c408ca4553fcd49
ad2ee0040f88a9001a32f945ce15de2dd1126c0f9f6cb626f2de0163792d8ff7
9131aac1df4b3a610f5fe69c55fdc19f07055648c0081e61536eb903e0914dc2
68656198c24d6b32c4916a5686906c62baf7d6baae3b1d7dc615e43cb6d3fca8
649a6fa70b26e5382652808348522b5e7f43f2f77a1b10a4cc5e5bfd5cb80327
561790bd60258e056c72755bbaf848cfe5c3af548882c6a6579a599192bce3d2
49e8422e5f273a564c15755711ab2a35a1deb2105bbe1a0a8ce670c9b38721e5
06d080c816f099cccab56e4b596128e73cd63f524bdc2ddf5dd78c26f409f219
209.141.32.182
http://209.141.32.182/cloud
update.windowsupdatesupport.link
name.windowsupdatesupport.link
h.windowsupdatesupport.link
d.windowsupdatesupport.link
windowsupdatesupport.link
nyryxagi7nifpk5faxmqcy8hpthmnfa9et.tt
Attack Patterns
DERO miner
T1610
T1027.002
T1036.005
T1070
T1105
T1496
T1140
T1190