DERO cryptojacking adopts new techniques to evade detection

June 14, 2024, 10:35 a.m.

Description

This report examines the threat actors behind a 2023 cryptojacking campaign targeting misconfigured Kubernetes clusters, focusing on their evolving techniques to avoid detection. It analyzes the malicious Docker images they deployed, the hardcoded wallet and pool information in the DERO miner binary, and additional tools they likely used beyond Kubernetes exploitation. The report also provides defense recommendations and indicators of compromise.

External References

https://www.wiz.io/blog/dero-cryptojacking-campaign-adapts-to-evade-detection
https://otx.alienvault.com/pulse/666c175fe42e7c21fbdbfa27
Tags
cloud
kubernetes
cryptojacking
2024-06-14
dero miner

Date

  • Created: June 14, 2024, 10:11 a.m.
  • Published: June 14, 2024, 10:11 a.m.
  • Modified: June 14, 2024, 10:35 a.m.

Indicators

  • e1de787777faba85dcca4e10d945553aefdba14b1995cca7cf0721ee571c7e96
  • e4aa649015b19a3c3350b0d897e23377d0487f9ea265fe94e7161fed09f283cf
  • d6b14a4fbe5b9adbc0094098b4690ba5f5426247e21474915c408ca4553fcd49
  • ad2ee0040f88a9001a32f945ce15de2dd1126c0f9f6cb626f2de0163792d8ff7
  • 9131aac1df4b3a610f5fe69c55fdc19f07055648c0081e61536eb903e0914dc2
  • 68656198c24d6b32c4916a5686906c62baf7d6baae3b1d7dc615e43cb6d3fca8
  • 649a6fa70b26e5382652808348522b5e7f43f2f77a1b10a4cc5e5bfd5cb80327
  • 561790bd60258e056c72755bbaf848cfe5c3af548882c6a6579a599192bce3d2
  • 49e8422e5f273a564c15755711ab2a35a1deb2105bbe1a0a8ce670c9b38721e5
  • 06d080c816f099cccab56e4b596128e73cd63f524bdc2ddf5dd78c26f409f219
  • 209.141.32.182
  • http://209.141.32.182/cloud
  • update.windowsupdatesupport.link
  • name.windowsupdatesupport.link
  • h.windowsupdatesupport.link
  • d.windowsupdatesupport.link
  • windowsupdatesupport.link
  • nyryxagi7nifpk5faxmqcy8hpthmnfa9et.tt
Download all indicators here!

Attack Patterns

  • DERO miner
  • T1610
  • T1027.002
  • T1036.005
  • T1070
  • T1105
  • T1496
  • T1140
  • T1190