DERO cryptojacking adopts new techniques to evade detection

June 14, 2024, 10:35 a.m.

Tags
cloud
kubernetes
cryptojacking
2024-06-14
dero miner
External References
Description

This report examines the threat actors behind a 2023 cryptojacking campaign targeting misconfigured Kubernetes clusters, focusing on their evolving techniques to avoid detection. It analyzes the malicious Docker images they deployed, the hardcoded wallet and pool information in the DERO miner binary, and additional tools they likely used beyond Kubernetes exploitation. The report also provides defense recommendations and indicators of compromise.

Date

Published: June 14, 2024, 10:11 a.m.

Created: June 14, 2024, 10:11 a.m.

Modified: June 14, 2024, 10:35 a.m.

Indicators

e1de787777faba85dcca4e10d945553aefdba14b1995cca7cf0721ee571c7e96

e4aa649015b19a3c3350b0d897e23377d0487f9ea265fe94e7161fed09f283cf

d6b14a4fbe5b9adbc0094098b4690ba5f5426247e21474915c408ca4553fcd49

ad2ee0040f88a9001a32f945ce15de2dd1126c0f9f6cb626f2de0163792d8ff7

9131aac1df4b3a610f5fe69c55fdc19f07055648c0081e61536eb903e0914dc2

68656198c24d6b32c4916a5686906c62baf7d6baae3b1d7dc615e43cb6d3fca8

649a6fa70b26e5382652808348522b5e7f43f2f77a1b10a4cc5e5bfd5cb80327

561790bd60258e056c72755bbaf848cfe5c3af548882c6a6579a599192bce3d2

49e8422e5f273a564c15755711ab2a35a1deb2105bbe1a0a8ce670c9b38721e5

06d080c816f099cccab56e4b596128e73cd63f524bdc2ddf5dd78c26f409f219

209.141.32.182

http://209.141.32.182/cloud

Download all indicators here!

Attack Patterns

DERO miner

T1610

T1027.002

T1036.005

T1070

T1105

T1496

T1140

T1190