From Automation to Exploitation: The Growing Misuse of Selenium Grid for Cryptomining and Proxyjacking
Sept. 17, 2024, 11:28 a.m.
Description
Two campaigns targeting Selenium Grid, a popular web testing tool, have been identified. Both exploit misconfigured instances that lack authentication in order to deploy cryptominers and proxyjacking tools. The first campaign injects a base64-encoded Python script that downloads and executes a reverse shell, followed by scripts that install IPRoyal Pawns for proxyjacking and TraffMonetizer for traffic monetization. The second campaign similarly injects a script that downloads and executes an ELF binary; this binary attempts privilege escalation, connects to Tor nodes for command and control (C2), and drops the 'perfcc' cryptominer. Both campaigns highlight the risk posed by misconfigured Selenium Grid instances and the need to enforce proper authentication on them.
Date
Published: Sept. 17, 2024, 11:14 a.m.
Created: Sept. 17, 2024, 11:14 a.m.
Modified: Sept. 17, 2024, 11:28 a.m.
Indicators
96969a8a68dadb82dd3312eee666223663ccb1c1f6d776392078e9d7237c45f2
95aa55faacc54532fdf4421d0c29ab62e082a60896d9fddc9821162c16811144
44e83f84a5d5219e2f7c3cf1e4f02489cae81361227f46946abe4b8d8245b879
31ee4c9984f3c21a8144ce88980254722fd16a0724afb16408e1b6940fd599da
22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
50.7.74.173
212.47.244.38
193.168.143.199
173.212.220.247
95.216.88.55
154.213.187.153
www.xt3tiue7xxeahd5lbz.com
www.os7mj54hx4pwvwobohhh6.com
www.kdzdpvltoaqw.com
www.fkxwama7ebnluzontqx2lq.com
http://173.212.220.247/burjdubai/.jblae/y
http://173.212.220.247/burjdubai/.jblae/pl
funnyralph69@proton.me
Attack Patterns
GSocket
perfcc
T1574.006
T1053.003
T1568.002
T1070.003
T1059.006
T1027.002
T1059.004
T1070.004
T1005
T1496
T1140
CVE-2021-4043