From Automation to Exploitation: The Growing Misuse of Selenium Grid for Cryptomining and Proxyjacking
Sept. 17, 2024, 11:28 a.m.
Description
Two campaigns targeting Selenium Grid, a popular web testing tool, have been identified. The attacks exploit misconfigured instances that lack authentication to deploy cryptominers and proxyjacking tools. The first campaign injects a base64-encoded Python script that downloads and executes a reverse shell, followed by scripts that install IPRoyal Pawns for proxyjacking and TraffMonetizer for traffic monetization. The second campaign similarly injects a script that downloads and executes an ELF binary. This binary attempts privilege escalation, connects to Tor nodes for command and control (C2), and drops the 'perfcc' cryptominer. Both campaigns highlight the risks of misconfigured Selenium Grid instances and the need for proper authentication.
Tags
Date
- Created: Sept. 17, 2024, 11:14 a.m.
- Published: Sept. 17, 2024, 11:14 a.m.
- Modified: Sept. 17, 2024, 11:28 a.m.
Indicators
- 96969a8a68dadb82dd3312eee666223663ccb1c1f6d776392078e9d7237c45f2
- 95aa55faacc54532fdf4421d0c29ab62e082a60896d9fddc9821162c16811144
- 44e83f84a5d5219e2f7c3cf1e4f02489cae81361227f46946abe4b8d8245b879
- 31ee4c9984f3c21a8144ce88980254722fd16a0724afb16408e1b6940fd599da
- 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
- 50.7.74.173
- 212.47.244.38
- 193.168.143.199
- 173.212.220.247
- 95.216.88.55
- 154.213.187.153
- www.xt3tiue7xxeahd5lbz.com
- www.os7mj54hx4pwvwobohhh6.com
- www.kdzdpvltoaqw.com
- www.fkxwama7ebnluzontqx2lq.com
- http://173.212.220.247/burjdubai/.jblae/y
- http://173.212.220.247/burjdubai/.jblae/pl
- funnyralph69@proton.me
Attack Patterns
- GSocket
- perfcc
- T1574.006
- T1053.003
- T1568.002
- T1070.003
- T1059.006
- T1027.002
- T1059.004
- T1070.004
- T1005
- T1496
- T1140