The Pacha Group is a threat actor discovered by Intezer and profiled in a blog post published on February 28, 2019. Dating back to September 2018 the Pacha Group has deployed undetected crypto-mining malware to infiltrate Linux servers and mine cryptocurrency without user permissions.

One of the more notable observations discerned by Intezer researchers was the remarkably aggressive behavior exhibited by the Pacha Group’s crypto-mining malware, named Linux.GreedyAntd, which was using a large number of techniques to disable or eliminate other miners on the servers.

Intezer researchers have discovered that the Pacha Group is now targeting cloud-based infrastructures, while identifying new, undetected variants of Linux.GreedyAntd which share significant amounts of code with previous variants. Like previous versions, the malware being used is mainly focused on cryptomining, this time with some updated operational mechanisms.

Cryptominers can interfere with the normal operation of production servers and can cause challenges to business continuity and financial loss due to excessive resource consumption. Within these new variants, strong evidence suggests that the Pacha Group is largely focused on disabling previously installed cryptominers from the Rocke cybercrime group, competing with the threat group to obtain the largest foothold of computing power to carry out their malicious mining efforts.

The Rocke Group was first reported by Cisco Talos researchers and is also known to target cloud-based environments. The Rocke Group has been deploying sophisticated crypto-mining campaigns in Linux servers and cloud-based environments as reported in January 2019 by Palo Alto Unit 42.

There is also strong evidence to suggest that the attack vector was a known vulnerability published on Atlassian Confluence in March 2019.

Mitigation Recommendations

1) Checking for infection – We have published YARA rules that can help users scan the filesystem or memory of their Linux machines to check for Linux.GreedyAntd infections: GitHub. We have also published relevant IOCs for this threat in our full technical analysis report.

2) Remediation / Clean up – Due to the Pacha Group’s aggressive persistence mechanisms such as rootkits and multiple implants, we recommend that the most effective way to clean up an infected system is to restore it from its backup, or if possible, terminate and start a new server.

3) Vulnerability patching – Refer to the recent Atlassian vulnerability disclosure for instructions on how to patch the vulnerable Confluence version.

Conclusion

By searching for and disabling previously installed cryptominers from other cybercrime groups, namely the Rocke Group, the Pacha Group is competing to obtain a foothold of computing power on the cloud for malicious crypto-mining activities.

We believe that these findings are relevant within the context of raising awareness about cloud-native threats, particularly on vulnerable Linux servers. While threat actor groups are competing with one another, this evidence may suggest that threats to cloud infrastructure are increasing. Unfortunately detection rates of Linux-based malware remain low and the security industry needs more awareness to more effectively mitigate these threats.

Technical Analysis and IOCs

To view the full technical analysis and IOCs, please visit https://intezer.com//blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud.