MUT-1244 Targeting Security Researchers, Red Teamers, and Threat Actors
Summary:
Threat actor MUT-1244, tracked by Datadog, has been conducting a widespread and multifaceted campaign targeting a range of individuals, including academics, security researchers, pentesters, red teamers, and even other threat actors. The group’s primary goal is to steal sensitive data such as AWS access keys, WordPress credentials, private SSH keys, bash history, and other critical system information. Their operations revolve around phishing campaigns, "ClickFix" attacks, and malicious GitHub repositories containing backdoored proof-of-concept exploits or npm packages designed to deceive victims into compromising their own systems.
One of their most notable tactics involved scraping email addresses from academic papers published on the open-access archive arXiv. Between October 5 and October 21, 2024, they sent phishing emails to academics and researchers, urging them to install a fraudulent CPU microcode update. Victims were instructed to run a malicious script, patch-mc-0x129.sh, hosted in a GitHub repository. Executing the script delivered the xmrdropper payload, a sophisticated malware that not only updates a cryptocurrency miner but also backdoors systems and exfiltrates critical data. The stolen data, including system information, private SSH keys, and environment variables, was uploaded to the file-sharing service file[.]io. This campaign marks one of the first documented “ClickFix”-style attacks targeting Linux systems.
Security Officer Comments:
In parallel, MUT-1244 has also targeted security researchers and offensive actors by setting up numerous GitHub repositories hosting fake or trojanized PoC exploit code. These repositories often masqueraded as legitimate projects, enticing researchers to download and execute the xmrdropper malware. Additionally, the group created a GitHub project, hpc20235/yawpp, which offered a seemingly useful tool for validating WordPress credentials. However, using the tool required users to install the @0xengine/xmlrpc npm package as a dependency. This package, hosted on the npm registry since October 2023, avoided detection due to its seemingly legitimate functionality and regular updates. Once installed, it delivered xmrdropper, mined cryptocurrency, and exfiltrated sensitive files, such as those in the ~/.aws directory, to Dropbox. The malware executed data exfiltration every 12 hours while actively mining cryptocurrency on compromised systems.
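Because the loader arrived as a dependency of an apparently benign tool, checking a project's direct dependencies alone is not enough. The following is an added example, not code from the report or from Datadog or Checkmarx: it looks for the report's @0xengine/xmlrpc package in a package.json and in a package-lock.json (v2/v3), where transitive installs are recorded, and reports which entry pulled it in. The sample manifest and lockfile are constructed, and the project name example-wp-checker is a placeholder.

```python
import json
from typing import List

# Indicator from the report: the npm package that delivered xmrdropper.
MALICIOUS_PACKAGES = {"@0xengine/xmlrpc"}


def find_in_manifest(manifest: dict) -> List[str]:
    """Return malicious packages declared directly in a package.json."""
    hits = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(field, {}):
            if name in MALICIOUS_PACKAGES:
                hits.append(f"{field}:{name}")
    return hits


def find_in_lockfile(lock: dict) -> List[str]:
    """Return install paths of malicious packages in package-lock.json (v2/v3).
    Keys of "packages" are paths like "node_modules/foo/node_modules/@x/y",
    so nested (transitive) installs are caught, not only direct dependencies."""
    hits = []
    for path in lock.get("packages", {}):
        # The package name is everything after the last "node_modules/" segment.
        name = path.rsplit("node_modules/", 1)[-1] if "node_modules/" in path else ""
        if name in MALICIOUS_PACKAGES:
            hits.append(path)
    return hits


def who_requires(lock: dict, target: str) -> List[str]:
    """Return lockfile entries whose declared dependencies pull in target."""
    return [path or "<root>" for path, entry in lock.get("packages", {}).items()
            if target in entry.get("dependencies", {})]


# Constructed sample input: the project does not list the package itself but
# depends on "example-wp-checker" (placeholder name), which requires it.
SAMPLE_MANIFEST = {"name": "audit-tools", "dependencies": {"example-wp-checker": "^1.0.0"}}
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"example-wp-checker": "^1.0.0"}},
    "node_modules/example-wp-checker": {"version": "1.0.0",
                                        "dependencies": {"@0xengine/xmlrpc": "*"}},
    "node_modules/@0xengine/xmlrpc": {"version": "1.0.0"}
  }
}""")
```

On the sample, the manifest check finds nothing while the lockfile check reports the nested install and names example-wp-checker as the entry that required it.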
Suggested Corrections:
Despite the breadth and persistence of their operations, MUT-1244’s operational carelessness has allowed researchers at Datadog and Checkmarx to connect the dots and trace their activities. These lapses provided insights into the attacker’s infrastructure and methods, enabling the researchers to share detailed indicators of compromise (IOCs) with the community. As of late November 2024, up to 68 systems were confirmed to be actively mining cryptocurrency through the attacker’s Monero wallet, with hundreds of victims still potentially compromised. Datadog and Checkmarx have emphasized the importance of reviewing these IOCs to identify potential breaches and mitigate the ongoing risks posed by this threat actor.
IOCs:
https://checkmarx.com/blog/dozens-o...attack-combines-crypto-mining-and-data-theft/
Link(s):
https://www.helpnetsecurity.com/202...-researchers-threat-aws-wordpress-data-theft/