UNC1142: Bitcoin Core Developer Targeted With Multiple Linux Backdoors
This memory analysis post is authored by Matt Suiche (Director, Memory, IR & R&D).
On November 17, 2022, Bitcoin Core developer, Luke Dashjr, reported on his Mastodon account that an unauthorized user had accessed his Linux server. This resulted in a targeted cryptocurrency heist, as well as the theft of his PGP key, as disclosed in a Mastodon message on January 1, 2023.
In this post, we’ll explore the breach and share some tactics, techniques, and best practices when dealing with this type of situation.
Taking a Deeper Look at an Unusual Linux Attack
This scenario is highly unusual and presents a valuable opportunity to gain insight into the modus operandi of a Linux attack. Security researcher Taha Karim (@lordx64) was able to obtain a copy of the samples from Luke Dashjr and has recently published a deep dive analysis of the three Linux samples shared with him by Luke Dashjr.
The initial infection vector of the Linux server remains unconfirmed. Luke initially speculated that it may have been due to a compromised installer of Bitcoin Knots, but no supply chain attacks have been reported. However, he later suspected that the infection might have been triggered by an “external media” being mounted on the system. The presence of a kernel rootkit cannot be confirmed, due to lack of access to the compromised endpoint. Luke also confirmed that his workstation was likely compromised, although the method by which the attackers spread from one system to the other is currently unclear.
In his technical analysis, Taha Karim (@lordx64), refers to the uncategorized cluster of activity as UNC1142 containing the following backdoors and tools:
- DARKSABER (TinyShell backdoor variant)
- SHADOWSTRIKE (A Perl-based backdoor)
- NIGHTRAVEN (Installer for DARKSABER + SHADOWSTRIKE)
In this case, a targeted operation against an individual was used to steal and abuse information on a Linux endpoint, resulting in a financial loss. This is a rare occurrence, as most currently known and active information-stealing campaigns, such as the Vidar stealer, typically target Windows systems through malvertising. These campaigns often distribute infected installers of popular software, such as OBS Studio, targeting streamers and YouTubers. These attacks have affected users from the crypto community, resulting in financial losses, as disclosed by Twitter user NFT_GOD on January 14, 2023. Other software commonly targeted in these campaigns include AnyDesk, Notepad++, Winrar, CCleaner, Blender 3D, 7-Zip, Gimp, VLC and others. We expect to see more attacks like this, which provide a clear path to profit, as ransomware victims refuse to pay attackers resulting in a 40% drop in ransomware profits in 2022.
Timeline
- 17 November 2022 – Luke Dashjr shared a Mastodon message indicating his server has been accessed by an unauthorized user.
- 1 January 2023 – Luke Dashjr shared a Mastodon message indicating his PGP key is compromised and that his cryptocurrency has been stolen.
- 2 January 2023 – Taha Karim reached out to Luke Dashjr to have a copy of the samples.
- 19 January 2023 – Taha Karim published the backdoors analysis.
Indicator of Compromise (IOCs)
SHA256 file hashes
- 802e6e0ecf1af2e85a732b5c38b4ee1a490fb1e4c468b4dff1805d8a0ad05f7e – Installer.NIGHTRAVEN
- 5252128f60c2485784310d32d8a5b4a7f172c89b1d280a33f53abd1011a1645d – Backdoor.DARKSABER
- 9028e379ec23c1e52f209143e2f740c8678fcbf3d03599439eca3fdd833f263d – Backdoor.SHADOWSTRIKE
- 873df01c63a60cf9456c1446c2f69174e848d55936faaf7360dd47fd2c616829 – Backdoor.SHADOWSTRIKE
Network
| 80.85.155.34:27032 | SHADOWSTRIKE C2 |
| 80.85.155.34:2475 | SHADOWSTRIKE C2 |
| 45.14.224.223 | NIGHTRAVEN |
| 8.6.8.62:8443 | DARKSABER C2 |
MITRE ATT&CK TTPs
| Tactic | Techniques |
| Reconnaissance | T1589 – Gather Victim Identity Information |
| Resource Development | T1584.004 – Compromise Infrastructure: Server |
| Resource Development | T1587.001 – Develop Capabilities: Malware |
| Execution | T1053.003 – Scheduled Task/Job: Cron |
| Persistence | T1547 – Boot or Logon Autostart Execution |
| Privilege Escalation | T1548 – Abuse Elevation Control Mechanism |
| Discovery | T1083 – File and Directory Discovery |
| Collection | T1005 – Data from Local System |
| Command and Control | T1571 – Non-Standard Port |
| Command and Control | T1573 – Encrypted Channel |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
Incident Response Best Practice
As part of your incident response plan, imaging not only the physical disk but the volatile memory of the potentially compromised system enables a deep dive investigation so you can analyze it offline. Also, this allows you to preserve evidence as attackers, especially in the scenarios of targeted attacks, may very likely still have access to your system and may destroy evidence as they go as part of their OPSEC.
Furthermore, in the case of sophisticated attackers who may be using kernel rootkits to hide their presence, you may not be able to find anything about them without conducting a deep dive analysis.
A very efficient way to image your system is to perform a memory acquisition of your compromised system using MAGNET DumpIt For Linux or MAGNET DumpIt for Windows, this will also help you to keep the evidence intact. Download these tools for free today over at our Free Tools page.