Threat Activity Cluster #2: Mint with Sprinkles

This blog was originally published by Alert Logic here.

Written by Josh Davies and Gareth Protheroe, Alert Logic.

Before diving into the Ice Cream activity cluster, be sure to read the series introduction here.

In this second blog in our ice cream activity clustering series we look back at the evolution of the Mint group, dubbed Mint Sprinkles. This blog is the culmination of years of work conducted by numerous individuals across global threat intelligence and SOC teams.

Why “Sprinkles”?

When we have sufficient evidence to suggest that the same threat actors are behind different activities, yet we observe a significant shift to either the capabilities, attacker infrastructure, or target victims, we build upon the established flavor (in this case, Mint) with a topping, such as sprinkles. This is to represent that although the same actors are likely behind the activity, the way in which we track or cluster the new activity is different. We still believe that this activity is Mint, but it has superficially and significantly evolved enough to warrant: Mint Sprinkles.

We discussed ‘Mint Evolution’ in the original Mint blog. To be clear, yes, changes were made to their TTPs which were worth discussing. However, the way in which we cluster and track the group was mostly unaffected. In this instance, the evolution altered how we cluster and codify the activity.

Evolution of Mint, to Mint Sprinkles

Mint typically look for vulnerable Linux servers, sends an RCE exploit to gain initial access, then sets up persistence mechanisms before hijacking the target’s resources to mine cryptocurrency.

The development observed in our dataset was a shift from Linux to targeting vulnerable Windows machines. The change in target OS required a drastic change in TTPs and capabilities for the actor to progress from initial access, hence the distinct evolution to Mint with Sprinkles.

Mint Sprinkles’ exploitation of Windows machines followed Mint’s earlier success in exploiting Linux machines running the Citrix Application Deliver Controller (ADC). Always looking for the latest RCE exploit, one of the exploits they moved onto was the 2020 Oracle WebLogic RCE. Successfully exploiting the vulnerability gave them remote access, but unlike the Citrix ADC, Oracle’s WebLogic software can run on both Linux and Windows systems.

Initially, we observed the classic Mint tactics on the Windows devices, pulling down .sh files and attempting to run Linux based commands unsuccessfully. Threat Hunters discovered Windows PowerShell logs that effectively said; “command doesn’t exist.” Mint would understand that for them to get to this stage, the exploit had been successful, but a good portion of victims were no longer moving onto the installation stage.

Mint tends to use spray and pray techniques to find vulnerable servers. Often attempting the exploit as their first action, thereby condensing the recon, delivery, and exploit stages of the kill chain.

In scenarios where we did observe a distinct recon and exploit phase, it was noted that no operating system ID was included, meaning Mint was not looking to differentiate between operating systems. It is our hypothesis that the shift to using Windows tactics was the group adjusting TTPs to capitalize on the inadvertent access to Windows machines they had gained during the Oracle WebLogic campaign.

Essentially, they now had control of Windows machines and Linux machines, but their existing TTPs would not allow them to monetize this access on the Windows machines.

This resulted in the creation of a new set of Windows centric capabilities, taking a different route but ultimately ending at the same outcome, dropping crypto miners.

The techniques, tactics, and procedures used remain consistent in the reconnaissance, delivery, and exploit phase across both Mint and Mint Sprinkles. Shifting focus to Windows servers required Mint Sprinkles to employ tactics that will work on windows machines, but key common indicators remained. For example, a consistent filename was observed, with the addition of a ‘w’ character to flag for windows, and a change in dropper filetype.

The first .xml dropper pulled a second dropper, 1.ps1, which would kill off known competition, other miners, kill security prevention processes (such as EDR) and establish persistence via a scheduled task.

Mint Sprinkles then pulled an XMRIG miner, alongside a config.json file which included instructions on how to mine, the login details, the mining pool, and established command and control to the miner. Elements of the configuration have been consistent across victims and have been used to help attribute activity to Mint and Mint Sprinkles.

The actions performed by the new files resulted in the same outcomes typical of Mint. The attacker infrastructure also remained consistent in both Mint and Mint Sprinkles; again, they favored Russian and ex-Soviet IP addresses. Please keep in mind that the attacker infrastructure geo-locations do not amount to attribution.

All the points discussed, as well as indicators we have withheld from publication, strongly suggest that this is an evolution of the Mint flavor. The adaptation of the flavor’s capabilities to work with Windows machines warrants a distinction in nomenclature – hence Mint Sprinkles.

All shared intelligence on Mint Sprinkles can be found at the bottom of this page. Happy hunting.

You can find other blogs in the activity cluster here:

• Previous (1): Mint
• Next (3): Strawberry
• Cluster 4: Strawberry Sprinkles
• Cluster 5: Pistachio

About the Authors

Josh Davies is a Product Manager at Alert Logic by HelpSystems. Formerly a Security Analyst and Solutions Architect, Josh has extensive experience working with mid-market and enterprise organisations; conducting incident response and threat hunting activities as an analyst before working with organisations to identify appropriate security solutions for challenges across cloud, on-premises and hybrid environments.

Gareth Protheroe is a Sans certified (GCTI) senior security analyst at Alert Logic by HelpSystems. Gareth has a background in chemical science and currently spearheads Alert Logic’s threat hunting activities conducted by the SOC and threat intelligence teams.