Threat Activity Cluster #3: Strawberry

This blog was originally published by Alert Logic here.

Written by Josh Davies and Gareth Protheroe, Alert Logic.

The next flavor from the Alert Logic data set in the activity clustering series is Strawberry.

Before diving into this activity cluster, be sure to read the series introduction here.

And continue with the rest of the series by clicking the links below:

• Cluster 1: Mint
• Previous (2): Mint Sprinkles
• Next (4): Strawberry Sprinkles
• Cluster 5: Pistachio

Tactics, Techniques and Procedures

Strawberry has been seen to favor two primary exploits for gaining entry onto a vulnerable machine. We have observed the flavor exploiting the Apache Solr remote code execution (RCE) vulnerability (CVE-2019-17558) and a Confluence OGNL exploit (CVE-2021-26084).

Strawberry was late to the game, or did not initially target our customers, with the 2019 Apache Solr RCE, as we did not observe the flavor during our initial threat hunts as part of our emerging threat process. They still saw some success with the vulnerability, maybe because Apache themselves were slow to release a fix, or more likely, a product of the sad truth that many organizations are not able to patch their vulnerable systems quickly or frequently enough.

In 2021, it was a different story – the flavor was on our radar from the start, as they mounted a campaign targeting vulnerable confluence servers as the vulnerability was emerging. Targetting the vulnerability so early meant the group had more success in exploiting machines before mitigations could be put in place.

Fortunately, our threat intelligence team had earmarked Java as an inherently vulnerable language, where we anticipated future zero-day vulnerabilities or derivatives to be discovered. This foresight meant we already had forward-thinking wideband telemetry signatures in place that our threat hunters reviewed periodically, which in turn meant we had early warning of this new exploit and could detect and facilitate timely responses for affected customers.

By the end of 2021, Strawberry were identified during the Log4Shell landgrab, relying on the ubiquity of java applications running the vulnerable logging module top gain initial access. By this point our understanding of Strawberry was comprehensive, so including the novel exploit did not impede our ability to detect the group, as the attacker infrastructure, scripts, malware, and unique indicators were understood. Finding the exploit was a case of filling in the gaps and the aforementioned foresight of our security researchers in creating telemetry for Java applications, once again proved fruitful.

The RCE exploits enabled Strawberry to instruct the victim machine to reach out and download malicious files and scripts to begin the installation phase. The malicious files that were pulled to infected hosts during installation were hosted on pastebin[.]com, which is a website that allows users to share plain text files through public posts called ‘pastes.’ The site is very popular, with 17 million monthly users, commonly looking to share legitimate code. Pastebin is often abused by threat actors as it is a free resource where you can easily and anonymously host code, making it a simple location to house malicious code.

Of course, as a legitimate website, Pastebin is frequently taking down pastes that do not adhere to its code of conduct. Therefore, the Strawberry group was forced to use numerous files to ensure one was available while the Pastebin admins work to identify and remove the malicious content. Once the dropper is pulled from Pastebin, double persistence is established by creating a new service (typically named javae[.]service) and setting up a new cron job (Linux equivalent of scheduled task).

Strawberry proceeds to pull down crypto-miner files, hijacking the victim’s resources to create a steady monetary output for the flavor… if undetected.

Interestingly, the mining configurations differ between each victim, although the method of setup remains consistent. The working hypothesis here is that Strawberry is more concerned with their financial outcomes being attributed to malicious activity than they are with their malicious activities being identified.

They have demonstrated the ability to change the superficial, simpler indicators of campaigns, such as attacker infrastructure, but not the areas that are more sophisticated, like the tactics, techniques and procedures (TTPs) used once they gain initial access.

Flavor Infrastructure

Generally, Strawberry makes use of public cloud infrastructure, namely AWS and the South Korean AWS region, during the recon to exploit phases. By using public cloud infrastructure, Strawberry can quickly generate and burn machines and IP addresses to circumvent any blocklists they may have added to during active reconnaissance. In the latter stages, they move away from AWS but still use IPs consistent with South Korea, with a rouge Google address being the exception.

It is important to emphasize that the geographical location of the infrastructure used by the attacker does not amount to attribution. While this information is helpful in identifying the flavor’s actions, the Korean infrastructure preference does not equate to Korean actors. The Pastebin file and the crypto-miner configuration variations observed present the greatest variations seen in Strawberry’s actions. Otherwise, Strawberry’s modus operandi has limited variations when compared to other documented flavors.

Reflections

A good comparison can be made with Mint, who also seek vulnerable Linux servers, indiscriminate of sector or organization. However, Mint regularly revisits their tactics, making changes to naming conventions and subtle, superficial changes to code in an attempt to evade detection and prevention controls. In contrast, our threat hunters view Strawberry as a fairly basic flavor with more static indicators.

Furthermore, the use of Pastebin and public cloud infrastructure to host files and mount stages of the attacks, suggest an immaturity in the flavors ability to create and host their own infrastructure.

Readers may have noticed other similarities between Mint and Strawberry, including similarities in the kill chain sequence leading to the same outcome: crypto mining. At a glance it’s fair to believe that these flavors could be combined and classified together; however, the subtleties in how we detect a Mint vs. Strawberry are significant, such as the combinations of differences found in both infrastructure and capabilities. Ultimately, the activity clusters are distinct making it very likely they are not the same actor/group.

By separating out the two flavors we are better equipped to identify compromise earlier, know exactly what/where to look next, and ultimately provide a comprehensive and thorough remediation plan for our customers. The documented intelligence of the Strawberry activity cluster allows us to holistically respond to a compromise, by extrapolating likely next steps from our established understanding.

Read about the next activity cluster, Strawberry Sprinkles, here.

About the Authors

Josh Davies is a Product Manager at Alert Logic by HelpSystems. Formerly a Security Analyst and Solutions Architect, Josh has extensive experience working with mid-market and enterprise organisations; conducting incident response and threat hunting activities as an analyst before working with organisations to identify appropriate security solutions for challenges across cloud, on-premises and hybrid environments.

Gareth Protheroe is a Sans certified (GCTI) senior security analyst at Alert Logic by HelpSystems. Gareth has a background in chemical science and currently spearheads Alert Logic’s threat hunting activities conducted by the SOC and threat intelligence teams.