Pacha Group, A New Threat Actor Deploying Undetected Cryptojacking Campaigns on Linux Servers

Intezer
28.02.19 | 3:21 pm

Key Takeaways:

• Intezer has evidence of a new threat actor, which it calls Pacha Group, that has been deploying undetected cryptojacking campaigns operating from compromised servers.

• The cryptominer employed by Pacha Group, labeled Linux.GreedyAntd by Intezer, was completely undetected by all leading engines, demonstrating the sophistication of this malware.

• The malware was found on the Linux platform and employs sophisticated evasion techniques not commonly seen in today's Linux threat landscape.

• The cryptominer compromises third-party servers and makes them part of its infrastructure to attack additional servers. It takes a very aggressive approach to eradicating other miners by actively scanning the system to eliminate them.

Introduction:

Cryptomining malware, also known as cryptojacking or cryptocurrency mining malware, is a relatively new cyber threat. It refers to software designed to stealthily take over a computer's resources and use them to mine bitcoin without the user's permission.

Intezer has evidence dating back to September 2018 which shows Pacha Group has been using a cryptomining malware that has gone undetected on other engines.

The new miner employed by Pacha Group, named Linux.GreedyAntd, has proven to be more sophisticated than the average Linux threat, using evasion techniques rarely seen in Linux malware. For example, when a payload is downloaded, its timestamp is replaced so that it goes unnoticed in the file system. This technique is widely used in Windows malware but not in Linux threats. The miner also demonstrates remarkably aggressive behavior, implementing techniques to disable or eliminate other miners to a degree not observed previously. Once on the system, Linux.GreedyAntd will kill any other miners it finds on the server, reserving the infected system for Pacha Group's profit.
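The timestamp replacement described above can be spotted from the defender's side because `utime()` (and `touch -r`) can back-date a file's mtime and atime but cannot set its ctime; the kernel bumps ctime to the current time on every such change. The following is an added example, not code from Intezer or from the malware, that walks a directory and flags regular files whose mtime is far older than their ctime; the file names, the one-hour slack and the one-year back-dating are constructed sample values.

```python
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    path: str
    mtime: float
    ctime: float


def find_timestomped(root: str, slack_seconds: int = 3600) -> List[Finding]:
    """Report regular files under root whose ctime is later than their mtime
    by more than slack_seconds. A freshly written file that claims an old
    modification time but carries a recent ctime is a timestomping indicator."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_ctime - st.st_mtime > slack_seconds:
                findings.append(Finding(path, st.st_mtime, st.st_ctime))
    return findings


def demo() -> Tuple[int, int]:
    """Constructed sample: two freshly written files, one left alone and one
    whose mtime is pushed back a year the way a back-dated payload would be.
    Returns (total findings, findings that point at the back-dated file)."""
    with tempfile.TemporaryDirectory() as tmp:
        honest = os.path.join(tmp, "honest.bin")
        stomped = os.path.join(tmp, "payload.bin")
        for p in (honest, stomped):
            with open(p, "wb") as fh:
                fh.write(b"\x7fELF constructed sample")
        old = time.time() - 365 * 86400
        os.utime(stomped, (old, old))  # sets atime/mtime only; ctime becomes "now"
        findings = find_timestomped(tmp)
        return len(findings), sum(1 for f in findings if f.path == stomped)
```

Files installed from packages or extracted from archives legitimately keep an old mtime, so in practice the hits should be compared against package-manager ownership before being treated as suspicious.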

Pacha Group is believed to be of Chinese origin and is actively delivering new campaigns, deploying a broad number of components, many of which are undetected and operate from compromised third-party servers.

Technical Analysis:

Please visit https://www.intezer.com/blog-technical-analysis-pacha-group to view the full technical analysis and IOCs.

By Intezer

Intezer introduces a Genetic Malware Analysis approach, offering enterprises unparalleled and accelerated incident response. Intezer provides a fast, in-depth understanding of any file by mapping its code DNA at the ‘gene’ level — offering the most advanced level of malware analysis. By identifying the origins of every piece of code, Intezer is able to detect code reuse from known malware, as well as code that was seen in trusted applications.


© Intezer.com 2019 All rights reserved