2023-10-19

Researchers have discovered a new attack campaign that compromises Jupyter Notebook instances and deploys cryptojacking malware. The operation uses Discord for command and control and steals AWS and Google Cloud credentials from compromised servers.

“Qubitstrike is a relatively sophisticated malware campaign, spearheaded by attackers with a particular focus on exploitation of cloud services,” researchers from cloud forensics and incident response firm Cado Security said in a report. “Jupyter Notebooks are commonly deployed in cloud environments, with providers such as Google and AWS offering them as managed services.”

Jupyter Notebook is a web-based interactive computing platform that supports over 40 programming languages and is used for data visualization, machine learning, data transformations, numerical simulations, statistical modeling, and managing various other computational outputs. It is an open-source application that can be deployed on servers, and over the past year it has been used as an entry point for other cloud-based attack campaigns because it exposes powerful features, including command execution, to anyone who can reach the web interface.

Cado observed the Qubitstrike attackers connecting to its deliberately unprotected Jupyter Notebook honeypot, using the terminal access feature to open a Bash command line interface, and manually executing a series of reconnaissance commands to determine the system’s CPU information, the currently logged-in user, whether root access was available via the su command, and whether the curl tool was installed.

This first stage culminates with the execution of a base64-encoded command that uses curl to download a Bash script called mi.sh from an account on codeberg.org, a Git hosting platform that’s similar to GitHub. The script is saved to a temporary folder, then executed and eventually removed.

Qubitstrike malware set up for persistence

The mi.sh script sets up the system for deployment of additional tools, specifically a version of the XMRig cryptocurrency mining program. First, the script renames the curl and wget utilities on the system so that its later use of them is less likely to trigger detections that watch for those tools. It also scans running processes for the presence of competing cryptominers and kills them, and it kills connections to a hard-coded list of IP addresses associated with rival cryptomining operations.
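A defender-side integrity check for the renamed-utility trick described above, as an added example that is not Cado's or the campaign's own code: it flags baseline tools such as curl and wget that are no longer at their canonical path and reports where their bytes reappeared. The baseline hashes and the file inventory below are constructed; on a real host the baseline would come from a clean image or the package manager's file manifest, and `inventory_dir` would build the inventory from the live bin directory.

```python
import hashlib
import os


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: canonical path -> sha256 of the legitimate binary.
# (Assumption: taken from a clean image or a package manifest, not from the host.)
BASELINE = {
    "/usr/bin/curl": sha256(b"ELF-curl"),
    "/usr/bin/wget": sha256(b"ELF-wget"),
}

# Constructed inventory of a compromised host: curl was renamed to "cr",
# wget was left alone. Stands in for the output of inventory_dir("/usr/bin").
SAMPLE_FS = {
    "/usr/bin/ls": b"ELF-ls",
    "/usr/bin/wget": b"ELF-wget",
    "/usr/bin/cr": b"ELF-curl",
    "/usr/bin/python3": b"ELF-python",
}


def inventory_dir(directory: str) -> dict:
    """Build a path -> bytes inventory of regular files in one directory."""
    inventory = {}
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            with open(entry.path, "rb") as fh:
                inventory[entry.path] = fh.read()
    return inventory


def find_renamed_tools(fs: dict, baseline: dict) -> dict:
    """Return {canonical_path: finding} for every baseline tool that is not
    intact at its canonical path. The finding is the path the original bytes
    moved to, 'modified' if the path exists with different content, or
    'missing' if the original content is gone from the directory."""
    by_hash = {sha256(data): path for path, data in fs.items()}
    findings = {}
    for canonical, digest in baseline.items():
        if canonical in fs and sha256(fs[canonical]) == digest:
            continue  # present and unmodified: nothing to report
        if canonical in fs:
            findings[canonical] = "modified"
        else:
            findings[canonical] = by_hash.get(digest, "missing")
    return findings
```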