Threat actors are known to be actively exploiting misconfigured Linux servers, whether they run on premises or in the cloud. The compromised machines are mostly used for cryptojacking, with mining of the digital currency Monero dominating. One notorious example is TeamTNT, one of the first hacking groups to shift its focus to cloud-oriented services.

The cryptojacking battlefield is shared by multiple threat actors, such as Kinsing and TeamTNT, among others. Two characteristics their code has in common are removing competing actors who are also mining cryptocurrency and disabling security features found on the victim machine. This gives them an advantage in controlling the hijacked resources; one example is the advanced system sanitation we identified targeting Huawei Cloud.

In this article, we focus on one functionality that we found in common among multiple payloads: the disabling of features inside the Alibaba cloud service provider (CSP). We also look at possible reasons that multiple threat actors and malware routines focus on Alibaba Cloud (also known as Aliyun), and at the implications of these illicit mining activities for Alibaba Cloud users.

We reached out to the Alibaba Cloud team through their listed contact information prior to the publication of this blog and are waiting for their response regarding this concern.

Looking into Alibaba ECS

Alibaba Elastic Computing Service (ECS) instances come with a preinstalled security agent, so threat actors try to uninstall it upon compromise. This is no surprise, as we have seen similar payloads in the past. This time, however, we found specific code in the malware that creates firewall rules to drop incoming packets from IP ranges belonging to internal Alibaba zones and regions.
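A defender who suspects this kind of tampering can check a host's firewall for exactly the pattern described above: INPUT-chain DROP or REJECT rules whose source range overlaps the provider's management infrastructure that the security agent depends on. The script below is an added example written for this article, not code from Trend Micro or from the malware it describes. It parses `iptables -S` style output and flags such rules. The rule listing and the CIDR ranges in it are constructed placeholders (RFC 5737 documentation addresses); the post does not list the real Alibaba Cloud ranges, so an operator would substitute the ranges from the provider's own documentation.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `iptables -S` output. These are placeholder
# documentation addresses, NOT the real Alibaba Cloud internal ranges
# (the post does not publish them). Two DROP rules mimic the behaviour
# described in the article; the remaining rules are benign.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j ACCEPT
"""

# Placeholder list of ranges the operator treats as trusted provider
# management infrastructure (e.g. what the preinstalled agent talks to).
# Replace with the provider's documented ranges in real use.
TRUSTED_MGMT_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Matches an appended rule: "-A <chain> <match options> -j <target>"
RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)(?P<body>.*?)\s+-j\s+(?P<target>\S+)\s*$")
SRC_RE = re.compile(r"(?:^|\s)(?:-s|--source)\s+(\S+)")


@dataclass(frozen=True)
class Finding:
    chain: str
    source: str
    target: str
    rule: str


def parse_rules(text):
    """Return (chain, source_or_None, target, raw_line) for each -A rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # policy lines (-P) and blanks are skipped
        src_match = SRC_RE.search(m.group("body"))
        src = src_match.group(1) if src_match else None
        rules.append((m.group("chain"), src, m.group("target"), line))
    return rules


def _overlaps(net, trusted):
    # Either side may be the broader range; skip mixed IPv4/IPv6 pairs.
    return any(
        net.version == t.version and (net.subnet_of(t) or t.subnet_of(net))
        for t in trusted
    )


def find_mgmt_blocks(text, trusted=TRUSTED_MGMT_RANGES):
    """Flag INPUT-chain DROP/REJECT rules whose source overlaps a trusted range."""
    findings = []
    for chain, src, target, line in parse_rules(text):
        if chain != "INPUT" or target not in {"DROP", "REJECT"} or src is None:
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            continue  # not a literal address/CIDR (e.g. an ipset name)
        if _overlaps(net, trusted):
            findings.append(Finding(chain, src, target, line))
    return findings


if __name__ == "__main__":
    for f in find_mgmt_blocks(SAMPLE_RULES):
        print(f"suspicious {f.target} of trusted range {f.source}: {f.rule}")
```

On a live host the input would come from `iptables -S` (or `iptables-save`), and a hit should be correlated with the agent's own health status, since the rule on its own only proves the range is blocked, not who added it.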

Disclaimer

Trend Micro Inc. published this content on 15 November 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 15 November 2021 14:44:02 UTC.