| Exeremo | |
| --- | --- |
| Type of Malware | Trojan |
| Date of initial activity | 2024 |
| Motivation | Financial Gain |
| Attack Vectors | Credential Based Attacks |
| Targeted Systems | Linux |
Overview
Exeremo is an advanced piece of malware that represents a significant evolution in the landscape of cyber threats, particularly through its role in cryptojacking campaigns such as Spinning YARN. This sophisticated tool, identified during recent investigations, has been observed facilitating lateral movement across compromised networks. Its primary function is to propagate malware over SSH connections, making it a critical component of the attackers' toolkit for expanding their reach within targeted environments.
The malware’s design emphasizes stealth and persistence. Exeremo operates by leveraging SSH credentials to traverse through systems once it has gained an initial foothold. This capability allows it to effectively spread within an infected network, often bypassing traditional security measures that might focus primarily on perimeter defenses. By exploiting SSH, Exeremo can rapidly infect additional machines, enhancing the attackers’ ability to deploy and execute other malicious payloads.
What sets Exeremo apart from other malware tools is its modular architecture and its integration into a broader cryptojacking scheme. Its novel approach to lateral movement is indicative of the attackers’ evolving strategies to maximize their control over compromised systems.
Targets
Corporate Networks: Large enterprises with extensive networks and multiple connected systems are prime targets. Exeremo can exploit weaknesses in SSH configurations or credential management to infiltrate these networks and spread internally.
Data Centers: Organizations operating data centers are also targeted due to the high concentration of valuable data and critical infrastructure within these facilities. Exeremo can leverage SSH access to compromise multiple systems and deploy additional payloads.
Cloud Environments: With the rise of cloud computing, Exeremo is designed to exploit vulnerabilities in cloud infrastructure, particularly those involving misconfigured or insecure SSH access. This includes cloud-based virtual machines and containerized environments.
How they operate
Initial Access and Exploitation
Exeremo typically gains initial access by exploiting vulnerabilities in public-facing applications, particularly those handling SSH connections. Attackers may leverage unpatched software or misconfigured settings to breach systems. Once inside, Exeremo deploys a payload designed to exploit system weaknesses further. This payload often uses command-line interfaces or scripts, allowing the malware to execute commands and establish a foothold on the target machine.
Persistence and Privilege Escalation
After initial access, Exeremo focuses on maintaining persistence within the compromised environment. It achieves this by creating or modifying system processes that ensure its survival across reboots and system updates. To solidify its control, the malware may escalate its privileges by exploiting known vulnerabilities or misconfigurations. This privilege escalation is crucial for accessing sensitive system resources and expanding its reach.
Defense Evasion and Credential Access
Exeremo employs advanced techniques to evade detection and analysis. The malware often uses obfuscation to hide its presence, making it challenging for security tools to identify and neutralize. Additionally, Exeremo targets and harvests credentials from compromised systems. By extracting credentials, the malware can gain further access to network resources and potentially escalate its attacks.
Discovery and Lateral Movement
With a foothold established, Exeremo undertakes network discovery to identify other vulnerable systems and services. The malware scans the network, seeking opportunities to move laterally and expand its control. Utilizing remote services like SSH, Exeremo can traverse the network, compromising additional systems and amplifying its impact.
Data Collection and Exfiltration
As Exeremo spreads, it begins to collect and stage valuable data from compromised systems. This staged data is prepared for exfiltration, often transmitted over existing command and control channels to evade detection. The malware’s ability to exfiltrate data covertly underscores its effectiveness in maintaining a low profile while executing its objectives.
Impact and Disruption
In some instances, Exeremo may escalate its activities to disrupt operations. The malware can encrypt files or data on compromised systems, rendering them inaccessible and demanding a ransom for decryption. This tactic not only disrupts the victim’s operations but also adds a layer of intimidation to the attack.
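As an added example (not part of this profile or of any published Exeremo indicator), a Python detection sketch that runs over sshd auth-log lines and flags the two behaviours the section above attributes to Exeremo: credential-based access (a burst of failed password logins followed by a success from the same source) and SSH fan-out from one foothold to several hosts. The line format is the real syslog format OpenSSH writes; the sample entries, host names, IPs and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Login results in the syslog format OpenSSH's sshd writes on Debian/Ubuntu hosts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+")

def parse_line(line, year=2024):
    """One auth event as a dict, or None for lines that are not login results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, **{k: m[k] for k in ("host", "result", "method", "user", "src")}}

def detect_ssh_lateral_movement(lines, window=600, fail_threshold=5, fanout_threshold=3):
    """Per source IP (thresholds are this example's assumptions, not published indicators):
    spray_then_success = >= fail_threshold failures then an accepted password login within
    `window` seconds; ssh_fanout = accepted logins to >= fanout_threshold (host, user) pairs."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fanout_reported = False  # report fan-out once per source, not per login
        for i, e in enumerate(evs):
            if e["result"] != "Accepted":
                continue
            recent = [x for x in evs[:i] if (e["ts"] - x["ts"]).total_seconds() <= window]
            fails = sum(x["result"] == "Failed" for x in recent)
            if e["method"] == "password" and fails >= fail_threshold:
                alerts.append(("spray_then_success", src, e["host"], e["user"]))
            targets = {(x["host"], x["user"]) for x in recent + [e] if x["result"] == "Accepted"}
            if len(targets) >= fanout_threshold and not fanout_reported:
                alerts.append(("ssh_fanout", src, len(targets)))
                fanout_reported = True
    return alerts

# Constructed sample: 10.0.0.5 sprays root on web01, then reaches db01 and app02 within
# minutes; 10.0.0.40 is ordinary key-based admin access and should not alert.
SAMPLE_LOG = """\
Jun  3 10:00:01 web01 sshd[2210]: Failed password for root from 10.0.0.5 port 41022 ssh2
Jun  3 10:00:03 web01 sshd[2211]: Failed password for root from 10.0.0.5 port 41024 ssh2
Jun  3 10:00:05 web01 sshd[2212]: Failed password for invalid user admin from 10.0.0.5 port 41026 ssh2
Jun  3 10:00:07 web01 sshd[2213]: Failed password for root from 10.0.0.5 port 41028 ssh2
Jun  3 10:00:09 web01 sshd[2214]: Failed password for root from 10.0.0.5 port 41030 ssh2
Jun  3 10:00:11 web01 sshd[2215]: Accepted password for root from 10.0.0.5 port 41032 ssh2
Jun  3 10:02:30 db01 sshd[3310]: Accepted publickey for deploy from 10.0.0.5 port 41100 ssh2
Jun  3 10:03:15 app02 sshd[4410]: Accepted password for root from 10.0.0.5 port 41150 ssh2
Jun  3 10:05:00 web01 sshd[2299]: Accepted publickey for alice from 10.0.0.40 port 50010 ssh2
"""
```

Running `detect_ssh_lateral_movement(SAMPLE_LOG.splitlines())` yields two spray_then_success alerts (web01 and app02, both root) and one ssh_fanout alert for 10.0.0.5; the key-based db01 login counts toward fan-out but not toward spraying.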
MITRE Tactics and Techniques
Initial Access:
Exploit Public-Facing Application (T1190): Exeremo may initially gain access by exploiting vulnerabilities in publicly accessible applications, especially those that handle SSH connections.
Execution:
Command and Scripting Interpreter (T1059): Once inside, Exeremo uses command-line interfaces and scripts to execute its payloads and commands on the compromised system.
Persistence:
Create or Modify System Process (T1543): To maintain a foothold, Exeremo may create or modify system processes that ensure its persistence across reboots and system changes.
Privilege Escalation:
Exploitation for Privilege Escalation (T1068): Exeremo might exploit vulnerabilities or misconfigurations to escalate its privileges within the compromised environment.
Defense Evasion:
Obfuscated Files or Information (T1027): Exeremo often uses obfuscation techniques to evade detection by hiding its presence and activities from security tools.
Credential Access:
Credential Dumping (T1003): The malware may attempt to harvest credentials from compromised systems to further infiltrate and spread within the network.
Discovery:
Network Service Scanning (T1046): Exeremo scans the network to identify other services and systems that can be further exploited or compromised.
Lateral Movement:
Remote Services (T1021): Using SSH and other remote services, Exeremo can move laterally across systems within the network.
Collection:
Data Staged (T1074): It might stage collected data from compromised systems in preparation for exfiltration or further exploitation.
Exfiltration:
Exfiltration Over Command and Control Channel (T1041): Exeremo may use its existing command and control channels to exfiltrate data from compromised systems.
Impact:
Data Encrypted for Impact (T1486): In some cases, Exeremo might encrypt files or data to disrupt operations and demand ransom.