Pause | |
Type of Malware | Trojan (cryptojacking coin miner) |
Country of Origin | Unknown |
Date of initial activity | Early 2023 |
Targeted Countries | United States, Germany, Australia, Brazil, India |
Motivation | Financial Gain |
Attack Vectors | Misconfigured Kubernetes API access (anonymous or over-permissive authentication), credential-based attacks |
Targeted Systems | Linux (Kubernetes nodes, Docker hosts) |
Tools | Kubernetes workloads (DaemonSets/pods), Docker images from a public registry, UPX-packed DERO miner |
Overview
The “Pause” malware is a cryptojacking campaign aimed at cloud environments. Emerging in early 2023, it targets misconfigured Kubernetes clusters, typically clusters whose API server accepts anonymous or weakly authenticated requests, and uses that access to deploy hidden cryptocurrency miners. Note that this is a misconfiguration, not a software vulnerability: no exploit is needed when the control plane itself accepts the attacker’s workload definition. What distinguishes “Pause” from run-of-the-mill cryptojacking is its use of deceptive naming. The malicious workload uses Docker images and container names that resemble the legitimate “pause” sandbox container Kubernetes runs alongside every pod, so a quick look at running containers on a node shows nothing that stands out. This makes detection harder and shows how far threat actors go to blend in with normal cluster activity.
The core of the “Pause” malware is a variant of the DERO cryptocurrency miner, engineered for stealth. Its executables are UPX-packed, which compresses and obscures the original binary so that string- and signature-based scanners see little of it on disk, and the wallet address and mining-pool URL are hard-coded into the binary. Because those details are compiled in, the miner needs no configuration file, command-line arguments or initial command-and-control exchange to start working, which removes several artefacts defenders normally look for. One caveat a practitioner should keep in mind: UPX is compression, not encryption. Once a sample is unpacked (`upx -d` works when the packer header is intact, which actors sometimes deliberately corrupt), the wallet address and pool endpoint are plainly visible and make reliable indicators for hunting across other clusters. This shift towards self-contained, pre-configured miners means organizations must detect them from where they run and what they connect to, not from a configuration file that no longer exists.
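To make the “unpack, then read the strings” point concrete, here is an added triage script (written for this page, not code from the campaign or from any vendor report). It checks a binary for UPX markers and pulls out hard-coded mining indicators. The sample bytes are constructed for the example and are not a real miner; the DERO address pattern (“dero1” prefix followed by bech32-style characters) is an assumption about the address format and should be checked against the DERO documentation before it is used as a detection rule.

```python
"""Triage a suspected miner binary: detect UPX packing and extract
hard-coded indicators (wallet address, pool endpoints).

Added example for this page, not code from the campaign or a vendor.
The UPX check is a string heuristic; on a real sample run `upx -d` first
and re-run the extraction on the unpacked file.
"""
import re

# Strings UPX leaves in a packed file unless the actor patches them out.
UPX_MARKERS = (b"UPX!", b"packed with the UPX executable packer")

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")            # ASCII runs of 6+ chars
# ASSUMPTION: DERO wallet address format; verify before relying on it.
WALLET_RE = re.compile(r"\bdero1[a-z0-9]{40,}\b")
POOL_URI_RE = re.compile(
    r"\b(?:stratum\+tcp|stratum\+ssl|tcp|ssl)://[a-z0-9.-]+:\d{2,5}\b")
POOL_HOSTPORT_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+:\d{2,5}\b")

# Constructed stand-in for an ELF sample (NOT a real binary or wallet).
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"$Info: This file is packed with the UPX executable packer "
    + b"http://upx.sf.net $\n"
    + b"UPX!" + b"\x00" * 16
    + b"dero1" + b"q" * 61 + b"\x00"                # constructed wallet
    + b"--daemon-address=pool.example.invalid:10100\x00"
    + b"stratum+tcp://mine.example.invalid:443\x00"
)


def printable_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Return printable ASCII runs, like `strings -n 6`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def is_upx_packed(data: bytes) -> bool:
    """True if any UPX marker string is present in the raw file."""
    return any(marker in data for marker in UPX_MARKERS)


def extract_indicators(data: bytes) -> dict[str, list[str]]:
    """Collect wallet addresses and pool endpoints from the file's strings."""
    text = "\n".join(printable_strings(data))
    wallets = sorted(set(WALLET_RE.findall(text)))
    uris = sorted(set(POOL_URI_RE.findall(text)))
    # Remove full URIs before looking for bare host:port pairs so that
    # the same endpoint is not reported twice.
    stripped = POOL_URI_RE.sub(" ", text)
    hostports = sorted(set(POOL_HOSTPORT_RE.findall(stripped)))
    return {"wallets": wallets, "pools": sorted(set(uris + hostports))}


if __name__ == "__main__":
    print("UPX packed:", is_upx_packed(SAMPLE))
    for kind, values in extract_indicators(SAMPLE).items():
        print(kind, values)
```

On a packed sample the wallet and pool will usually be absent from the raw strings and only appear after unpacking; a sample that reports as UPX-packed but yields no indicators is the expected case, and the next step is `upx -d` (or manual unpacking if the header was damaged). Feed the unpacked file to `extract_indicators` and pivot on the wallet address across your fleet.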
Targets
Targeting is opportunistic: any organization running an internet-reachable, misconfigured Kubernetes cluster is a candidate, but the following sectors are the most exposed.
Cloud Service Providers: Companies that offer cloud infrastructure and services are attractive because of their large pools of compute and high-value infrastructure.
Technology Firms: Organizations that rely heavily on cloud computing and containerized applications are exposed to Pause whenever a cluster is left with weak API access controls.
Financial Institutions: Banks and other financial entities, which often run significant computing resources, are also at risk.
Healthcare Organizations: Institutions with large volumes of sensitive data are targeted for their compute resources, with the additional risk that a foothold in the cluster also sits next to valuable data.
How they operate
Initial Access and Execution
The malware’s journey begins with initial access. Pause gets into cloud environments by abusing misconfigured container orchestration, above all Kubernetes clusters whose API server accepts anonymous or weakly authenticated requests, and Docker hosts with exposed management interfaces; stolen or leaked credentials serve the same purpose. This is an authorization failure rather than a software vulnerability, so there is no patch to apply: the fix is to close the access. Once Pause can talk to the control plane, it uses the cluster’s own scheduling to execute its payload: it creates a workload whose pods pull an attacker-controlled image and run the packed DERO miner, harnessing the victim’s computing resources to mine cryptocurrency without consent. This phase establishes the malware’s presence and starts its primary malicious activity.
Persistence and Evasion Techniques
Following execution, Pause persists by letting the platform do the work. In a Kubernetes cluster, a workload defined at the cluster level is kept alive by the control plane itself: a DaemonSet, for example, schedules a copy of the pod on every node and recreates any pod that is deleted, so killing the miner process or the pod does not remove it. Only deleting the workload object (and removing the access that created it) does. Persistence is complemented by defense evasion: the miner binary is UPX-packed, the wallet and pool are compiled in so there is no configuration to find, the image is pulled from a public container registry so the pull looks like ordinary traffic, and the container and image are named to resemble the legitimate Kubernetes “pause” sandbox container. A practical check follows from that last point: the real pause container is created by the container runtime and never appears in a pod’s `spec.containers`, so any container named “pause” in a pod spec or workload template is worth a look.
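The initial-access and persistence points above both reduce to questions you can ask the cluster: who can reach the API without credentials, and which workloads in the cluster look like the “pause” sandbox but are defined in a pod spec? The script below is an added example written for this page (it is not the campaign’s tooling, nor a check from the original report). It runs over constructed JSON shaped like `kubectl get clusterrolebindings -o json` and `kubectl get pods,daemonsets -A -o json`; the workload names, images and the registry allowlist are assumptions made for the example.

```python
"""Audit a cluster for the two conditions Pause relies on:
  1. RBAC bindings that grant rights to anonymous/unauthenticated callers.
  2. Workloads that masquerade as the Kubernetes 'pause' sandbox container,
     or kube-system workloads pulled from a registry you do not control.

Added example for this page; the sample data is constructed and the
registry allowlist is an assumption to adapt to your environment.
"""

ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}
# Default binding that only exposes /healthz, /livez, /readyz and /version.
DEFAULT_PUBLIC_ROLE = "system:public-info-viewer"
# ASSUMPTION: registries you expect kube-system images to come from.
TRUSTED_KUBE_SYSTEM_REGISTRIES = {"registry.k8s.io", "k8s.gcr.io"}

# --- constructed input, shaped like `kubectl ... -o json` output ---------
CRB_LIST = {"kind": "List", "items": [
    {"metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "anon-admin"},                 # the dangerous case
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
]}

WORKLOADS = {"kind": "List", "items": [
    {"kind": "DaemonSet",
     "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.29.0"}]}}}},
    {"kind": "DaemonSet",                                 # masquerading miner
     "metadata": {"name": "cache-worker", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "pause", "image": "example-user/pause:latest"}]}}}},
    {"kind": "Pod",                                       # untrusted registry
     "metadata": {"name": "log-shipper", "namespace": "kube-system"},
     "spec": {"containers": [
         {"name": "shipper", "image": "example-user/shipper:latest"}]}},
    {"kind": "Pod",                                       # benign app pod
     "metadata": {"name": "web", "namespace": "default"},
     "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]}},
]}


def registry_of(image: str) -> str:
    """Registry host of an image reference; Docker Hub when none is given."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def repo_basename(image: str) -> str:
    """'example-user/pause:latest' -> 'pause' (strips path, tag and digest)."""
    ref = image.split("@", 1)[0]
    return ref.rsplit("/", 1)[-1].split(":", 1)[0]


def anonymous_bindings(crb_list: dict) -> list[str]:
    """ClusterRoleBindings that hand roles to anonymous or unauthenticated callers."""
    findings = []
    for b in crb_list["items"]:
        role = b.get("roleRef", {}).get("name", "")
        if role == DEFAULT_PUBLIC_ROLE:
            continue
        for s in b.get("subjects") or []:
            if s.get("name") in ANONYMOUS_SUBJECTS:
                findings.append(
                    f"ClusterRoleBinding {b['metadata']['name']} grants {role} to {s['name']}")
    return findings


def pod_specs(items: list) :
    """Yield (kind, namespace, name, podSpec) for Pods and pod-template workloads."""
    for obj in items:
        kind, meta, spec = obj.get("kind", ""), obj.get("metadata", {}), obj.get("spec", {})
        pod_spec = spec if kind == "Pod" else spec.get("template", {}).get("spec", {})
        yield kind, meta.get("namespace", ""), meta.get("name", ""), pod_spec


def suspicious_workloads(workload_list: dict) -> list[str]:
    """Flag pause look-alikes anywhere and untrusted images in kube-system."""
    findings = []
    for kind, ns, name, pod_spec in pod_specs(workload_list["items"]):
        for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
            image = c.get("image", "")
            reg = registry_of(image)
            # The real sandbox 'pause' container is never listed in a pod spec.
            if c.get("name") == "pause" or repo_basename(image) == "pause":
                findings.append(
                    f"{kind} {ns}/{name}: container {c.get('name')!r} masquerades as pause ({image})")
            elif ns == "kube-system" and reg not in TRUSTED_KUBE_SYSTEM_REGISTRIES:
                findings.append(
                    f"{kind} {ns}/{name}: kube-system image from untrusted registry {reg} ({image})")
    return findings


if __name__ == "__main__":
    for line in anonymous_bindings(CRB_LIST) + suspicious_workloads(WORKLOADS):
        print(line)
```

Both functions accept the parsed output of the corresponding `kubectl get ... -o json` command, so on a live cluster replace the constructed constants with `json.load()` of that output. A finding from `anonymous_bindings` should be paired with a check of the API server’s `--anonymous-auth` flag (set it to `false` unless you have a specific reason not to); a finding from `suspicious_workloads` is remediated by deleting the workload object, not the pod, since the controller would simply recreate the pod.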
Privilege Escalation and Lateral Movement
Where the initial foothold does not already carry cluster-wide rights, Pause’s operational strategy may include privilege escalation, attempting to gain higher levels of access within the compromised environment. Note that in the common case, an API server that accepts anonymous requests with broad RBAC, no escalation is needed: the attacker already creates cluster-level workloads on every node. With sufficient privileges, the malware can move laterally, using stolen credentials (service account tokens and cloud credentials reachable from a pod are the usual source) or additional misconfigurations to reach other systems and broaden its impact.
Command and Control Infrastructure
Central to Pause’s operation is its command and control (C2) infrastructure, which the attackers use to manage infected systems, issue commands and adapt their tactics over time. Because the wallet address and pool URL are hard-coded, the miner’s most consistent network behaviour is the outbound connection to the mining pool itself, and that connection is the most dependable detection point: egress from cluster nodes to a mining pool, or to any unexpected external host on a non-standard port, is a signal worth alerting on regardless of how well the container is named.
Exfiltration and Impact
In some cases, Pause may exfiltrate sensitive information from the compromised systems to servers controlled by the attackers. Cryptojacking remains the primary objective, but the same access that lets an attacker deploy a miner on every node also reaches secrets, service account tokens and application data in the cluster, so the impact is not limited to stolen compute. The overall effect on the target environment includes degraded performance and disrupted operations, the financial cost of the consumed resources, and the potential for a data breach.
MITRE Tactics and Techniques
Initial Access (TA0001): Pause gains access through misconfigured cloud infrastructure, above all Kubernetes API servers that accept anonymous or weakly authenticated requests, and exposed Docker hosts; leaked credentials serve the same purpose.
Execution (TA0002): Once access is gained, the malware executes its payload on the compromised systems. This could involve running scripts for cryptojacking or deploying additional tools for maintaining control.
Persistence (TA0003): Pause ensures its continued presence by defining its miner as a cluster-managed workload (a DaemonSet, for example), so the control plane reschedules and recreates it when pods are removed.
Privilege Escalation (TA0004): The malware may attempt to escalate its privileges within the compromised environment, gaining higher levels of access to enhance its control and capabilities.
Defense Evasion (TA0005): To avoid detection, Pause packs its executables with UPX, compiles the wallet and pool into the binary so there is no configuration to inspect, pulls its image from a public container registry, and names its container and image after the legitimate Kubernetes “pause” sandbox container.
Credential Access (TA0006): Pause likely employs tools or techniques to extract credentials from compromised systems, which can be used to further infiltrate the network or escalate its privileges.
Discovery (TA0007): The malware might conduct reconnaissance to understand the environment, identify valuable targets, and map out the network for effective lateral movement.
Lateral Movement (TA0008): Pause can move laterally within the compromised network, using stolen credentials or exploiting vulnerabilities to access other systems and expand its reach.
Collection (TA0009): The malware may gather information from the compromised systems, such as configuration details or sensitive data, to facilitate its operations or achieve its objectives.
Command and Control (TA0011): Pause uses C2 infrastructure to manage its activities, communicate with infected systems, and issue commands.
Exfiltration (TA0010): If necessary, Pause might exfiltrate data from the compromised environment to external servers controlled by the attackers.
Impact (TA0040): The malware impacts the target environment through resource hijacking (cryptojacking), which degrades performance, disrupts operations and incurs financial costs for the affected organizations.