A group of hackers is actively targeting internet-exposed Jupyter Notebooks, using these as an entry point to breach servers and deploy a combination of malware, including a Linux rootkit, cryptocurrency miners, and password-stealing scripts.
In their campaign called ‘Qubitstrike,’ the threat actors aim to take control of Linux servers for cryptomining and steal credentials for cloud services like AWS and Google Cloud. The Qubitstrike malware payloads are hosted on codeberg.org, marking the first instance of this platform being exploited for malware distribution.
The Qubitstrike attacks begin with a manual scan to find exposed Jupyter Notebooks, followed by CPU identification to assess their potential for cryptomining. The attackers then search for credential files, download, and execute a script (‘mi.sh’) to facilitate various malicious activities on compromised Linux servers.
These activities include downloading and running an XMRig miner disguised as “python-dev,” setting up cron jobs for persistence, inserting an attacker-controlled SSH key for root access, and installing the ‘Diamorphine’ rootkit to hide specific processes from monitoring tools. The attackers also engage in credential theft and data exfiltration through the use of Telegram Bot API.
To cover their tracks, the attackers rename data transfer utilities and wipe log files containing evidence of the breach. Moreover, the Qubitstrike campaign utilizes Discord for command and control operations (C2), with a script named ‘kdfs.py’ that runs as a standalone executable, communicating with a hard-coded Discord channel to send host information and await further commands. These sophisticated tactics underscore the evolving threat landscape and the need for robust cybersecurity measures to protect against such multi-pronged attacks.
