During our daily threat hunting activities in our 4000+ customer base, we have gained an intimate understanding of the adversaries behind the threats. This unique insight has been organized by our hunters and security researchers to create threat activity clusters. By clustering these adversaries, we know how to better mitigate the threat they present.
Activity clusters separate adversaries into distinct threat group “flavors.” Once understood, the threat posed become manageable, and we believe they should have a suitably unintimidating identifier. So, what could be less intimidating than ice cream?
To learn more about Project Ice Cream, read the series’ introductory blog here.
The next Project Ice Cream flavor is the Strawberry threat activity cluster. Before diving into this activity cluster, be sure to read the series introduction here.
Tactics, Techniques and Procedures
Strawberry has been seen to favor two primary exploits for gaining entry onto a vulnerable machine. We have observed the flavor exploiting the Apache Solr remote code execution (RCE) vulnerability (CVE-2019-17558) and a Confluence OGNL exploit (CVE-2021-26084).
Strawberry was late to the game – or did not initially target Alert Logic customers with the 2019 Apache Solr RCE – as we did not observe the flavor during our initial threat hunts as part of our emerging threat process. They still saw some success with the vulnerability, maybe because Apache themselves were slow to release a fix, or more likely, a product of the sad truth that many organizations are not able to patch their vulnerable systems quickly or frequently enough.
In 2021, it was a different story. The flavor was on our radar from the start, as they mounted a campaign targeting vulnerable confluence servers as the vulnerability was emerging, and subsequently, the group had more success in exploiting machines before mitigations could be put in place. Fortunately, Alert Logic’s threat intelligence team had earmarked java OGNL as an inherently vulnerable language, where we anticipated future zero-day vulnerabilities or derivatives to be discovered. This foresight meant we already had forward-thinking wideband telemetry signatures in place that our threat hunters reviewed periodically. This, in turn, meant we had early warning of this new exploit and could detect and facilitate earlier responses for affected customers.
Both RCE exploits enabled Strawberry to instruct the victim machine to reach out and download malicious files and scripts to begin the installation phase. The malicious files that were pulled to infected hosts during installation were hosted on pastebin[.]com, which is a website that allows users to share plain text files through public posts called ‘pastes.’ The very popular site, with 17 million monthly users, commonly are looking to share legitimate code. Pastebin often is abused by threat actors as it is a free resource where you can easily and anonymously host code, making it a simple location to house malicious code.
Of course, as a legitimate website, Pastebin is frequently taking down pastes that do not adhere to its code of conduct. Therefore, the Strawberry group was forced to use a variety of files.
Once the dropper is pulled from Pastebin, double persistence is established by creating a new service (typically named javae[.]service) and setting up a new cron job (Linux equivalent of scheduled task).
Strawberry proceeds to pull down crypto miner related files, hijacking the victim’s resources to create a steady monetary output for the flavor … if undetected.
Interestingly, the mining configurations differ between each victim, although the method of setup remains consistent. The working hypothesis is that Strawberry is more concerned with their financial outcomes being attributed to malicious activity than they are with their malicious activities being identified.
They have demonstrated the ability to change the superficial, simpler indicators of campaigns, such as attacker infrastructure, but not the areas that are more sophisticated, like the tactics, techniques, and procedures (TTPs) used once they gain initial access.
Flavor Infrastructure
Generally, Strawberry makes use of public cloud infrastructure, namely AWS and the South Korean AWS region, during the recon to exploit phases. By using public cloud infrastructure, Strawberry can quickly generate and burn machines and IP addresses to circumvent any blocklists they may have added to during active reconnaissance. In the latter stages, they move away from AWS but still use IPs consistent with South Korea with a rouge Google address being the exception.
It is important to emphasize that the geographical location of the infrastructure used by the attacker does not amount to attribution. While this information is helpful in identifying the flavor’s actions, the Korean infrastructure preference does not equate to Korean actors.
The Pastebin file and the crypto miner configuration variations observed present the greatest variations seen in Strawberry’s actions. Otherwise, Strawberry’s modus operandi has limited variations when compared to other documented flavors.
Reflections
A good comparison can be made with Mint, which also seeks vulnerable Linux servers, indiscriminate of sector or organization. However, Mint regularly revisits their tactics, making changes to naming conventions and subtle, superficial changes to code in an attempt to evade detection and prevention controls. In contrast, our threat hunters view Strawberry as a fairly basic flavor with more static indicators.
Our readers may have noticed other similarities between Mint and Strawberry, including similarities in the kill chain sequence leading to the same outcome, crypto mining. At a glance, it’s fair to believe these flavors could be combined and classified together; however, the subtleties in how we detect a Mint versus Strawberry are significant, such as the combinations of differences found in both infrastructure and capabilities. Ultimately, the threat activity clusters are distinct making it very likely they are not the same actor/group.
By separating the two flavors, we are better equipped to identify compromise earlier, know exactly what/where to look next, and ultimately provide a comprehensive and thorough remediation plan for our customers. The documented intelligence of the Strawberry threat activity cluster allows us to holistically respond to a compromise by extrapolating likely next steps from our established understanding.
Known Exploits Used
- CVE-2021-26084 [exp]
- CVE-2019-17558 [exp]
TTPs
- Active Scanning – T1595 [recon]
- Exploit Public-Facing Application – T1190 [recon/delivery/exploit]
- /docs/*./solr.sh
- /docs/s/config.json
- /docs/
- Javae[.]service
- Scheduled Task/Job: Cron – T1053.003 [inst persistence]
- Service creation [inst persistence] – Create or Modify System Process – T1543
- Ingress Tool Transfer – T1105 [inst / C2]
- Application Layer Protocol – T1071 [C2]
- XMRIG Crypto mining [AoO]
- Resource hijacking – T1496 [AoO]
Targets
- Vulnerable Linux Servers
Actor/Flavor Infrastructure
- AWS – South Korean region [recon, deliv, exp]
- pastebin[.]com [inst]
- South Korean IPs (not attribution)
- Google LLC [inst]
- geo[.]c3pool[.]com [AoO]
- mine[.]c3pool[.]com [AoO]
- Ioflood [AoO]
- Hetzner Online GmbH [AoO]
- OVH SAS [AoO]
- EONIX-COMMUNICATIONS-ASBLOCK-62904 [AoO]
- pool[.]supportxmr[.]com [AoO]
Actions on Objectives
- Crypto mining (XMRIG)
Find out how Alert Logic can support your organization in tackling existing and emerging threats used by actors like Strawberry by scheduling a personalized MDR demo.
Additional Resources
Explore Alert Logic’s Project Ice Cream threat activity clusters blog series: