A novel cryptomining campaign has been identified that exploits misconfigured Jupyter Notebooks, targeting both Windows and Linux systems.

The attack leverages exposed instances of Jupyter Notebook, an interactive computing environment widely used by data scientists that provides a browser-based Python IDE, to deploy malicious code that installs cryptomining software on compromised systems. A notebook server executes whatever code is submitted to it, so an instance reachable from the internet without authentication is, in practice, unauthenticated remote code execution.

Analysts at Cado Security Labs identified this attack through their honeypot systems, noting that the campaign represents a new vector for cryptomining attacks that has not been previously reported, despite sharing similarities with earlier campaigns targeting Ivanti Connect Secure and Korean web servers.

On Windows the dropped loader is named "java.exe". Despite its name, it is not a Java runtime but a malicious binary packed with UPX that retrieves an encrypted blob called "x2.dat" from various repositories, including GitHub, Launchpad, and Gitee; hosting the second stage on legitimate code-hosting services lets the download blend in with ordinary developer traffic.

The "x2.dat" file is protected with ChaCha20 and zlib. The campaign reporting gives "aQFabieiNxCjk6ygb1X61HpjGfSKq4zH" as the nonce and "AZIzJi2WxU0G" as the key, but ChaCha20 takes a 256-bit (32-byte) key and, in the IETF construction, a 96-bit (12-byte) nonce, so the 32-character string is almost certainly the key and the 12-character string the nonce. Likewise, compressing ciphertext gains nothing, so the payload is presumably zlib-compressed and then encrypted; an analyst recovering it decrypts first and inflates second. Because the key material is static printable ASCII rather than derived or fetched at run time, a captured copy of x2.dat can be unpacked offline with those two values.

The malware targets cryptocurrencies including Monero, Sumokoin, ArQma, and several others, using the wallet ID "44Q4cH4jHoAZgyHiYBTU9D7rLsdV82y4EvPRkjgdMQThPLJVB3ZbD9Sc1i84Q9eHYgb9Ze7A3syWV". As reproduced here that string is 77 characters, shorter than a standard 95-character Monero address, so treat it as a partial indicator rather than an exact-match value.

For Linux systems, the attack downloads a bash script named "0217.js" (a shell script carrying a JavaScript extension, another name-versus-content mismatch worth keying detections on) that retrieves two ELF binaries and sets up cron jobs to ensure persistence.

Organizations should implement strong authentication (a token or password on every notebook server), disable public access to Jupyter instances by binding them to localhost and reaching them through a VPN, SSH tunnel or authenticating reverse proxy, and regularly monitor cloud environments for unusual activity, such as notebook hosts that suddenly gain cron entries, UPX-packed executables, or outbound connections to mining pools, to mitigate these attacks.
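The mitigation advice above (strong authentication, no public exposure) reduces to a handful of settings in jupyter_server_config.py. The following audit script is an added example, not part of the article or of Jupyter itself: it parses a config file with the standard library, flags the exposure pattern this campaign relies on (listening on every interface with authentication switched off), and shows a constructed weak configuration beside a hardened one. The option names are those of jupyter_server 2.x (with the older ServerApp.token/password spellings also accepted); the argon2 hash and certificate paths in the hardened sample are placeholders.

```python
"""Audit jupyter_server_config.py for the misconfigurations behind the campaign (added example)."""
import ast

# Jupyter's own defaults are ip='localhost' and a randomly generated token, so an
# absent setting is safe; these bind values expose the server on every interface.
PUBLIC_BINDS = {"0.0.0.0", "*", "", "::"}


def parse_jupyter_config(text):
    """Collect literal `c.Section.option = value` assignments into a flat dict."""
    settings = {}
    for node in ast.walk(ast.parse(text)):
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1):
            continue
        target, parts = node.targets[0], []
        while isinstance(target, ast.Attribute):
            parts.append(target.attr)
            target = target.value
        if not (isinstance(target, ast.Name) and target.id == "c" and parts):
            continue
        try:
            settings[".".join(reversed(parts))] = ast.literal_eval(node.value)
        except (ValueError, TypeError, SyntaxError):
            pass  # non-literal value such as a passwd() call; not auditable here
    return settings


def audit_jupyter_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_jupyter_config(text)
    findings = []
    ip = s.get("ServerApp.ip", "localhost")
    public = ip in PUBLIC_BINDS
    token = s.get("IdentityProvider.token", s.get("ServerApp.token"))
    password = s.get("PasswordIdentityProvider.hashed_password", s.get("ServerApp.password"))
    no_auth = token == "" and not password  # empty token disables token auth
    if public:
        findings.append("ServerApp.ip=%r binds every interface" % ip)
    if no_auth:
        findings.append("token is empty and no password is set: authentication disabled")
    if public and no_auth:
        findings.append("CRITICAL: unauthenticated notebook reachable from the network (remote code execution)")
    if public and not s.get("ServerApp.certfile"):
        findings.append("no certfile: token or password travel over plaintext HTTP")
    if s.get("ServerApp.allow_root"):
        findings.append("allow_root=True: a compromised kernel runs as root")
    if s.get("ServerApp.allow_origin") == "*":
        findings.append("allow_origin='*' lets any website drive the server from a browser")
    if s.get("ServerApp.disable_check_xsrf"):
        findings.append("XSRF check disabled")
    return findings


# Constructed sample: the shape of config that leaves a notebook open to this campaign.
WEAK_CONFIG = """
c = get_config()
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.allow_root = True
c.IdentityProvider.token = ''
c.ServerApp.allow_origin = '*'
"""

# Constructed sample: bound to loopback, password-protected, TLS paths set.
HARDENED_CONFIG = """
c = get_config()
c.ServerApp.ip = '127.0.0.1'   # reach it via SSH tunnel, VPN or an authenticating proxy
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.allow_root = False
# hash as produced by `jupyter server password`; the value below is a placeholder
c.PasswordIdentityProvider.hashed_password = 'argon2:$argon2id$v=19$m=10240,t=10,p=8$placeholder'
c.ServerApp.certfile = '/etc/jupyter/server.crt'
c.ServerApp.keyfile = '/etc/jupyter/server.key'
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_jupyter_config(cfg) or ["no findings"])
```

Run it against the config files of every notebook host found in inventory; the CRITICAL finding is exactly the state the honeypot in the article was in, and anything that reports it should be taken off the network before its cron tables and process lists are reviewed.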
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 15 Mar 2025 15:30:25 +0000