Home Security Crypto Miners Utilizing Tox P2P Messenger as Command and Management Server

Crypto Miners Utilizing Tox P2P Messenger as Command and Management Server

by crpt os


Threat actors have begun to use the Tox peer-to-peer instant messaging service as a command-and-control method, marking a shift from its earlier role as a contact method for ransomware negotiations.

The findings from Uptycs, which analyzed an Executable and Linkable Format (ELF) artifact (“72client”) that functions as a bot and can run scripts on the compromised host using the Tox protocol.

Tox is a serverless protocol for online communications that offers end-to-end encryption (E2EE) protections by making use of the Networking and Cryptography library (NaCl, pronounced “salt”) for encryption and authentication.

CyberSecurity

“The binary found in the wild is a stripped but dynamic executable, making decompilation easier,” researchers Siddharth Sharma and Nischay Hedge said. “The entire binary appears to be written in C, and has only statically linked the c-toxcore library.”

It’s worth noting that c-toxcore is a reference implementation of the Tox protocol.

Tox P2P Messenger

The reverse engineering undertaken by Uptycs shows that the ELF file is designed to write a shell script to the location “/var/tmp/” – a directory used for temporary file creation in Linux – and launch it, enabling it to run commands to kill cryptominer related processes.

Also executed is a second routine that allows it to run a number of specific commands (e.g., nproc, whoami, machine-id, etc.) on the system, the results of which are subsequently sent over UDP to a Tox recipient.

CyberSecurity

Additionally, the binary comes with capabilities to receive different commands through Tox, based on which the shell script is updated or gets executed on an ad-hoc basis. An “exit” command issued quits the Tox connection.

Tox has been historically used by ransomware actors as a communication mechanism, but the latest development marks the first time the protocol is being used to run arbitrary scripts on an infected machine.

“While the discussed sample does not do anything explicitly malicious, we feel that it might be a component of a coinminer campaign,” the researchers said. “Therefore, it becomes important to monitor the network components involved in the attack chains.”

The disclosure also arrives amid reports that the decentralized file system solution known as IPFS is being increasingly used for hosting phishing sites in an effort to make takedowns more difficult.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex