The threat actor uses a multitude of open-source software tools to find and exploit vulnerabilities within victim systems.

CRYSTALRAY, a threat actor known to have used Secure Shell (SSH) based malware to gain access to victim systems in the past, has scaled operations to over 1,500 victims using multiple open source software (OSS) tools, according to a Sysdig study. After gaining access, the threat actor installs backdoors to maintain control and uses SSH-Snake to spread across networks and gather credentials for sale.

“The Sysdig Threat Research Team’s (TRT) latest observations show that CRYSTALRAY’s operations have scaled 10x to over 1,500 victims and now include mass scanning, exploiting multiple vulnerabilities, and placing backdoors using multiple OSS security tools,” Sysdig said in a blog post. Additionally, the threat actor deploys cryptominers to profit from compromised systems, the cloud security intelligence and solutions provider added.

Exploiting multiple OSS tools and PoCs

CRYSTALRAY leverages existing vulnerability proofs of concept (PoCs) and uses OSS penetration testing tools to scan a list of targets for these vulnerabilities. Once a vulnerable target is detected, the group modifies the existing PoC to carry its payload and drops it onto the victim’s system for initial access.

“CRYSTALRAY’s motivations are to collect and sell credentials, deploy cryptominers, and maintain persistence in victim environments,” Sysdig added. “Some of the OSS tools the threat actor is leveraging include zmap, asn, httpx, nuclei, platypus, and SSH-Snake.”

CRYSTALRAY uses pdtm, the package manager of the legitimate OSS organization ProjectDiscovery, to install that organization’s many open-source tools. For instance, the group uses the ASN OSINT command-line tool to quickly scan network data and determine an IP range. Once an IP range is defined, the threat actor uses zmap to scan specific ports for vulnerable services.
Nuclei is then used to perform a vulnerability scan that lists the common vulnerabilities and exposures (CVEs) affecting the target host. “Observed CVEs used by this attacker included CVE-2022-44877, CVE-2021-3129 and CVE-2019-18394,” Sysdig added.

Credential stealing and crypto mining

Besides moving between servers accessible via SSH and maintaining persistence, the threat actor was also found moving to other platforms, i.e. cloud service providers, to extract credentials stored in environment variables.

“CRYSTALRAY is able to discover and extract credentials from vulnerable systems, which are then sold on black markets for thousands of dollars,” Sysdig said. “The credentials being sold involve a multitude of services, including Cloud Service Providers and SaaS email providers.”

Apart from credential theft, the threat actor attempts to maximize its gains by putting the victim’s compromised resources to further use. For financial gain, CRYSTALRAY was found using two crypto miners: one older and easily detectable, and a more sophisticated one whose pool — the group of victim computing resources — sits on the same C2 server.

Proper vulnerability, identity, and secrets management, along with an efficient detection and prevention tool, can help protect against CRYSTALRAY attacks, the blog emphasized. Sysdig also added a list of indicators of compromise (IoCs) to the blog for reference.

The use of legitimate penetration testing tools by threat actors has gained momentum in recent times, with the most used tool of the sort being Cobalt Strike. Earlier this month, a joint law enforcement operation, Morpheus, led by Europol disrupted 600 criminally used servers running Fortra’s red teaming tool.
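As an added defensive example (not code from the Sysdig blog or this article), the following Python correlates process-start events per host and flags any host where tools from more than one stage of the chain described above (pdtm, asn, zmap, httpx, nuclei, platypus, SSH-Snake) start within a short window, which is the kind of detection the article's closing advice calls for. The log format, hostnames, paths and the grouping of tools into stages are constructed assumptions.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Tools named in the article, grouped into stages of the described chain.
# The stage labels are an assumed grouping for correlation, not Sysdig's.
TOOL_STAGES = {
    "asn": "recon", "zmap": "recon", "httpx": "recon",
    "nuclei": "vuln-scan",
    "pdtm": "tooling",
    "platypus": "c2", "ssh-snake": "lateral",
}

# Constructed sample process-start events: "timestamp host user executable".
SAMPLE_LOG = """\
2024-07-10T09:00:01Z web-01 www-data /usr/bin/php
2024-07-10T09:02:10Z web-01 www-data /root/go/bin/pdtm
2024-07-10T09:02:40Z web-01 www-data /usr/bin/asn
2024-07-10T09:03:05Z web-01 www-data /usr/sbin/zmap
2024-07-10T09:05:30Z web-01 www-data /root/go/bin/nuclei
2024-07-10T09:09:00Z web-01 www-data /tmp/ssh-snake.sh
2024-07-10T10:00:00Z db-02 postgres /usr/sbin/zmap
"""

def parse_event(line):
    """Split one log line into (timestamp, host, user, executable basename)."""
    ts, host, user, exe = line.split(" ", 3)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, host, user, os.path.basename(exe).lower()

def detect_tool_chain(log_text, window=timedelta(minutes=30), min_stages=2):
    """Return {host: sorted stages} for hosts where tools from at least
    `min_stages` stages started within `window`; a lone scan does not alert."""
    per_host = defaultdict(list)
    for line in log_text.strip().splitlines():
        when, host, _user, exe = parse_event(line)
        stage = TOOL_STAGES.get(exe.removesuffix(".sh"))  # ssh-snake.sh -> ssh-snake
        if stage:
            per_host[host].append((when, stage))

    alerts = {}
    for host, events in per_host.items():
        events.sort()  # chronological order so each window starts at one event
        for i, (start, _) in enumerate(events):
            stages = {s for t, s in events[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts
```

On the sample data only web-01 alerts (four stages in seven minutes); the single zmap run on db-02 is below the threshold, which keeps a legitimate one-off scan from paging anyone.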