The script also deletes various system logs and will set up persistence on the system by registering several cron jobs and adding the attacker’s SSH key to the system. More importantly, it downloads and deploys a rootkit called Diamorphine. This rootkit operates as a kernel module that’s loaded with the insmod command and its purpose is to hide the attacker’s processes on the system.
If the insmod command fails, the attackers compile Diamorphine from source as a Linux shared object file and use the LD_PRELOAD technique to register it with the dynamic linker, so the malicious library is loaded every time a new executable is launched on the system.
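As an added defender-side example (not code from the article or from Cado's report), the following Python script checks a Linux host for the two traces described above: a process hidden from the /proc listing by a Diamorphine-style kernel module, and a library registered with the dynamic linker through /etc/ld.so.preload. The probe logic is an assumption about how such rootkits hide processes (they filter directory listings of /proc, while signal probes and /proc/<pid>/status still work), not a description of Qubitstrike's exact build.

```python
import os

def hidden_pids(listed, alive):
    """PIDs that are alive but absent from the /proc listing (pure, testable)."""
    return sorted(set(alive) - set(listed))

def preload_entries(text):
    """Parse /etc/ld.so.preload; '#' comments and blank lines are ignored.
    On a clean host this file is normally absent or empty."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries

def listed_pids():
    """PIDs as the kernel reports them via getdents on /proc (what a rootkit filters)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def probed_pids():
    """Probe every PID up to pid_max with signal 0. A hidden process is removed
    from the listing only, so the probe and /proc/<pid>/status still succeed.
    Thread IDs also answer the probe; they are dropped via the Tgid field."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # process exists but belongs to another user
        try:
            with open(f"/proc/{pid}/status") as f:
                tgid = next(int(l.split()[1]) for l in f if l.startswith("Tgid:"))
        except (FileNotFoundError, ProcessLookupError, StopIteration):
            continue
        if tgid == pid:
            found.add(pid)
    return found

def scan():
    """Hidden PIDs plus ld.so.preload entries. Processes that start or exit between
    the listing and the probe show up transiently, so re-run before acting."""
    try:
        with open("/etc/ld.so.preload") as f:
            preload = preload_entries(f.read())
    except FileNotFoundError:
        preload = []
    return {"hidden_pids": hidden_pids(listed_pids(), probed_pids()), "preload": preload}

if __name__ == "__main__":
    print(scan())
```

Run it as root so that /proc/<pid>/status is readable for every process; a non-empty hidden_pids list or any preload entry is a lead to investigate, not proof of compromise on its own.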
“Diamorphine is well-known in Linux malware circles, with the rootkit being observed in campaigns from TeamTNT and, more recently, Kiss-a-dog,” the Cado researchers said. “Compiling the malware on delivery is common and is used to evade EDRs and other detection mechanisms.”
Finally, the mi.sh script searches the local directories for AWS and Google Cloud access tokens and exfiltrates any that are found to a Telegram group. The Cado researchers intentionally placed an AWS token on their honeypot system and immediately saw an attempt to use it to access the associated AWS account. Qubitstrike also acts like an SSH worm, with the script trying to connect to all the IP addresses listed in the SSH hosts file on the system and attempting to push mi.sh to them.
More implants found in Codeberg repository
By investigating the Codeberg repository that hosted the mi.sh script, the researchers uncovered additional scripts and payloads including an implant written in Python and called kdfs.py. Once executed on a system, this implant will act as a bot that will join a Discord server and channel and wait for commands. It also supports downloading and uploading files through the Discord attachment feature.
“The name of the server used is ‘NETShadow,’ and the channel the bot posts to is ‘victims’,” the researchers said. “The server also had another channel titled ‘ssh.’ However, it was empty. All of the channels were made at the exact same time on September 2, 2023, suggesting that the creation process was automated. The bot’s username is Qubitstrike (hence the name we chose to give to the malware).”