Indonesian GUI-vil hackers use Amazon cloud services for illegal cryptocurrency mining
Enterprising criminals use GitLab vulnerabilities to compromise AWS.
The cloud security company Permiso P0 Labs discovered a group of cybercriminals from Indonesia that uses Amazon Web Services (AWS) Elastic Compute Cloud (EC2) for illegal cryptocurrency mining. The researchers gave the group the code name GUI-vil.
Amazon Web Services (AWS) Elastic Compute Cloud (EC2) is a web service that provides scalable computing power in the AWS cloud environment. With Amazon EC2, you can run as many virtual servers as you need, set up security and network connectivity, and manage data storage. Amazon EC2 allows you to increase or decrease capacity based on changing requirements or peak usage.
“The group prefers to use graphical interfaces, in particular S3 Browser (version 9.5.5) for their initial operations. After gaining access to the AWS Console, they conduct their transactions directly through a web browser,” the company said in a report.
The GUI-vil attack scheme begins with initial access obtained either through AWS keys exposed in public source code repositories on GitHub or by scanning for vulnerable GitLab instances that allow remote code execution (for example, CVE-2021-22205).
After a successful infiltration, hackers escalate their privileges and conduct internal reconnaissance to determine the services that are available to them through the AWS Web Console.
A notable feature of the group’s activity is its attempt to blend in and persist in the victim’s environment by creating new users whose names match the naming scheme already in use, so that they do not look suspicious on a cursory check.
“GUI-vil also generates access keys for new users that they create in order to continue using S3 Browser with these new users,” the P0 Labs researchers explained.
GUI-vil’s association with Indonesia is based on the fact that the source IP addresses associated with their activities are from two autonomous systems located in Southeast Asia.
“The main mission of the financially motivated group is to create EC2 instances to facilitate cryptocurrency mining. In many cases, the profit they make from mining cryptocurrencies is only a fraction of the cost to victim organizations to run EC2 instances,” the researchers said.
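The persistence and mining steps described above (new IAM users named after existing ones, fresh access keys for them, then EC2 instances launched by those users, with S3 Browser as a client hint) can be spotted from CloudTrail. The following detector is an added example written for this article, not code from Permiso or from the report; the records are constructed, and the user names and instance type are hypothetical.

```python
# Constructed CloudTrail-style records (not real telemetry); only the
# fields the detector reads are included.
SAMPLE_EVENTS = [
    {"eventName": "GetCallerIdentity", "userAgent": "S3 Browser 9.5.5",
     "userIdentity": {"userName": "ci-deploy"}, "requestParameters": {}},
    {"eventName": "CreateUser", "userAgent": "S3 Browser 9.5.5",
     "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"userName": "ci-deploy2"}},
    {"eventName": "CreateAccessKey", "userAgent": "S3 Browser 9.5.5",
     "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"userName": "ci-deploy2"}},
    {"eventName": "RunInstances", "userAgent": "console.ec2.amazonaws.com",
     "userIdentity": {"userName": "ci-deploy2"},
     "requestParameters": {"instanceType": "c5.24xlarge"}},
]


def mimics_naming(new_name, existing_names):
    """True if new_name is an existing principal's name plus a 1-2 char suffix."""
    return any(new_name != n and new_name.startswith(n)
               and len(new_name) - len(n) <= 2 for n in existing_names)


def analyze(events):
    """Return (severity, message) findings for the create-user/key/EC2 chain."""
    findings, seen_principals = [], set()
    s3browser_actors, created, keyed = set(), set(), set()
    for ev in events:
        actor = ev["userIdentity"].get("userName", "?")
        name, params = ev["eventName"], ev.get("requestParameters") or {}
        if ev.get("userAgent", "").startswith("S3 Browser"):
            s3browser_actors.add(actor)  # weak signal alone: S3 Browser is a common tool
        target = params.get("userName")
        if name == "CreateUser" and target:
            created.add(target)
            sev = "medium" if actor in s3browser_actors else "low"
            note = (" (name mimics an existing principal)"
                    if mimics_naming(target, seen_principals) else "")
            findings.append((sev, f"{actor} created IAM user {target}{note}"))
        elif name == "CreateAccessKey" and target in created:
            keyed.add(target)  # key for a just-created user: persistence step
            findings.append(("high", f"{actor} issued an access key for new user {target}"))
        elif name == "RunInstances" and actor in keyed:
            itype = params.get("instanceType", "?")
            findings.append(("high", f"new keyed user {actor} launched EC2 {itype}"))
        seen_principals.add(actor)
    return findings


if __name__ == "__main__":
    for sev, msg in analyze(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

In practice the same rules would run over the JSON records delivered by CloudTrail to S3 or CloudWatch Logs; the user-agent check is only a supporting signal, since S3 Browser is legitimately used by many teams.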