Step-by-step: How Hacker Group 'LabRat' Works to abuse your computer to mine crypto and rent it to others
Take action: If you think you are not important enough to get hacked, you are right. But it doesn't matter, because cyber criminals have ways to profit from your computer and make you pay the bills for that regardless of how unimportant you are. All you need to do to prevent being profited from is a little bit of security hygiene and a little less comfort when using technology.
A recently detected, financially motivated crime operation named "LabRat" is attacking computers to deploy malware. The LabRat campaign is notable because it goes to great lengths to remain hidden from antivirus, firewalls and routine checks, which gives the operators a long dwell time on, and more profit from, each individual victim.
It's also an excellent example of how people who think that "they are not important enough to be hacked" are still an excellent source of profit for criminals.
Why?
The motives of the crime operation are purely financial, and they aim to make profit from cryptojacking and proxyjacking:
- Cryptojacking is a form of cybercrime where criminals exploit people's devices, including computers, smartphones, and servers, to mine cryptocurrency without their knowledge. Crypto mining involves solving complex mathematical problems which require a lot of processing power and energy. Cybercriminals employ various methods to secretly insert crypto mining software onto a victim's device and abuse their CPU power and electricity to profit from the mined cryptocurrency. The victims experience slower performance of their computers and incur the costs of electricity usage.
- Proxyjacking is a form of cybercrime where criminals offer the victim's device as a resource to a legitimate peer-to-peer (P2P) profit-sharing network. There are legal peer profit-sharing companies that offer data collection or advertising to their customers. To deliver those services, these companies invite users to join their network by installing a program that connects to the peer network and runs some tasks. The user gets a small percentage of the profit for letting their computer run the tasks, but since a user only has a limited number of devices, they cannot earn much. Criminals instead install hidden control applications on the victim's computer, enrol it in the peer profit-sharing network as their own device, and collect the profit from the processing and bandwidth abused from the victim. Given enough compromised computers, the profit from proxyjacking can be significant, while the victim pays for the bandwidth and CPU power and is left with a slower computer.
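Both cryptojacking and proxyjacking leave the same footprint on the host: a process that burns CPU for hours on end, often dropped into a temporary directory. The following is an added example (not code from the original article or from any LabRat analysis) of how a defender might triage periodic process snapshots for that footprint. The snapshot format, the thresholds and the list of suspicious directories are my assumptions; the sample snapshots are constructed.

```python
"""Added example (not from the original article): flag processes that look like
covert miners from periodic process snapshots.

Assumptions (mine, not the article's): each snapshot is a list of
(pid, %cpu, command path) tuples such as you could build from
`ps -eo pid,pcpu,args` taken every minute; a process that stays above
CPU_THRESHOLD for MIN_SAMPLES consecutive snapshots, or that runs from a
typically world-writable directory, is worth a look.
"""
from collections import defaultdict

CPU_THRESHOLD = 80.0   # percent of one core (assumed threshold)
MIN_SAMPLES = 3        # consecutive snapshots above threshold
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # assumption: common drop dirs

# Constructed sample data: three one-minute snapshots of (pid, %cpu, command path).
# pid 101 is a constructed miner hiding under a kernel-thread-like name.
SNAPSHOTS = [
    [(101, 95.0, "/dev/shm/.x/kthreadd"), (202, 12.0, "/usr/bin/python3"), (303, 4.0, "/usr/sbin/sshd")],
    [(101, 97.5, "/dev/shm/.x/kthreadd"), (202, 88.0, "/usr/bin/python3"), (303, 3.0, "/usr/sbin/sshd")],
    [(101, 99.0, "/dev/shm/.x/kthreadd"), (202, 10.0, "/usr/bin/python3"), (303, 5.0, "/usr/sbin/sshd")],
]


def find_cpu_hogs(snapshots, threshold=CPU_THRESHOLD, min_samples=MIN_SAMPLES):
    """Return {pid: path} for processes above threshold in min_samples consecutive snapshots."""
    streak = defaultdict(int)
    hogs = {}
    for snap in snapshots:
        seen = set()
        for pid, cpu, path in snap:
            seen.add(pid)
            if cpu >= threshold:
                streak[pid] += 1
                if streak[pid] >= min_samples:
                    hogs[pid] = path
            else:
                streak[pid] = 0  # a single busy sample (pid 202) is not a finding
        # a pid absent from this snapshot has exited; reset its streak
        for pid in list(streak):
            if pid not in seen:
                streak[pid] = 0
    return hogs


def runs_from_suspicious_dir(path, dirs=SUSPICIOUS_DIRS):
    """True if the executable lives in one of the assumed drop directories."""
    return path.startswith(dirs)


def triage(snapshots):
    """Combine both signals; return a sorted list of (pid, path, reasons)."""
    findings = {}
    for pid, path in find_cpu_hogs(snapshots).items():
        findings.setdefault(pid, (path, []))[1].append("sustained high CPU")
    for pid, _cpu, path in snapshots[-1]:  # check currently running processes
        if runs_from_suspicious_dir(path):
            findings.setdefault(pid, (path, []))[1].append("runs from temp dir")
    return sorted((pid, path, reasons) for pid, (path, reasons) in findings.items())


if __name__ == "__main__":
    for pid, path, reasons in triage(SNAPSHOTS):
        print(f"pid {pid} {path}: {', '.join(reasons)}")
```

Run against the constructed snapshots this reports only pid 101: the one-off spike of the Python process in the second snapshot resets on the next sample and is not flagged. In production you would feed it real `ps` output on a timer and send findings to your alerting pipeline rather than printing them.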
How?
Find vulnerable system, execute remote code to gain access
The method of attack of the LabRat campaign starts with looking for vulnerable systems that will enable them to execute malicious code.
A common target of LabRat is a vulnerability known as CVE-2021-22205, which pertains to GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.9 to 13.10.3, 13.9.6, and 13.8.8. This vulnerability, rectified in April 2021, is classified as critical with a Common Vulnerability Scoring System (CVSS) score of 10.
Exploiting this vulnerability grants the attackers the ability to execute remote code without authentication. As part of their LabRat campaign, the attackers exploited this flaw to implant a script that accomplished several objectives:
- ensuring persistence within the compromised system,
- terminating specific processes to evade security measures,
- fetching supplementary binary files,
- enabling lateral movement by exfiltrating SSH keys.
Download second stage exploits from a varying source
Once the attackers gain a foothold on the system, they need to download their second stage exploits or code. But serving it from a fixed source guarantees that the source will be blocked by firewalls and network infrastructure in a matter of days, if not hours. To obscure their digital infrastructure, the attackers used subdomains provided by Cloudflare's TryCloudflare service. This involved acquiring and installing Cloudflared, followed by executing a particular command.
Using TryCloudflare, the attackers directed connections towards a server protected by passwords, which hosted the hacker code. For each execution of this script, they generated a fresh subdomain which makes tracking difficult.
Another approach used was to compromise a legitimate web page of a third party to host the code, which is trusted by the defence systems of the victim and provides a longer period of availability of the hacker code.
Make the second stage exploits difficult to detect by building fresh versions
The attackers pulled second stage exploits and peer-to-peer files from a private repository on GitLab. This repository stored diverse binary files, some of which had been recently compiled and were slightly different from previously known versions, so that they escape detection by antivirus systems for a longer time.
Make the ongoing communication to the hackers and the Peer-to-peer network invisible
The LabRat operators employed an open-source tool called Global Socket (GSocket). This tool provides capabilities to connect to a custom proxy network, has advanced traffic encryption capabilities, and provides connectivity via the Tor network. These features let the attackers maintain persistent access to compromised systems while network defences are unable to decrypt or inspect the traffic to the malicious systems.
Can we do something about this type of attack?
The LabRat campaign is very well thought out and systematic. But there are clear mechanisms that you can use to make the life of hackers a lot more difficult. All it takes is a little bit of tedious work and basic security hygiene:
- Diligently patch systems, especially systems that are exposed to the internet
- Use MFA for all user and especially Admin accounts, so a compromised password doesn't equate to a compromised user
- Block outbound traffic from servers except for whitelisted destinations.
- Use up-to-date antimalware on all systems (they don't catch it immediately, but eventually they do detect the malware, and faster than a human would)
- Maintain a frequent phishing awareness programme with tests and continuous education, since a vector of attack is always an email and a gullible user.
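The egress allowlist in the list above is also what makes the TryCloudflare trick described earlier visible: a server that is only allowed to talk to a handful of destinations has no business resolving a freshly minted trycloudflare.com subdomain or a random third-party site. The following is an added example (not code from the original article) that audits a resolver log from one server against such an allowlist. The log format, the allowlist contents and the log lines themselves are constructed; the only real-world detail is that TryCloudflare quick tunnels are served under trycloudflare.com.

```python
"""Added example (not from the original article): review outbound DNS lookups
from a server against an egress allowlist and flag TryCloudflare quick-tunnel
hostnames, which attackers rotate per run and so show up as never-seen names.

Assumptions (mine): log lines are in the constructed format
'<timestamp> <client_ip> <queried_name>'; the allowlist is the set of domains
this server is permitted to reach (subdomains of an entry are allowed too).
"""
TRYCLOUDFLARE_SUFFIX = ".trycloudflare.com"

# Constructed sample: resolver log from one internal server
LOG_LINES = """\
2023-08-21T10:00:01Z 10.0.5.12 packages.ubuntu.com
2023-08-21T10:00:07Z 10.0.5.12 security.ubuntu.com
2023-08-21T10:01:13Z 10.0.5.12 quiet-moss-example.trycloudflare.com
2023-08-21T10:01:14Z 10.0.5.12 gitlab.example.internal
2023-08-21T10:05:44Z 10.0.5.12 another-fresh-name.trycloudflare.com
2023-08-21T10:06:02Z 10.0.5.12 cdn.compromised-site.example
"""

# Constructed allowlist: what this particular server legitimately needs
ALLOWLIST = {"packages.ubuntu.com", "security.ubuntu.com", "gitlab.example.internal"}


def parse_line(line):
    """Split one constructed log line; normalise the name (lowercase, no trailing dot)."""
    ts, client, qname = line.split()
    return ts, client, qname.lower().rstrip(".")


def is_allowed(qname, allowlist=ALLOWLIST):
    """Exact match or a subdomain of an allowlisted name (never a mere suffix match)."""
    return any(qname == d or qname.endswith("." + d) for d in allowlist)


def audit(log_text, allowlist=ALLOWLIST, known_tunnels=None):
    """Return a list of (ts, client, qname, reason) findings.

    known_tunnels is the set of TryCloudflare hosts already seen in earlier
    runs; anything else under that suffix is reported as 'new tunnel host',
    which is the signal that matters when a fresh subdomain is minted per run.
    """
    known = set(known_tunnels or ())
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        if qname.endswith(TRYCLOUDFLARE_SUFFIX):
            reason = "tunnel host" if qname in known else "new tunnel host"
            known.add(qname)
            findings.append((ts, client, qname, reason))
        elif not is_allowed(qname, allowlist):
            findings.append((ts, client, qname, "not on egress allowlist"))
    return findings


if __name__ == "__main__":
    for finding in audit(LOG_LINES):
        print(*finding)
```

On the constructed log this yields three findings: two new tunnel hosts and one lookup of a site outside the allowlist, the latter being how a compromised third-party page used as a download host would surface. What this check cannot see is the GSocket and Tor traffic used for the ongoing connection, since that is encrypted and relayed; for that, the firewall's default-deny outbound rule does the work, and this audit simply confirms the rule is not being bypassed by DNS.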