ioc[.]one - OSINT Cyber Threat Intelligence Database

Qubitstrike - An Emerging Malware Campaign Targeting Jupyter Notebooks - Cado Security | Cloud Forensics & Incident Response

Tags

cmtmf-attack-pattern:	Resource Hijacking
country:	Tunisia
maec-delivery-vectors:	Watering Hole
attack-pattern:	Data Cloud Services - T1021.007 Credentials - T1589.001 Cron - T1053.003 Ip Addresses - T1590.005 Malware - T1587.001 Malware - T1588.001 Python - T1059.006 Resource Hijacking - T1496 Server - T1583.004 Server - T1584.004 Serverless - T1583.007 Serverless - T1584.007 Ssh - T1021.004 Connection Proxy - T1090 Rootkit - T1014 Sudo - T1169 Rootkit

Show in Graph

Common Information

Type	Value
UUID	7895b46c-74de-488b-ae4e-5014ad115f14
Fingerprint	b421c85b2cafac80
Analysis status	DONE
Considered CTI value	2
Text language
Published	Oct. 18, 2023, 10 a.m.
Added to db	Oct. 22, 2023, 10:39 p.m.
Last updated	Nov. 17, 2024, 10:43 p.m.
Headline	Qubitstrike - An Emerging Malware Campaign Targeting Jupyter Notebooks
Title	Qubitstrike - An Emerging Malware Campaign Targeting Jupyter Notebooks - Cado Security \| Cloud Forensics & Incident Response
Detected Hints/Tags/Attributes	104/4/69

Source URLs

	Redirection	Url
Details	Source	https://www.cadosecurity.com/qubitstrike-an-emerging-malware-campaign-targeting-jupyter-notebooks/

URL Provider

Details	Provider	Source level domain
Details	cadosecurity.com	www.cadosecurity.com

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	281	✔	—	https://www.cadosecurity.com/feed/	2024-08-30 22:08

Attributes

Details	Type	#Events	Value
Details	Domain	6	codeberg.org
Details	Domain	4	mi.sh
Details	Domain	16	gitee.com
Details	Domain	1	z3.sh
Details	Domain	2	mr.sh
Details	Domain	1	mine.sh
Details	Domain	1	2mr.sh
Details	Domain	1	cr5.sh
Details	Domain	1	he.sh
Details	Domain	4	miner.sh
Details	Domain	4	mine.moneropool.com
Details	Domain	2	pool.t00ls.ru
Details	Domain	6	xmr.crypto-pool.fr
Details	Domain	8	monerohash.com
Details	Domain	1	stratum.f2pool.com
Details	Domain	6	xmrpool.eu
Details	Domain	1	pro.sh
Details	Domain	145	api.telegram.org
Details	Domain	117	ld.so
Details	Domain	1	libnetresolv.so
Details	Domain	2	kdfs.py
Details	Domain	4	discord.py
Details	Domain	3	killer.sh
Details	Domain	12	pool.hashvault.pro
Details	File	1	iptables.log
Details	File	115	auth.log
Details	File	4	cron.log
Details	File	1	xm.tar
Details	File	42	request.url
Details	File	153	config.json
Details	File	9	access_tokens.db
Details	File	10	credentials.db
Details	File	5	censys.cfg
Details	File	10	filezilla.xml
Details	File	34	recentservers.xml
Details	File	5	queue.sql
Details	File	25	accounts.xml
Details	File	6	azure.json
Details	File	49	id_rsa.pub
Details	File	1	hf.tar
Details	File	2	kdfs.py
Details	File	4	discord.py
Details	File	2	xm64.tar
Details	sha256	1	420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Details	sha256	2	9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd
Details	sha256	2	bd23597dbef85ba141da3a7f241c2187aa98420cc8b47a7d51a921058323d327
Details	sha256	2	96de9c6bcb75e58a087843f74c04af4489f25d7a9ce24f5ec15634ecc5a68cd7
Details	sha256	3	20a0864cb7dac55c184bd86e45a6e0acbd4bb19aa29840b824d369de710b6152
Details	sha256	2	ae65e7c5f4ff9d56e882d2bbda98997541d774cefb24e381010c09340058d45f
Details	sha256	2	a34a36ec6b7b209aaa2092cc28bc65917e310b3181e98ab54d440565871168cb
Details	IPv4	1	107.174.47.156
Details	IPv4	1	83.220.169.247
Details	IPv4	1	51.38.203.146
Details	IPv4	1	144.217.45.45
Details	IPv4	1	107.174.47.181
Details	IPv4	1	176.31.6.16
Details	IPv4	1441	127.0.0.1
Details	IPv4	1	46.243.253.15
Details	IPv4	1	108.174.197.76
Details	IPv4	1	192.236.161.6
Details	IPv4	2	88.99.242.92
Details	MITRE ATT&CK Techniques	107	T1496
Details	Url	1	https://codeberg.org/m4rt1/sh/raw/branch/main/mi.sh
Details	Url	1	https://api.telegram.org/bot6245402530
Details	Url	1	https://codeberg.org/m4rt1/sh/raw/branch/main/kdfs.py
Details	Url	2	https://codeberg.org/m4rt1/sh/raw/branch/main/xm64.tar.gz
Details	Url	2	https://codeberg.org/m4rt1/sh/raw/branch/main/killer.sh
Details	Url	2	https://codeberg.org/m4rt1/sh/raw/branch/main/kill_loop.sh
Details	Yara rule	1	rule Miner_Linux_Qubitstrike { meta: description = "Detects Qubitstrike primary payload (mi.sh)" author = " [email protected] " date = "2023-10-10" attack = "T1496" license = "Apache License 2.0" hash1 = "9a5f6318a395600637bd98e83d2aea787353207ed7792ec9911b775b79443dcd" strings: $const1 = "miner_url=" $const2 = "miner_name=" $const3 = "killer_url=" $const4 = "kill_url2=" $creds = "\"credentials\" \"cloud\" \".s3cfg\" \".passwd-s3fs\" \"authinfo2\" \".s3backer_passwd\" \".s3b_config\" \"s3proxy.conf\"" $log1 = "Begin disable security" $log2 = "Begin proccess kill" $log3 = "setup hugepages" $log4 = "SSH setup" $log5 = "Get Data && sent stats" $diam1 = "H4sIAAAAAAAAA+0ba3PbNjJfxV+BKq2HVGRbshW1jerMuLLi6PyQR7bb3ORyGJqEJJ4oksOHE7f1" $diam2 = "I2RlZmluZSBfR05VX1NPVVJDRQoKI2luY2x1ZGUgPHN0ZGlvLmg" $wallet = "49qQh9VMzdJTP1XA2yPDSx1QbYkDFupydE5AJAA3jQKTh3xUYVyutg28k2PtZGx8z3P2SS7VWKMQUb9Q4WjZ3jdmHPjoJRo" condition: 3 of ($const) and $creds and 3 of ($log) and all of ($diam*) and $wallet }