
Crypto Miners Using Tox P2P Messenger as Command and Control Server


Threat actors have begun to use the Tox peer-to-peer instant
messaging service as a command-and-control method, marking a shift
from its earlier role as a contact method for ransomware
negotiations.

The findings come from Uptycs, which analyzed an Executable and
Linkable Format (ELF) artifact (“72client”[1]) that functions as a
bot and can run scripts on the compromised host using the Tox
protocol.

Tox is a serverless protocol[2] for online communications that
offers end-to-end encryption (E2EE) protections by making use of the
Networking and Cryptography library (NaCl[3], pronounced “salt”) for
encryption and authentication.


“The binary found in the wild is a stripped but dynamic
executable, making decompilation easier,” researchers Siddharth
Sharma and Nischay Hedge said[4]. “The entire binary
appears to be written in C, and has only statically linked[5]
the c-toxcore library.”

It’s worth noting that c-toxcore is a reference implementation[6]
of the Tox protocol.


The reverse engineering undertaken by Uptycs shows that the ELF
file is designed to write a shell script to the location “/var/tmp/”[7]
– a directory used for temporary file creation in Linux – and launch
it, enabling it to run commands to kill cryptominer related processes.

Also executed is a second routine that allows it to run a number
of specific commands (e.g., nproc[8], whoami[9], machine-id[10], etc.) on the system,
the results of which are subsequently sent over UDP to a Tox
recipient.


Additionally, the binary comes with capabilities to receive
different commands through Tox, based on which the shell script is
updated or gets executed on an ad-hoc basis. An “exit” command
issued quits the Tox connection.

Tox has been historically used by ransomware actors as a
communication mechanism, but the latest development marks the first
time the protocol is being used to run arbitrary scripts on an
infected machine.

“While the discussed sample does not do anything explicitly
malicious, we feel that it might be a component of a coinminer
campaign,” the researchers said. “Therefore, it becomes important
to monitor the network components involved in the attack
chains.”
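A host-and-network triage check for the behaviour described above (an added example, not Uptycs' code or tooling): it flags executable shell scripts recently written under /var/tmp and UDP sockets that fan out from one source port to many distinct peers, the pattern a Tox node's DHT traffic produces. The port 33445 (Tox's commonly used bootstrap port), the Zeek conn.log input, the constructed sample data and the function names are assumptions of this example; the article names no port.

```python
import os
import stat
import time
from collections import defaultdict

# Commonly used Tox UDP bootstrap port (assumption; the article names no port).
TOX_UDP_PORT = 33445


def udp_fanout(conn_log_lines, min_peers=8):
    """Parse Zeek conn.log rows (tab-separated: ts uid orig_h orig_p resp_h
    resp_p proto ...) and return {(orig_h, orig_p): [peers]} for UDP source
    sockets that talk to at least min_peers distinct hosts (DHT-style fan-out)."""
    peers = defaultdict(set)
    for line in conn_log_lines:
        if not line or line.startswith("#"):  # skip Zeek header/comment rows
            continue
        f = line.rstrip("\n").split("\t")
        if len(f) < 7 or f[6] != "udp":
            continue
        peers[(f[2], int(f[3]))].add((f[4], int(f[5])))
    return {k: sorted(v) for k, v in peers.items() if len(v) >= min_peers}


def suspicious_tmp_scripts(entries, now, max_age_s=3600):
    """entries: iterable of (path, st_mode, st_mtime, head_bytes). Flag regular,
    executable files written within max_age_s whose first line is a shell shebang,
    i.e. the dropped-script pattern described in the article."""
    hits = []
    for path, mode, mtime, head in entries:
        if not stat.S_ISREG(mode) or not (mode & 0o111) or now - mtime > max_age_s:
            continue
        first = head.split(b"\n", 1)[0]
        if first.startswith(b"#!") and b"sh" in first:
            hits.append(path)
    return hits


def scan_tmp_dir(path="/var/tmp", now=None):
    """Build entries from a live directory and run suspicious_tmp_scripts() on them."""
    now = time.time() if now is None else now
    recs = []
    for de in os.scandir(path):
        try:
            st = de.stat(follow_symlinks=False)
            head = b""
            if stat.S_ISREG(st.st_mode):
                with open(de.path, "rb") as fh:
                    head = fh.read(64)
        except OSError:
            continue
        recs.append((de.path, st.st_mode, st.st_mtime, head))
    return suspicious_tmp_scripts(recs, now)


# Constructed sample data: one host sprays UDP from a single source port to ten peers.
SAMPLE_CONN = ["#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"] + [
    f"1.0\tC{i}\t10.0.0.5\t33445\t203.0.113.{i}\t{TOX_UDP_PORT}\tudp" for i in range(1, 11)
] + ["1.0\tCdns\t10.0.0.5\t51000\t10.0.0.53\t53\tudp"]
SAMPLE_TMP = [  # constructed (path, mode, mtime, head) records
    ("/var/tmp/x.sh", stat.S_IFREG | 0o755, 999_900.0, b"#!/bin/sh\npkill -f miner\n"),
    ("/var/tmp/old.sh", stat.S_IFREG | 0o755, 900_000.0, b"#!/bin/bash\necho hi\n"),
    ("/var/tmp/notes.txt", stat.S_IFREG | 0o644, 999_950.0, b"#!/bin/sh\n"),
]
```

Run `scan_tmp_dir()` on a live host to apply the same file check to the real /var/tmp.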

The disclosure also arrives amid reports that the decentralized
file system solution known as IPFS is being increasingly used[11] for hosting phishing
sites in an effort to make takedowns more difficult.

References

  1. 72client (www.virustotal.com)
  2. serverless protocol (tox.chat)
  3. NaCl (nacl.cr.yp.to)
  4. said (www.uptycs.com)
  5. statically linked (opensource.com)
  6. reference implementation (github.com)
  7. /var/tmp/ (help.ubuntu.com)
  8. nproc (man7.org)
  9. whoami (man7.org)
  10. machine-id (man7.org)
  11. increasingly used (thehackernews.com)
