Cryptomining group traced to Indonesia uses compromised AWS accounts

A financially motivated cyberthreat group is attacking organizations’ Amazon Web Services (AWS) accounts to set up illicit cryptomining operations, researchers say.

Analysts at cloud security company Permiso traced the activity to IP addresses associated with Indonesian internet service providers, but the report doesn’t speculate on who the attackers are.

They “are engaged attackers at the keyboard, ready to adapt to whatever situation they are in,” write Permiso’s Ian Ahl and Daniel Bohannon, who both previously worked for cybersecurity giant Mandiant.

“They fight hard to maintain access in an environment when defenders find them. They don’t just tuck their tail and leave,” the researchers say. Permiso says it has been tracking the group for about 18 months.

Permiso is calling the group GUI-vil (pronounced Goo-ee-vil) because of its penchant for using graphical user interfaces (GUIs), specifically an older version of S3 Browser, a Windows desktop client for Amazon S3 that the attackers drive with stolen credentials.

The attackers begin by finding publicly exposed AWS access credentials or hacking into services like GitLab to collect them, the report says.

“GUI-vil, unlike many groups focused on crypto mining, apply a personal touch when establishing a foothold in an environment,” Ahl and Bohannon write. “They attempt to masquerade as legitimate users by creating usernames that match the victim’s naming standard, or in some cases taking over existing users by creating login profiles for a user where none existed.”

The ultimate goal of the hackers is to quietly install cryptomining software (a practice known as cryptojacking) on instances of Elastic Compute Cloud (EC2), the AWS service that lets customers rent computing capacity, so that the victim pays for the attackers' mining.
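Each of the behaviours the article attributes to GUI-vil leaves an API record in CloudTrail: a CreateLoginProfile call when console access is added to a user that previously only had access keys, a CreateUser call for a look-alike account, and RunInstances calls when capacity is spun up for the miner. The script below is an added detection example, not code from Permiso's report or from this article. It runs over a handful of constructed CloudTrail-style records, and every ARN, account ID, access key ID, user name and user-agent string in it is made up. The "S3 Browser" match assumes the tool identifies itself in CloudTrail's userAgent field; confirm the exact string in your own logs before relying on it.

```python
"""Added detection example for the GUI-vil tradecraft described above.
Not code from the Permiso report or from Recorded Future News.
Runs over constructed CloudTrail-style records and flags three behaviours:
  * CreateLoginProfile: console password granted to an existing IAM user,
  * CreateUser: a new (possibly look-alike) IAM user,
  * RunInstances: EC2 capacity for the miner,
and raises severity when the user agent looks like S3 Browser or when the
same access key both touches IAM and launches compute.
All identifiers below are made up; the S3 Browser user-agent pattern is an
assumption to verify against real logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Calls that create or extend a foothold in IAM.
IAM_PERSISTENCE = {"CreateUser", "CreateLoginProfile", "CreateAccessKey"}
# Calls that provision the compute a miner needs.
COMPUTE = {"RunInstances"}
# Assumed marker for the S3 Browser GUI client (verify in your own logs).
GUI_UA = re.compile(r"s3 ?browser", re.IGNORECASE)

# Constructed records in the shape of CloudTrail "Records" entries.
_KEY_A = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy",
          "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
_KEY_B = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/platform-admin",
          "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}
SAMPLE_EVENTS = [
    {"eventTime": "2023-05-22T10:01:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": _KEY_A, "userAgent": "aws-cli/2.11.0",
     "sourceIPAddress": "203.0.113.10", "requestParameters": None},
    {"eventTime": "2023-05-22T10:02:00Z", "eventName": "CreateLoginProfile",
     "userIdentity": _KEY_A, "userAgent": "S3 Browser 9.x",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "ci-deploy", "passwordResetRequired": False}},
    {"eventTime": "2023-05-22T10:03:00Z", "eventName": "CreateUser",
     "userIdentity": _KEY_A, "userAgent": "S3 Browser 9.x",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "ci-deploy-2"}},
    {"eventTime": "2023-05-22T10:09:00Z", "eventName": "RunInstances",
     "userIdentity": _KEY_A, "userAgent": "aws-sdk-go/1.44",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceType": "c5.24xlarge"}},
    {"eventTime": "2023-05-22T11:30:00Z", "eventName": "RunInstances",
     "userIdentity": _KEY_B, "userAgent": "aws-cli/2.11.0",
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"instanceType": "t3.small"}},
]


@dataclass
class Finding:
    event_time: str
    event_name: str
    principal: str
    severity: str
    reason: str


def analyze(events):
    """Return one Finding per suspicious event, in input order."""
    # First pass: which API calls each access key made, for correlation.
    seen = defaultdict(set)
    for ev in events:
        seen[ev["userIdentity"].get("accessKeyId", "")].add(ev["eventName"])

    findings = []
    for ev in events:
        name = ev["eventName"]
        if name not in IAM_PERSISTENCE | COMPUTE:
            continue
        ident = ev["userIdentity"]
        key = ident.get("accessKeyId", "")
        params = ev.get("requestParameters") or {}
        reasons = []
        if name == "CreateLoginProfile":
            reasons.append(f"console password set for {params.get('userName', '?')}")
        elif name == "CreateUser":
            reasons.append(f"new IAM user {params.get('userName', '?')} created")
        elif name == "CreateAccessKey":
            reasons.append(f"new access key for {params.get('userName', '?')}")
        elif name == "RunInstances":
            reasons.append(f"EC2 launch ({params.get('instanceType', 'unknown type')})")

        gui = bool(GUI_UA.search(ev.get("userAgent", "")))
        if gui:
            reasons.append("S3 Browser user agent")
        # A key that both extends IAM and launches compute is rarely an admin at work.
        chained = bool(seen[key] & IAM_PERSISTENCE) and bool(seen[key] & COMPUTE)
        if chained:
            reasons.append("same access key did IAM persistence and EC2 launch")
        if ev.get("errorCode"):
            reasons.append(f"call failed: {ev['errorCode']}")  # denied probes are still signal

        severity = "high" if (gui or chained) else "medium"
        findings.append(Finding(ev["eventTime"], name, ident.get("arn", "?"),
                                severity, "; ".join(reasons)))
    return findings


def summarize(events):
    """Count findings per severity, e.g. {'high': 3, 'medium': 1}."""
    counts = defaultdict(int)
    for f in analyze(events):
        counts[f.severity] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.event_time} {f.event_name:18} {f.principal} :: {f.reason}")
    print(summarize(SAMPLE_EVENTS))
```

The part worth carrying into production is the correlation rather than the user-agent string: the GUI fingerprint changes as soon as the attackers switch tools, but a single access key that adds a login profile or a new user and then calls RunInstances within minutes stays suspicious. A real rule would also join CreateLoginProfile against the list of users that already had console access, which is the "login profiles where none existed" pivot the researchers describe, and would enrich with the source IP's ASN.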

“GUI-vil is an equal opportunity attacker,” the researchers say. “Rather than targeting specific organizations, they are opportunistic and will attempt to attack any organization for which they can discover compromised credentials.”

Financially motivated hackers continue to find creative avenues to mine cryptocurrency on hijacked computers. A report in March cited a compromised version of the video editing software Final Cut Pro. Attackers also have abused other aspects of Amazon Web Services technology for cryptomining.

Despite falling digital asset prices, cryptojacking reached record levels in 2022, according to research from cybersecurity firm SonicWall.

Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.