GUI-vil’s Strategies in AWS Compromises


Researchers have been tracking a financially motivated threat group known as GUI-vil (aka p0-LUCR-1), based in Indonesia, which engages in unauthorized cryptocurrency mining.


GUI-vil is a financially motivated threat group operating from Indonesia whose primary objective is unauthorized cryptocurrency mining. Using compromised credentials, the group has been observed abusing Amazon Web Services (AWS) EC2 instances to run its illicit crypto-mining operations. Permiso first observed this threat actor in November 2021 and most recently observed its activity in April 2023.

After gaining access to the AWS Management Console, the group carries out its activity directly through the web browser. Permiso researchers, who track the threat actor, note that unlike many other cloud attackers GUI-vil does not rely on automation: the operators work hands-on-keyboard. The attackers' source IP addresses belong to the following Indonesian Autonomous System Numbers (ASNs): PT Telekomunikasi Selular and PT Telekomunikasi Indonesia.

They attempt to masquerade as legitimate users by creating usernames that follow the victim's naming standard, or in some cases by taking over existing users: creating a login profile for a user that never had one. In the audit log this takeover appears as a failed iam:GetLoginProfile call followed by a successful iam:CreateLoginProfile call for the same user.

The ultimate goal of the hackers is to quietly set up cryptomining software — also known as cryptojacking — on instances of Elastic Compute Cloud (EC2), which allows users to rent computing resources.

“GUI-vil is an equal opportunity attacker,” the researchers say. “Rather than targeting specific organizations, they are opportunistic and will attempt to attack any organization for which they can discover compromised credentials.”

IOCs

Indicator                                  Type         Attribution
182.1.229.252                              IPv4         PT. Telekomunikasi Selular
114.125.247.101                            IPv4         PT. Telekomunikasi Selular
114.125.245.53                             IPv4         PT. Telekomunikasi Selular
114.125.232.189                            IPv4         PT. Telekomunikasi Selular
114.125.228.81                             IPv4         PT. Telekomunikasi Selular
114.125.229.197                            IPv4         PT. Telekomunikasi Selular
114.125.246.235                            IPv4         PT. Telekomunikasi Selular
114.125.246.43                             IPv4         PT. Telekomunikasi Selular
36.85.110.142                              IPv4         PT Telekomunikasi Indonesia
S3 Browser 9.5.5 https://s3browser.com/    User-Agent   (client user agent string)
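The two detection opportunities the article gives, the failed iam:GetLoginProfile followed by a successful iam:CreateLoginProfile for the same user, and the source IPs and S3 Browser user agent in the IOC list, can be turned into a small hunt over CloudTrail records. The following Python is an added example written for this page; it is not Permiso's or FirstHackersNews' code. The CloudTrail records in SAMPLE_EVENTS are constructed for the example (the field names follow the CloudTrail schema, the values and user names are made up), and the 30-minute pairing window is an assumed tuning value, not something the article states.

```python
from datetime import datetime, timedelta

# Source IPs taken from the article's IOC list.
GUI_VIL_IPS = {
    "182.1.229.252", "114.125.247.101", "114.125.245.53", "114.125.232.189",
    "114.125.228.81", "114.125.229.197", "114.125.246.235", "114.125.246.43",
    "36.85.110.142",
}
# Substring of the user agent listed as an IOC. S3 Browser is a generic
# client, so this is a weak signal on its own and is reported together
# with the IP match rather than as a verdict.
S3_BROWSER_UA = "S3 Browser"

# Constructed CloudTrail-style records (not real logs). Field names follow
# the CloudTrail schema; the IPs 203.0.113.7 / 198.51.100.9 are documentation
# ranges and the user names are invented.
SAMPLE_EVENTS = [
    {"eventTime": "2023-04-02T10:01:12Z", "eventName": "GetLoginProfile",
     "eventSource": "iam.amazonaws.com", "errorCode": "NoSuchEntityException",
     "sourceIPAddress": "114.125.246.43", "userAgent": "console.amazonaws.com",
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2023-04-02T10:01:40Z", "eventName": "CreateLoginProfile",
     "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "114.125.246.43", "userAgent": "console.amazonaws.com",
     "requestParameters": {"userName": "svc-backup"}},
    # Benign: an admin creating a profile without a preceding failed lookup.
    {"eventTime": "2023-04-02T09:15:00Z", "eventName": "CreateLoginProfile",
     "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "203.0.113.7", "userAgent": "console.amazonaws.com",
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2023-04-02T11:20:05Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.9",
     "userAgent": "S3 Browser 9.5.5 https://s3browser.com/",
     "requestParameters": None},
]


def _ts(event):
    """Parse the CloudTrail eventTime (UTC, ISO 8601 with trailing Z)."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _target_user(event):
    """IAM user named in the request, or None for non-IAM calls."""
    params = event.get("requestParameters") or {}
    return params.get("userName")


def find_login_profile_takeovers(events, window=timedelta(minutes=30)):
    """Return (user, source_ip, create_time) for every successful
    CreateLoginProfile that follows a failed GetLoginProfile for the
    same user within `window` (assumed tuning value)."""
    failed_lookups = {}  # user -> time of most recent failed GetLoginProfile
    hits = []
    for ev in sorted(events, key=_ts):
        user = _target_user(ev)
        if not user:
            continue
        if ev["eventName"] == "GetLoginProfile" and ev.get("errorCode"):
            failed_lookups[user] = _ts(ev)
        elif ev["eventName"] == "CreateLoginProfile" and not ev.get("errorCode"):
            failed_at = failed_lookups.get(user)
            if failed_at is not None and _ts(ev) - failed_at <= window:
                hits.append((user, ev["sourceIPAddress"], ev["eventTime"]))
    return hits


def match_iocs(events):
    """Return (eventName, source_ip, reasons) for events whose source IP or
    user agent matches the article's IOC list, in time order."""
    hits = []
    for ev in sorted(events, key=_ts):
        reasons = []
        if ev.get("sourceIPAddress") in GUI_VIL_IPS:
            reasons.append("source IP in GUI-vil IOC list")
        if S3_BROWSER_UA in (ev.get("userAgent") or ""):
            reasons.append("S3 Browser user agent")
        if reasons:
            hits.append((ev["eventName"], ev["sourceIPAddress"], reasons))
    return hits


if __name__ == "__main__":
    for user, ip, when in find_login_profile_takeovers(SAMPLE_EVENTS):
        print(f"possible login-profile takeover: user={user} ip={ip} at {when}")
    for name, ip, reasons in match_iocs(SAMPLE_EVENTS):
        print(f"IOC match: {name} from {ip}: {', '.join(reasons)}")
```

The takeover check keys on the target user rather than on the caller, because the article's pattern is about the account being hijacked, and it only fires when the CreateLoginProfile succeeds. In a real deployment the records would come from the CloudTrail bucket or Athena rather than an inline list, and the IP match should be treated as a pivot point for review of the same identity's other activity, not as proof of compromise.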


About the Author:

FirstHackersNews- Identifies Security
