Cybercriminals Competing for Cryptocurrency Mining Foothold

Posted by & filed under Security News.

The Pacha Group is a threat actor discovered by Intezer and profiled in a blog post published on February 28, 2019. Dating back to September 2018 the Pacha Group has deployed undetected crypto-mining malware to infiltrate Linux servers and mine cryptocurrency without user permissions.

One of the more notable observations discerned by Intezer researchers was the remarkably aggressive behavior exhibited by the Pacha Group’s crypto-mining malware, named Linux.GreedyAntd, which was using a large number of techniques to disable or eliminate other miners on the servers.

Intezer researchers have discovered that the Pacha Group is now targeting cloud-based infrastructures, while identifying new, undetected variants of Linux.GreedyAntd which share significant amounts of code with previous variants. Like previous versions, the malware being used is mainly focused on cryptomining, this time with some updated operational mechanisms.

Cryptominers can interfere with the normal operation of production servers and can cause challenges to business continuity and financial loss due to excessive resource consumption. Within these new variants, strong evidence suggests that the Pacha Group is largely focused on disabling previously installed cryptominers from the Rocke cybercrime group, competing with the threat group to obtain the largest foothold of computing power to carry out their malicious mining efforts.

The Rocke Group was first reported by Cisco Talos researchers and is also known to target cloud-based environments. The Rocke Group has been deploying sophisticated crypto-mining campaigns in Linux servers and cloud-based environments as reported in January 2019 by Palo Alto Unit 42.

There is also strong evidence to suggest that the attack vector was a known vulnerability published on Atlassian Confluence in March 2019.

Mitigation Recommendations

1) Checking for infection – We have published YARA rules that can help users scan the filesystem or memory of their Linux machines to check for Linux.GreedyAntd infections: GitHub.

2) Remediation / Clean up – Due to the Pacha Group’s aggressive persistence mechanisms such as rootkits and multiple implants, we recommend that the most effective way to clean up an infected system is to restore it from its backup, or if possible, terminate and start a new server.

3) Vulnerability patching – Refer to the recent Atlassian vulnerability disclosure for instructions on how to patch the vulnerable Confluence version.


By searching for and disabling previously installed cryptominers from other cybercrime groups, namely the Rocke Group, the Pacha Group is competing to obtain a foothold of computing power on the cloud for malicious crypto-mining activities.

We believe that these findings are relevant within the context of raising awareness about cloud-native threats, particularly on vulnerable Linux servers. While threat actor groups are competing with one another, this evidence may suggest that threats to cloud infrastructure are increasing. Unfortunately detection rates of Linux-based malware remain low and the security industry needs more awareness to more effectively mitigate these threats.

Technical Analysis and IOCs

To view the full technical analysis [TA] and IOCs, please visit HERE.


The information contained in this website is for general information purposes only. The information is gathered from Intezer while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.