The Sysdig Threat Research Team (TRT) has revealed significant developments in the activities of the SSH-Snake threat actor.
The group, now referred to as CRYSTALRAY, has notably expanded its operations, increasing its victim count tenfold to more than 1500.
According to a new advisory published by Sysdig last week, CRYSTALRAY has been observed using a variety of open source security tools to scan for vulnerabilities, deploy backdoors and maintain persistent access to compromised environments.
The worm initially leverages the SSH-Snake open source software in campaigns targeting Confluence vulnerabilities.
Read more on Confluence vulnerabilities: Hackers Target Atlassian Confluence With RCE Exploits
Sophisticated Tools and Techniques Utilized
Released in January 2024, CRYSTALRAY self-modifies and propagates using discovered SSH credentials, offering enhanced stealth and efficiency compared to traditional SSH worms. Its current operations include mass scanning and exploitation of multiple vulnerabilities, using tools such as nmap, asn, HTTPS, nuclei and Platypus.
The group’s primary objectives are collecting and selling credentials, deploying cryptominers and ensuring continuous access to compromised systems.
Their scanning techniques are sophisticated. For instance, they generate IP ranges for specific countries using the ASN tool, allowing precise targeting. The US and China account for over half of their targets. CRYSTALRAY uses nmap for rapid network scans, followed by HTTPS to verify domain status and nuclei for comprehensive vulnerability checks.
CRYSTALRAY’s exploitation phase involves modifying publicly available proof-of-concept (POC) exploits to include their payloads, often deploying Platypus or Sliver clients for persistent control.
Their tactics include leveraging SSH-Snake to capture and send SSH keys and command histories to their command-and-control (C2) servers. This method not only facilitates lateral movement within networks but also enables the attackers to extract valuable credentials from environment variables and history files.
The attackers also utilize the Platypus dashboard to manage multiple reverse shell sessions, with victim numbers fluctuating between 100 and 400 based on campaign activity.
“CRYSTALRAY is different from most of the threat actors we track as they solely use open source penetration testing tools,” said Michael Clark, senior director of threat research at Sysdig. “This allows them to scale up their operations and, as we saw, rapidly increase the amount of systems they compromise. Using SSH-SNAKE also allows them to get further into compromised networks than your typical attacker, giving them access to more systems and data. The more systems and data, the more profit.”
In addition to selling stolen credentials, CRYSTALRAY has been observed engaging in cryptomining operations, generating approximately $200 per month from victim resources. They also employ scripts to eliminate competing cryptominers on compromised systems, ensuring exclusive use of the resources.