Physicist Dr. Robert Helling at LMU Munich, one of the sites similarly attacked, published a preliminary analysis of the malware at https://atdotde.blogspot.com/2020/05/high-performance-hackers.html. He discovered altered files in /etc/fonts. In particular, the .fonts file was an executable with SUID root that simply gave a root shell (running bash). Another file in /etc/fonts named .low was larger and obfuscated by XORing. He was able to decode some of this and determine that it had lists of files in /var/log, presumably because it cleaned the logs. Also, they likely were able to steal additional SSH private keys from user directories, enabling them to login as many different legitimate users to further obscure the tracing.
Clearly, a sophisticated attack. Less clear is how they managed to implant the rootkit in /etc/fonts in the first place. Stealing a SSH private key from someone's personal device doesn't explain it. They could get a shell as a legitimate user, but still should not allow planting the rootkit in /etc/fonts. I wonder if their IPS only looks for remote password guessing attacks and not from sudo attempts.
In any case, it looks like they were able to delete logging and probably more, so the evidence of crypto mining, or anything else they did, is of course going to be limited. There is probably a gateway or router from which investigators could determine IP traffic, and that would reveal the extent of crypto mining.
Biting the hand that feeds IT
