Category: Threat Actor Activity | Industry: Global | Source: Permiso

A financially motivated threat actor known as 'GUI-vil' or 'p0-LUCR-1' has been active for the past 18 months, conducting cryptomining operations in the cloud. Researchers Ian Ahl and Daniel Bohannon from Permiso shared intelligence about the threat group from tracking their activity between November 2021 and April 2023. The origins of the group are unknown; while limited in reliability, a geolocation lookup of the threat actor's IP address traced the source to an Indonesian-based internet service provider. A notable trait of the threat actor is a distinct penchant for GUI-based tools: they are described as "allergic to CLI utilities, using S3 Browser and AWS Management Console via web browsers as their tooling." This trait led Permiso researchers to dub the group 'GUI-vil.'

Permiso describes GUI-vil as an "equal opportunity attacker": they'll scan for and exploit vulnerabilities such as GitLab's remote code execution vulnerability, CVE-2021-22205, or use exposed credentials to obtain a foothold in the target's environment. The threat actors displayed a range of technical acumen, blending into the environment to avoid detection and being able to "adapt their persistence to bypass restrictions the victim organization was putting in place." In addition, they strategically mimic legitimate users, generating usernames that align with the victim's naming conventions "or in some cases taking over existing users by creating login profiles for a user where none existed." Operational mistakes were also observed, such as leaving the S3 placeholder "<YOUR-BUCKET-NAME>" as the bucket name and leaving default policy names and IAM usernames in place. Within a 24-hour operation, the threat actors were able to achieve their goal of launching large EC2 instances for cryptomining.

Anvilogic Scenario:

  • AWS Recon, Policy, User & EC2 Manipulation

Anvilogic Use Cases:

  • S3 Bucket Enumeration AWS
  • AWS Create IAM Role OR Policy
  • AWS CreateAccessKey
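
One way to correlate the behaviours described above over CloudTrail records, added here as an example; it is not Permiso's or Anvilogic's detection content. The tag names, the three-tags-in-24-hours threshold, the sample records and the "S3 Browser" user-agent substring match are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PLACEHOLDER = "<YOUR-BUCKET-NAME>"  # placeholder bucket name quoted on this page
EVENT_TAGS = {  # CloudTrail eventName -> behaviour tag (tag names are hypothetical)
    "ListBuckets": "bucket_enumeration", "CreateLoginProfile": "login_profile_created",
    "CreateAccessKey": "access_key_created", "CreateRole": "iam_role_or_policy_change",
    "CreatePolicy": "iam_role_or_policy_change", "PutUserPolicy": "iam_role_or_policy_change"}

def classify(ev):
    """Return the behaviour tags one CloudTrail record matches."""
    name = ev.get("eventName")
    params = ev.get("requestParameters") or {}
    tags = {EVENT_TAGS[name]} if name in EVENT_TAGS else set()
    # Assumption: the S3 Browser client names itself in the userAgent field.
    if "s3 browser" in (ev.get("userAgent") or "").lower():
        tags.add("gui_s3_client")
    if PLACEHOLDER in str(params.get("policyDocument", "")):
        tags.add("placeholder_bucket_in_policy")
    return tags

def correlate(events, window=timedelta(hours=24), min_tags=3):
    """Source IP -> sorted tags, when min_tags distinct tags fall inside one window."""
    hits = defaultdict(list)
    for ev in events:
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        hits[ev["sourceIPAddress"]] += [(ts, tag) for tag in classify(ev)]
    alerts = {}
    for ip, seen in hits.items():
        for start, _ in sorted(seen):
            tags = {tag for ts, tag in seen if start <= ts <= start + window}
            if len(tags) >= min_tags:
                alerts[ip] = sorted(tags)
                break
    return alerts

def _ev(time, ip, name, ua="console.amazonaws.com", **params):
    return {"eventTime": time, "sourceIPAddress": ip, "eventName": name,
            "userAgent": ua, "requestParameters": params or None}

# Constructed sample records (documentation IP ranges, invented user names).
SAMPLE = [
    _ev("2023-01-10T02:00:00Z", "203.0.113.7", "ListBuckets", ua="S3 Browser (constructed)"),
    _ev("2023-01-10T02:20:00Z", "203.0.113.7", "PutUserPolicy", userName="svc-backup",
        policyDocument='{"Resource": "arn:aws:s3:::<YOUR-BUCKET-NAME>/*"}'),
    _ev("2023-01-10T03:05:00Z", "203.0.113.7", "CreateLoginProfile", userName="svc-backup"),
    _ev("2023-01-10T03:06:00Z", "203.0.113.7", "CreateAccessKey", userName="svc-backup"),
    _ev("2023-01-10T09:00:00Z", "198.51.100.20", "CreateAccessKey", userName="alice"),
    _ev("2023-01-12T09:00:00Z", "198.51.100.20", "ListBuckets"),
]
```

Grouping by source IP rather than by IAM user keeps the activity together when the operator switches to a newly created or taken-over identity; tune `min_tags` against normal administrative activity before alerting on it.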

