A malicious threat actor has exploited a misconfigured instance of Open WebUI, a widely-used self-hosted AI interface with over 95,000 stars on GitHub, designed to enhance large language models (LLMs).
This incident underscores the growing risks associated with internet-exposed AI tools, as attackers leveraged administrative access on a vulnerable system to inject malicious AI-generated Python scripts, deploy cryptominers, and execute sophisticated infostealer malware.
The attack, which targeted both Linux and Windows environments, highlights the critical need for robust runtime security and multi-layer threat detection to combat such complex threats.
.png
)
Exploiting Open WebUI for Cryptojacking
The breach began with the accidental exposure of a training system running Open WebUI to the internet, misconfigured with administrative privileges and no authentication.
This oversight allowed attackers to access the system and utilize Open WebUI Tools a plugin system meant to extend LLM functionality to upload and execute malicious Python code.
The script, obfuscated with a technique dubbed “pyklump” by Sysdig TRT, featured 64 layers of compressed Base64 reversed encoding, making it difficult to analyze initially.
Once decoded, the payload revealed an AI-assisted design, characterized by uniform formatting and inline format string variables, suggesting rapid development using an LLM.
On Linux, the script copied itself to a hidden “.config” directory, downloaded cryptominers like T-Rex and XMRig for Monero and Kawpow mining, and employed defense evasion tools such as processhider and argvhider.
These tools, loaded via LD_PRELOAD, hid miner processes and arguments from system utilities.
Persistence was achieved through a deceptive “ptorch_updater” systemd service, while a Discord webhook facilitated command-and-control (C2) communications, transmitting victim data like IP addresses and system details.
Attack Paths Across Linux and Windows Systems
In the Windows attack path, the payload took a more insidious turn, installing the Java Development Kit (JDK) to execute a malicious JAR file, “application-ref.jar,” downloaded from a now-inactive IP.
According to the Report, This JAR acted as a loader for secondary malware, including infostealers targeting Chrome extensions and Discord tokens, alongside evasion techniques like sandbox detection and disabling debugging mechanisms.
The malware embedded DLLs with XOR encoding and named pipe operations, further complicating detection.
With low VirusTotal detection rates (as low as 1/73 for some components), the Windows payload demonstrated near-undetectable sophistication, emphasizing the financial motivations behind credential theft for further exploitation or resale in underground markets.
This attack, detected by Sysdig Secure through YARA rules, LD_PRELOAD library injection alerts, and DNS lookups for suspicious domains, serves as a stark reminder of the perils of misconfigured AI tools.
Accidental exposures of systems like Open WebUI can provide attackers with a gateway to deploy cryptojacking and data theft operations.
Indicators of Compromise (IoCs)
| Indicator Name | Indicator Type | Indicator Value |
|---|---|---|
| application-ref.jar | SHA256 | 1e6349278b4dce2d371db2fc32003b56f17496397d314a89dc9295a68ae56e53 |
| LICENSE.jar | SHA256 | 833b989db37dc56b3d7aa24f3ee9e00216f6822818925558c64f074741c1bfd8 |
| RavenCoin Wallet | Wallet Address | RHXQyAmYhj9sp69UX1bJvP1mDWQTCmt1id |
| Monero XMR Wallet | Wallet Address | 45YMpxLUTrFQXiqgCTpbFB5mYkkLBiFwaY4SkV55QeH2VS15GHzfKdaTynf2StMkq2HnrLqhuVP6tbhFCr83SwbWExxNciB |
| Malicious JAR Downloader URL | URL | http://185.208.159.155:8000/application-ref.jar |
