
Cybersecurity researchers have discovered a new campaign that delivers a cryptocurrency miner called Linuxsys by exploiting a known security flaw in Apache HTTP Server.
The vulnerability in question is CVE-2021-41773 (CVSS score: 7.5), a high-severity path traversal vulnerability in Apache HTTP Server version 2.4.49 that can lead to remote code execution.
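For defenders, the useful question is whether exploitation attempts against this flaw show up in web server logs. The following scanner is an added example, not code from the article or from Vulncheck; the log lines are constructed samples, and the percent-encoded dot-segment pattern it looks for is assumed from the public description of CVE-2021-41773 rather than taken from this page.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); the second one carries a
# percent-encoded ".." segment of the kind httpd 2.4.49 failed to normalise.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jul/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.11 - - [17/Jul/2025:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1290
203.0.113.12 - - [17/Jul/2025:10:00:03 +0000] "GET /docs/../images/logo.png HTTP/1.1" 404 210
"""

def decode_path(raw: str) -> str:
    """Percent-decode up to three times so double-encoded dots (%252e) unpack too."""
    prev, cur = None, raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur

def classify_request(path: str):
    """Return None, 'plain_traversal' or 'encoded_traversal' for a raw request path.

    A literal '..' segment is normalised by httpd and is only noise; a '..'
    segment that appears only after decoding is the bypass shape worth alerting on.
    """
    if '..' in decode_path(path).split('/'):
        return 'plain_traversal' if '..' in path.split('/') else 'encoded_traversal'
    return None

def scan_log(text: str) -> list:
    """Parse log lines and return one record per traversal attempt found."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_request(m['path'])
        if kind:
            hits.append({'ip': m['ip'], 'path': m['path'],
                         'status': int(m['status']), 'kind': kind})
    return hits
```

A 200 status on an `encoded_traversal` hit is the case to escalate, since it suggests the request was served rather than rejected.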
“Attackers leverage compromised legitimate websites to distribute malware, allowing stealthy delivery and evasion of detection,” Vulncheck said in a report shared with The Hacker News.
The infection sequence, observed earlier this month and originating from the Indonesian IP address 103.193.177[.]152, is designed to drop the next-stage payload from RepositoryLinux[.]org using “curl” or “wget.”
The payload is a shell script responsible for downloading the Linuxsys cryptocurrency miner from five different legitimate websites, suggesting that the threat actors behind the campaign have compromised third-party infrastructure to facilitate the distribution of the malware.

“This approach is smart because victims will connect to legitimate hosts with valid SSL certificates and are unlikely to cause lower detection,” Vulncheck said. “In addition, it provides a separation layer for the downloader site (‘RepositoryLinux[.]org’) because the malware itself is not hosted there.”
The site also hosts another shell script named “cron.sh” which ensures that the miner starts automatically upon system restart. The cybersecurity company also identified two Windows executables on the hacked site, raising the possibility that the attackers are also targeting Microsoft’s desktop operating system.
It is worth noting that attacks distributing the Linuxsys miner previously leveraged a critical security flaw in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8), as recorded by Fortinet FortiGuard Labs in September 2024.
Interestingly, the shell script retrieved following exploitation of that flaw was downloaded from RepositoryLinux[.]com and contains comments in its source code written in Sundanese, an Indonesian language. The same shell script was detected in the wild as far back as December 2021.

Some of the other vulnerabilities that have been exploited in recent years to deliver the miner are:
CVE-2023-22527, a template injection vulnerability in Atlassian Confluence Data Center and Confluence Server
CVE-2023-34960, a command injection vulnerability in Chamilo Learning Management System (LMS)
CVE-2023-38646, a command injection vulnerability in Metabase
CVE-2024-0012 and CVE-2024-9474, authentication bypass and privilege escalation vulnerabilities in Palo Alto Networks firewalls
“All of this shows that attackers are running long-term campaigns and employ consistent technologies such as N-day exploitation, staging content from compromised hosts, and coin mining on victim machines,” Vulncheck said.
“Part of their success comes from careful targeting. They seem to avoid low-interaction honeypots and require high interaction to observe their activity. Combined with the use of compromised hosts for the distribution of malware, this approach has largely helped the attackers avoid scrutiny.”
GhostContainer Backdoor Targets Exchange Servers
The development comes as Kaspersky revealed details of a campaign targeting government agencies in Asia that exploited an N-day security flaw in Microsoft Exchange Server to deploy a backdoor called GhostContainer. The attack is suspected to have exploited CVE-2020-0688 (CVSS score: 8.8), a now-patched remote code execution bug in Exchange Server.

The Russian company said the “sophisticated multifunctional backdoor” can be “expanded dynamically with any function” by downloading additional modules, adding that “the backdoor gives attackers full control over the Exchange server and allows them to perform a variety of malicious activities.”
The malware is equipped to parse instructions that run shellcode, download files, read and delete files, execute arbitrary commands, and load additional .NET bytecode. It also includes a web proxy and tunnel module.
The activity is suspected to be part of an advanced persistent threat (APT) campaign targeting high-value organizations, including high-tech companies in Asia.
Little is known about the actor behind the attack, but it is assessed to be highly skilled, given its detailed understanding of Microsoft Exchange Server and its ability to turn publicly available code into advanced espionage tools.
“The GhostContainer backdoor is [command-and-control] … Instead, the attacker connects to an externally compromised server, and its control commands are hidden within normal Exchange web requests,” Kaspersky said.