SOCO404 and Koske malware target cloud services with cross-platform encryption attacks

July 25th, 2025Ravi LakshmananMalware/Cloud Security

[Image: Cross-Platform Cryptocurrency Attacks]

Threat hunters have disclosed two separate malware campaigns that deliver cryptocurrency miners by targeting vulnerabilities and misconfigurations across cloud environments.

The threat activity clusters have been named SOCO404 and Koske by cloud security companies Wiz and Aqua, respectively.

SOCO404 “targets both Linux and Windows systems and deploys platform-specific malware,” said Wiz researchers Maor Dokhanian, Shahar Dorfman, and Avigayil Mechtinger. “They use masquerading to disguise malicious activity as legitimate system processes.”

The name refers to the fact that the payloads are embedded in fake 404 HTML pages hosted on websites built with Google Sites. The fake sites have since been taken down by Google.

Wiz assesses that this campaign was previously observed going after Apache Tomcat services with weak credentials, as well as susceptible Apache Struts and Atlassian Confluence servers, using the Sysrv botnet.

The latest campaign has also been found to target publicly accessible PostgreSQL instances, with the attackers abusing a compromised Apache Tomcat server to host payloads tailored to both Linux and Windows environments. The attackers also hacked a legitimate Korean transportation website to deliver the malware.

Once initial access is obtained, the PostgreSQL COPY ... FROM PROGRAM SQL command is abused to execute arbitrary shell commands on the host and achieve remote code execution.
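From the defender's side, the COPY ... FROM PROGRAM abuse described above leaves a clear trace in the PostgreSQL server log when statement logging is enabled. The following scanner is an added example, not code from the article or from Wiz; it runs over a few constructed log lines (the timestamps, backend PIDs and client addresses are made up) and flags two things: any COPY statement that invokes PROGRAM, and any client connection from outside an allowlist of internal address ranges. The `INTERNAL_NETS` allowlist and the log line layout are assumptions that would need to match your own `log_line_prefix` and network.

```python
import ipaddress
import re

# Constructed sample PostgreSQL log lines (not from the article). The prefix
# "%t [%p]" gives timestamp and backend PID; the rest is standard server output
# produced by log_connections = on and log_statement = 'all'.
SAMPLE_LOG = """\
2025-07-25 10:01:02 UTC [1201] LOG:  connection received: host=10.0.0.5 port=51244
2025-07-25 10:01:03 UTC [1201] LOG:  statement: SELECT count(*) FROM orders
2025-07-25 10:02:10 UTC [1202] LOG:  connection received: host=203.0.113.44 port=40211
2025-07-25 10:02:11 UTC [1202] LOG:  statement: COPY cmd_out FROM PROGRAM 'id'
2025-07-25 10:02:12 UTC [1202] LOG:  statement: COPY (SELECT 1) TO PROGRAM 'uname -a'
"""

# Assumed allowlist: clients outside these ranges are treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

PID_RE = re.compile(r"\[(\d+)\]")
HOST_RE = re.compile(r"connection received: host=(\S+)")
# COPY ... FROM PROGRAM and COPY ... TO PROGRAM both run a shell on the server.
PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE)


def is_external(host):
    """True if the client address is outside the internal allowlist."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # Unix sockets and hostnames are not classified here
    return not any(addr in net for net in INTERNAL_NETS)


def scan_postgres_log(text):
    """Return (finding, backend_pid, client_host) tuples for suspicious lines."""
    findings = []
    client_of = {}  # backend PID -> client host, learned from connection lines
    for line in text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid = m.group(1)
        host_m = HOST_RE.search(line)
        if host_m:
            client_of[pid] = host_m.group(1)
            if is_external(host_m.group(1)):
                findings.append(("external_client", pid, host_m.group(1)))
        if PROGRAM_RE.search(line):
            findings.append(("copy_program", pid, client_of.get(pid, "unknown")))
    return findings


if __name__ == "__main__":
    for finding in scan_postgres_log(SAMPLE_LOG):
        print(finding)
```

Two practical notes: `log_statement = 'mod'` records COPY FROM but not COPY TO, so the TO PROGRAM variant only appears with `log_statement = 'all'`; and COPY ... PROGRAM requires superuser rights or membership in `pg_execute_server_program`, so an application role that has neither cannot be used this way even if its credentials leak.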

“It appears that the attackers behind SOCO404 are running automated scans of exposed services with the aim of exploiting accessible entry points,” Wiz said. “The use of a wide range of ingress tools, including Linux utilities such as wget and curl, and Windows-native tools such as certutil and PowerShell, highlights an opportunistic strategy.”

On Linux systems, a dropper shell script runs directly in memory, downloading and launching the next-stage payload, while also overwriting cron- and wtmp-related logs and terminating competing miners, steps taken to maximize financial gain and limit forensic visibility.

The next-stage payload is a binary that acts as a miner loader and contacts an external domain (“www.fastsoco[.]TOP”) that is hosted on Google Sites.

The Windows attack chain uses commands issued after initial exploitation to download and run a Windows binary which, like its Linux counterpart, is a loader that embeds both the miner and the WinRing0.sys driver.

Additionally, the malware attempts to stop the Windows Event Log service and runs a self-deletion command to avoid detection.

“Attackers don’t rely on a single method or operating system; they deploy whatever tools or techniques can be used in the environment to cast a wide net and deliver payloads,” the company said. “This flexible approach is a hallmark of broad, automated cryptojacking campaigns focused on maximizing reach and persistence across various targets.”

The discovery of SOCO404 dovetails with the emergence of a new Linux threat, Koske, suspected to have been developed with the help of a large language model (LLM) and found to propagate its malware using seemingly harmless images of pandas.

The attack starts with the exploitation of misconfigured servers such as JupyterLab and retrieves various scripts from two JPEG images, including a C-based rootkit, which is used to hide malware-related files using LD_PRELOAD, and a shell script that ultimately downloads cryptocurrency miners to the infected system. Both payloads are run directly in memory to avoid leaving traces on disk.
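An LD_PRELOAD rootkit of the kind described above works by being injected into every dynamically linked process, either through the LD_PRELOAD environment variable or through /etc/ld.so.preload, which the dynamic loader reads as a whitespace-separated list of shared objects. The audit below is an added example, not code from the article or from Aqua: it checks both sources for libraries loaded from outside package-managed library directories. The sample /etc/ld.so.preload contents and the /proc/<pid>/environ byte blocks are constructed, and the `TRUSTED_PREFIXES` list is an assumption to adjust for your distribution.

```python
import os

# Constructed sample inputs (not from the Aqua report): the contents of
# /etc/ld.so.preload and the NUL-separated environment blocks of two processes
# in the layout used by /proc/<pid>/environ.
SAMPLE_PRELOAD_FILE = "/usr/lib/libfakeroot.so\n/tmp/.hid/libsystem.so\n"
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\x00LD_PRELOAD=/tmp/.hid/libsystem.so\x00HOME=/root\x00",
    1235: b"PATH=/usr/bin\x00HOME=/home/app\x00",
}

# Assumed: directories where package-managed libraries live. Anything
# preloaded from /tmp, /dev/shm or a home directory deserves a closer look.
TRUSTED_PREFIXES = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/")


def parse_preload_file(text):
    """ld.so treats /etc/ld.so.preload as a whitespace-separated object list."""
    return text.split()


def preload_from_environ(environ):
    """Extract the LD_PRELOAD entries from a /proc/<pid>/environ-style block.
    The variable accepts colon- or space-separated paths."""
    for entry in environ.split(b"\x00"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode("utf-8", "replace")
            return value.replace(":", " ").split()
    return []


def is_untrusted(path):
    return not path.startswith(TRUSTED_PREFIXES)


def audit(preload_text, environs):
    """Return (source, pid, library) tuples for untrusted preloads."""
    findings = []
    for lib in parse_preload_file(preload_text):
        if is_untrusted(lib):
            findings.append(("/etc/ld.so.preload", None, lib))
    for pid, env in environs.items():
        for lib in preload_from_environ(env):
            if is_untrusted(lib):
                findings.append(("LD_PRELOAD", pid, lib))
    return findings


def collect_live():
    """Gather the same two inputs from a running Linux host (best effort;
    processes you cannot read are skipped)."""
    try:
        with open("/etc/ld.so.preload") as f:
            preload_text = f.read()
    except OSError:
        preload_text = ""
    environs = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/environ", "rb") as f:
                    environs[int(entry)] = f.read()
            except OSError:
                pass
    return preload_text, environs


if __name__ == "__main__":
    for finding in audit(SAMPLE_PRELOAD_FILE, SAMPLE_ENVIRONS):
        print(finding)
```

One caveat for live use: a preload rootkit can hook the file and directory functions of the very process running this audit, hiding its own library from `open()` and `listdir()`. Running the check from a statically linked binary, or from a rescue environment where the suspect root is mounted but its loader is not in use, avoids that blind spot.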

[Image: Cross-Platform Cryptocurrency Attacks]

Koske’s ultimate goal is to deploy CPU- and GPU-optimized cryptocurrency miners that use the host’s computational resources to mine 18 different coins, including Monero, Ravencoin, Zano, Nexa, Tari and more.

“These images are polyglot files, with malicious payloads added to the end. When downloaded, the malware extracts and runs malicious segments in memory, bypassing antivirus tools,” says Assaf Morag, a researcher at Aqua.

“This technique is not steganography, but rather an abuse of polyglot files or embedding malicious files. This technique uses a valid JPG file with malicious shellcode at the end. Only the last byte is downloaded and executed, resulting in a sly form of polyglot abuse.”
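The polyglot trick described by Aqua relies on the fact that image viewers stop at the JPEG end-of-image marker (FF D9), so anything appended after it is invisible to them. A file scanner can exploit the same property in reverse: walk the marker structure to find the real EOI and report whatever follows. The parser below is an added example and is not Aqua's tooling; it builds a minimal constructed JPEG (SOI, one APP0 segment, one SOS segment with stuffed scan data, EOI) with a harmless constructed script appended, and classifies the trailing bytes. The `describe` helper's labels are my own naming.

```python
import struct

# Constructed minimal JPEG, not a real image: SOI, APP0 (length 16), SOS
# (length 8), a few bytes of fake entropy-coded data containing an FF 00
# stuffing sequence, then EOI. Real decoders stop reading at EOI.
CLEAN_JPEG = (
    b"\xff\xd8"                                                      # SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                     # SOS
    + b"\x12\x34\xff\x00\x56"                                         # scan data
    + b"\xff\xd9"                                                     # EOI
)
# Constructed, harmless trailer standing in for an appended payload.
TRAILER = b"#!/bin/sh\necho constructed payload\n"
POLYGLOT_JPEG = CLEAN_JPEG + TRAILER


def find_jpeg_end(data):
    """Walk the marker structure and return the offset just past the EOI
    marker, or None if the bytes are not a parseable JPEG."""
    n = len(data)
    if n < 4 or data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None                       # a marker must start here
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte
            pos += 1
            continue
        if marker == 0xD9:                    # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:                    # SOS: entropy-coded data follows
            # Inside scan data an FF byte is always followed by 00 (stuffing)
            # or a restart marker, so the next other marker ends the scan.
            while pos + 1 < n:
                if data[pos] != 0xFF:
                    pos += 1
                elif data[pos + 1] == 0x00 or 0xD0 <= data[pos + 1] <= 0xD7:
                    pos += 2
                elif data[pos + 1] == 0xFF:
                    pos += 1
                else:
                    break                     # outer loop handles the marker
    return None


def trailing_payload(data):
    """Bytes after EOI (b'' for a clean file), or None if not a JPEG."""
    end = find_jpeg_end(data)
    return None if end is None else data[end:]


def describe(data):
    """Classify a file: 'not-a-jpeg', 'clean', or ('trailing', size, kind)."""
    tail = trailing_payload(data)
    if tail is None:
        return "not-a-jpeg"
    if not tail:
        return "clean"
    kind = "unknown"
    if tail.startswith(b"#!"):
        kind = "script"
    elif tail.startswith(b"\x7fELF"):
        kind = "elf"
    return ("trailing", len(tail), kind)


if __name__ == "__main__":
    print(describe(CLEAN_JPEG))
    print(describe(POLYGLOT_JPEG))
```

Treat a non-empty tail as a lead rather than a verdict: some cameras and editing tools legitimately append metadata after EOI, so a size threshold and a look at the first bytes of the trailer (shebang, ELF header, shell keywords) separate those from an appended payload. Scanning on ingest, before an image reaches a service like JupyterLab that can fetch and run files, is where this check earns its keep.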