Connect with us

Hi, what are you looking for?


Malware & Threats

Linux Malware Campaign Targets Misconfigured Cloud Servers

A new malware campaign has been observed targeting misconfigured Apache Hadoop, Confluence, Docker, and Redis instances.

A cryptojacking campaign involving Linux malware is targeting misconfigured Apache Hadoop, Confluence, Docker, and Redis instances with new and unique malicious payloads, cybersecurity firm Cado Security warns.

As part of the campaign, the attackers employ four new Golang payloads to automate the discovery and exploitation of vulnerable hosts, as well as a reverse shell and multiple user-mode rootkits to hide their presence.

In attacks targeting Docker, the threat actors used a command to spawn a new container and created a bind mount for the server’s root directory that allowed them to write an executable used to establish a connection to the attackers’ command-and-control (C&C) and to retrieve a first-stage payload from it.

The payload is a shell script that can define a C&C hosting additional payloads, check for the existence of a utility and rename it, install and rename the utility if it does not exist, and determine if root access is available and fetch a payload based on that.

The attackers were also seen deploying a second shell script for the delivery of an XMRig miner, a script, and various utilities, including ‘masscan’ for host discovery. The shell script also deletes shell history and weakens the machine by disabling SELinux and other functions and by uninstalling monitoring agents.

The script was also seen deploying the ‘libprocesshider’ and ‘diamorphine’ user-mode rootkits to hide malicious processes. The use of these rootkits resembles a recently observed Migo malware campaign targeting Redis servers.

Furthermore, the script can insert an attacker-controlled SSH key and register systemd services for persistence, retrieve the open source Golang reverse shell utility Platypus, discover SSH keys and spread malware via SSH commands, and deploy an additional binary.

The Golang payloads deployed in these attacks allow attackers to search for Docker images from the Ubuntu or Alpine repositories and delete them, and identify and exploit misconfigured or vulnerable Hadoop, Confluence, Docker, and Redis instances exposed to the internet.

Advertisement. Scroll to continue reading.

In attacks targeting Confluence servers, the threat actors were seen exploiting CVE-2022-26134, a critical remote code execution flaw patched in June 2022, when it was already exploited as a zero-day.

“This extensive attack demonstrates the variety in initial access techniques available to cloud and Linux malware developers. It’s clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments,” Cado notes.

Related: ‘Leaky Vessels’ Container Escape Vulnerabilities Impact Docker, Others

Related: MySQL Servers, Docker Hosts Infected With DDoS Malware

Related: P2PInfect: New Peer-to-Peer Worm Targeting Redis Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.