Recent samples of the destructive Xbash Linux malware can uninstall cloud security protection products from infected servers, Palo Alto Networks reports.
First detailed last year, the malware features a broad set of malicious capabilities, ranging from ransomware and crypto-currency mining to self-propagation, database deletion, and the enrolling of compromised servers into a botnet.
The malware is used by a group referred to as Rocke, which is associated with the Iron cybercrime group. More recent samples of Xbash include new code to uninstall five different cloud security protection and monitoring products from infected Linux servers, Palo Alto Networks’ security researchers say.
As part of the attacks, the malware first gains full administrative control over the hosts and abuse those rights to uninstall said products just as a legitimate administrator would. The targeted products are developed by Tencent Cloud and Alibaba Cloud (Aliyun).
“To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products,” Palo Alto Networks notes.
The Rocke threat actor is mainly focused on mining the Monero cryptocurrency on compromised Linux machines. For that, the group targets vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion to compromise systems and install their malicious code.
After establishing a connection to the command and control (C&C) server, the first stage malware downloads a shell script to achieve persistence, kill other crypto mining processes, block other crypto mining malware, uninstall agent-based cloud security products, fetch and run UPX packed coin miner, hide the process from Linux ps command, and adjust malicious file date time.
The attack reveals a new set of threats targeting the Cloud Workload Protection Platforms (CWPPs) market defined by Gartner (agent-based workload-centric security protection solutions), Palo Alto Networks points out.
Cloud service providers develop their own CWPPs to mitigate malware attacks on public cloud infrastructure (third-party cybersecurity companies also provide CWPPs), but threat actors attempt to evade these products.
Rocke’s malware initially only attempted to kill the Tencent Cloud Monitor process, but now it uninstalls cloud security products by Alibaba Cloud and Tencent Cloud, to ensure that agent-based cloud security products can’t detect its malicious behavior.
Both Alibaba Cloud and Tencent Cloud provide customers with details on the uninstallation procedure for their products, and the Xbash malware follows those steps, the security researchers reveal. As soon as the uninstallation has been completed, the malware starts its nefarious routines.
“We believe this unique evasion behavior will be the new trend for malware which targets public cloud infrastructure,” Palo Alto Networks says.
Related: Destructive Xbash Linux Malware Targets Enterprise Intranets