A new strain of malware, written in Go, has been spotted in cyberattacks against WordPress and Linux systems.
On Thursday, Larry Cashdollar, senior security researcher at Akamai, said the malware, dubbed Capoae, is written in the Golang programming language – quickly becoming a favorite among threat actors due to its cross-platform capabilities – and is spreading to through known bugs and weak administrative powers.
The vulnerabilities exploited by Capoae include CVE-2020-14882, a remote code execution (RCE) vulnerability in Oracle WebLogic Server, and CVE-2018-20062, another RCE in ThinkPHP.
The malware was spotted after a sample targeted an Akamai honeypot. A sample of PHP malware arrived via a backdoor linked to a WordPress plugin called Download-monitor, installed after the honeypot’s lax credentials were obtained by a brute force attack.
This plugin was then used as a conduit to deploy Capoae’s main payload to / tmp, a 3MB UPX binary, which was then decoded. XMRig is then installed in order to mine the Monero cryptocurrency (XMR).
Along with the cryptocurrency miner, there are also several web shells installed, one of which is capable of downloading stolen files to the compromised system. In addition, a port scanner was provided with the miner to find open ports for further exploitation.
“Once the Capoae malware is executed, it has a pretty clever way of persistence,” says Cashdollar. “The malware first chooses a legitimate-looking system path from a small list of locations on a disk where you are likely to find system binaries. It then generates a random six-character file name and uses those two. items to copy itself to the new location on disk and delete itself. Once done, it injects / updates a Crontab entry that will trigger the execution of this newly created binary. ”
Capoae will attempt to brute force attack WordPress installations to spread and could also use CVE-2019-1003029 and CVE-2019-1003030, both of which are RCE flaws affecting Jenkins, and infections have been traced to Linux servers. .
Cashdollar said the Capoae campaign highlights “how determined these operators are to gain a foothold on as many machines as possible”.
The main signs of infection include high system resource usage, unexpected or unrecognizable running system processes, and strange log entries or artifacts, such as files and SSH keys.
“The good news is that the same techniques that we recommend to most organizations for ensuring system and network security still apply here,” commented Cashdollar. “Do not use weak or default credentials for servers or deployed applications. Make sure to keep those deployed applications up to date with the latest security patches and check them from time to time.”
In a second blog post, Akamai also looked at the evolution of Kinsing, a malware that uses known vulnerabilities in unpatched systems to mine and distribute a cryptocurrency mining botnet.
According to researcher Evyatar Saias, Kinsing was first spotted in February by Akamai and initially only targeted Linux. However, a recent upgrade allowed the botnet to hit Windows systems in the Americas, Asia, and Europe as well.
Prior and related coverage
Do you have any advice? Contact us securely via WhatsApp | Call +447 713 025 499, or Keybase: charlie0