A new cyber-criminal group that is believed to operate out of China has been hacking into Linux servers since last fall and installing a new strain of malware that mines cryptocurrency.
Discovered by security researchers at Intezer, this new group, which they named Pacha Group, hasn't targeted Linux servers directly, but the apps that run on top of them.
Experts say Pacha Group hackers use brute-force attacks to compromise services like WordPress or phpMyAdmin, and once they have an initial foothold, they escalate their access to the underlying server, where they deploy their malware, which Intezer has named Linux.GreedyAntd (hereinafter Antd).
A report by a Chinese security researcher places the first sighting of Antd in mid-September 2018. Intezer says the malware's source code overlaps with the source code of another malware strain discovered in January this year and named Linux.HelloBot, also used by the Pacha Group.
Signs point to hackers developing and testing the malware in parallel and then sticking with Antd for current operations.
According to Intezer's technical deep dive into the malware's inner workings, Antd is a complex piece of code built around a modular structure and designed to work with multiple command and control servers.
"We can assume that the main reason for having such a broad infrastructure involving a large number of components is to make it more resilient to server shutdowns as well as to provide a factor of modularity," the Intezer team said.
"Furthermore, having this amount of components interconnected with each other also implies investing a much greater effort in order to clean a given compromised system."
Clean-up operations are also made difficult because Antd doesn't necessarily behave like most Linux malware. It doesn't use a disguised cron job to gain persistence on infected systems, but instead adds a systemd service that mimics the legitimate mandb service. Unless investigators know what they're looking for, Antd's backdoor is hard to spot, and servers will most likely get reinfected over and over again.
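A look-alike systemd unit is only hard to spot if nobody compares it with what the real man-db maintenance job looks like. The script below is an added example (not Intezer's tooling and not from the report) that parses systemd unit files with Python's configparser and flags any unit whose name resembles mandb but whose file lives outside the vendor unit directories, whose ExecStart points somewhere other than the packaged binary, or which asks for restart behaviour that a one-shot index job has no use for. The expected binary path, vendor directories and the two sample units are assumptions and constructed data for a Debian/Ubuntu-style host; adjust them for other distributions.

```python
"""Flag systemd units that impersonate the man-db maintenance job.

Added example, not Intezer's code. Heuristics: unit file location,
ExecStart target, and Restart= policy. Sample units are constructed.
"""
import configparser
import glob
import os
import re
import shlex
from dataclasses import dataclass, field

# Assumptions for a Debian/Ubuntu-style host; adjust for other distributions.
PACKAGE_UNIT_DIRS = ("/lib/systemd/system", "/usr/lib/systemd/system")
EXPECTED_MANDB_BINARY = "/usr/bin/mandb"
SUSPECT_PATH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/.", "/home/")
LOOKALIKE = re.compile(r"man-?db", re.IGNORECASE)


@dataclass
class Finding:
    unit_path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_unit(text: str) -> configparser.ConfigParser:
    """systemd units are INI-like; '%' specifiers need interpolation off."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as systemd writes it
    cp.read_string(text)
    return cp


def exec_start_binary(cp):
    """Return the executable named by ExecStart, minus systemd's prefix chars (-, @, +, !, :)."""
    if not cp.has_option("Service", "ExecStart"):
        return None
    parts = shlex.split(cp.get("Service", "ExecStart").strip())
    return parts[0].lstrip("-@+!:") if parts else None


def assess_unit(unit_path: str, text: str) -> Finding:
    f = Finding(unit_path)
    if not LOOKALIKE.search(os.path.basename(unit_path)):
        return f  # not a man-db look-alike; out of scope for this check
    cp = parse_unit(text)
    # 1. Package-managed units live in the vendor directories; a copy in /etc is unusual.
    if not unit_path.startswith(PACKAGE_UNIT_DIRS):
        f.reasons.append(f"unit file outside vendor directories: {unit_path}")
    # 2. The real job runs the packaged mandb binary and nothing else.
    binary = exec_start_binary(cp)
    if binary is None:
        f.reasons.append("no ExecStart")
    elif binary != EXPECTED_MANDB_BINARY:
        f.reasons.append(f"ExecStart runs {binary}, expected {EXPECTED_MANDB_BINARY}")
        if binary.startswith(SUSPECT_PATH_PREFIXES):
            f.reasons.append("binary lives in a world-writable, hidden or home directory")
    # 3. An index job is one-shot; Restart=always is what a persistence unit wants.
    restart = cp.get("Service", "Restart", fallback="no")
    if restart.lower() in ("always", "on-failure"):
        f.reasons.append(f"Restart={restart} on a maintenance-style unit")
    return f


def scan_host(dirs=("/etc/systemd/system",) + PACKAGE_UNIT_DIRS):
    """Read real unit files from the host and return only the suspicious findings."""
    findings = []
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.service")):
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.append(assess_unit(path, fh.read()))
            except OSError:
                continue
    return [f for f in findings if f.suspicious]


# Constructed samples for the demonstration, not files recovered from an infected host.
LEGIT_UNIT = """\
[Unit]
Description=Daily man-db regeneration

[Service]
Type=oneshot
ExecStart=/usr/bin/mandb --quiet
User=man
"""

FAKE_UNIT = """\
[Unit]
Description=Daily man-db regeneration
After=network.target

[Service]
Type=simple
ExecStart=/var/tmp/.cache/mandb
Restart=always

[Install]
WantedBy=multi-user.target
"""


def demo():
    good = assess_unit("/lib/systemd/system/man-db.service", LEGIT_UNIT)
    bad = assess_unit("/etc/systemd/system/mandb.service", FAKE_UNIT)
    return good, bad


if __name__ == "__main__":
    for f in demo():
        print(("SUSPICIOUS" if f.suspicious else "ok").ljust(11), f.unit_path)
        for r in f.reasons:
            print("   -", r)
```

Running `scan_host()` on a live system is the practical use; `systemctl cat man-db.service` then shows which file systemd is actually loading, and `dpkg -S` or `rpm -qf` on that path confirms whether a package owns it. A unit named exactly like the vendor one but placed in /etc/systemd/system overrides the packaged unit, which is why the location check matters as much as the ExecStart check.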
Furthermore, Pacha Group also appears to have known what they were doing when they created the crypto-mining component.
Intezer says this Antd module is a modified XMRig variant that uses the Stratum mining protocol, but instead of storing local config files, it uses a proxy service to hide its settings and wallet address. This makes tracking Pacha Group's operations and profits much harder when compared to the multitude of other crypto-mining malware groups.
On top of this, the crypto-mining component also comes with a "kill list" of processes of other crypto-miners, but this isn't the first time such a feature has been spotted [1, 2].
For now, Linux server owners should be aware that this threat is out there. The hackers might not be attacking their systems directly, but admins need to make sure the apps they run on their servers are kept up to date and don't use default or easy-to-guess passwords for their management accounts.
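Because the initial foothold described above is a brute-force attack on web application logins rather than on the server itself, the web server's access log is where it shows up first. The following is an added example (not from Intezer or the article) that reads Apache/nginx combined-format log lines, counts POSTs to the WordPress and phpMyAdmin login endpoints per source address within a sliding window, raises an alert when the count crosses a threshold, and then flags a subsequent redirect from an already-alerted address as a possible successful login. The endpoint paths, the threshold, the assumption that WordPress answers a failed login with 200 and a successful one with a 302, and the sample log lines are all constructed for this demonstration.

```python
"""Sliding-window login brute-force detector for combined-format access logs.

Added example; endpoint list, threshold and sample lines are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed login endpoints for the two apps the article names.
LOGIN_PATHS = ("/wp-login.php", "/phpmyadmin/index.php")
THRESHOLD = 10                  # POSTs to a login endpoint ...
WINDOW = timedelta(minutes=5)   # ... within this window trigger an alert


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_login_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Yield one 'burst' alert per offending IP, plus one 'possible_success' if it later gets a redirect."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs inside the window
    alerted, succeeded, alerts = set(), set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()                      # drop attempts older than the window
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "kind": "burst", "count": len(q),
                           "path": ev["path"], "at": ev["ts"]})
        # Assumption: a redirect after many attempts means a password finally worked.
        if ev["ip"] in alerted and ev["ip"] not in succeeded and ev["status"] in (301, 302, 303):
            succeeded.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "kind": "possible_success",
                           "path": ev["path"], "at": ev["ts"]})
    return alerts


def make_sample_log():
    """Constructed log: one noisy guesser on a documentation-range IP, one normal user."""
    base = datetime(2019, 2, 1, 3, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST {path} HTTP/1.1" {status} 4321 "-" "Mozilla/5.0"'

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = [fmt.format(ip="203.0.113.7", ts=stamp(10 * i), path="/wp-login.php", status=200)
             for i in range(12)]                                  # 12 failed guesses
    lines.append(fmt.format(ip="203.0.113.7", ts=stamp(130), path="/wp-login.php", status=302))
    lines.append(fmt.format(ip="198.51.100.4", ts=stamp(140), path="/wp-login.php", status=302))
    lines.append(fmt.format(ip="198.51.100.4", ts=stamp(150), path="/index.php", status=200))
    return lines


if __name__ == "__main__":
    for a in detect_login_bruteforce(make_sample_log()):
        print(a["at"].isoformat(), a["ip"], a["kind"], a.get("count", ""), a["path"])
```

The window is per source address, so a slow distributed campaign that spreads guesses across many addresses will stay under the threshold; pairing this with rate limiting at the web server and non-default credentials on the admin accounts, as the article advises, covers that gap better than tuning the threshold down.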