This cryptocurrency mining malware now disables security software to help remain undetected

Cryptojacking campaign targets Linux servers that haven't had patches for known vulnerabilities applied.
Written by Danny Palmer, Senior Writer

A form of cryptojacking malware has added the ability to disable cloud security software to help avoid detection and increase its chance of illicitly mining for cryptocurrency without being discovered.

It's the first time this attack technique has ever been seen, said the researchers at security company Palo Alto Networks' research division Unit 42 who've detailed the technical capabilities of the campaign.

Cryptocurrency mining malware remains one of the most common threats to internet-connected machines -- ranging from IoT devices, to computers, all the way up to server farms.

This particular family of Monero cryptomining malware -- which appears to be related to Xbash -- targets public cloud infrastructure running on Linux servers, gaining administrative control over the hosts and forcing it to uninstall security products in the same way a legitimate admin would.

But it isn't all forms of security software that the malware targets in this way: it seeks out five different cloud security products by Chinese firms Tencent and Alibaba in what looks to be specially selected targeting.

The malware is delivered by exploiting known vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion. One example of how this works is that attackers can exploit Oracle WebLogic vulnerability CVE-2017-10271 in Linux to install a backdoor on the system and use it to download crypojacking malware.

As well as running the miner, the malware can also kill any other cryptojacking processes that might already be exploiting the target -- a common tactic used by those deploying cryptocurrency mining malware to root out the competition.

But the trump card for this attack is how it's capable of evading detection from cloud security services by shutting them down. The malware is specially built to not exhibit any malicious behaviours when it first arrives on the system. And it avoids suspicion because it follows procedures detailed on the service provider's websites as to how to uninstall the Cloud Host Security product.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Researchers say the campaign uses the same kind of Linux coin mining malware as as the Rocke cyber crime group -- also known as Iron -- which has been very active in recent years. Researchers at Cisco Talos have previously referred to the group as 'the champion of Monero miners' and have suggested that the operation is Chinese-speaking.

One of the reasons Rocke is able to flourish is because some administrators aren't applying patches that have been released to counter known vulnerabilities.

"The vulnerabilities for these products have been patched by the vendors, but the Rocke group took advantage of the fact that some administrators hadn't deployed those patches," Ryan Olson, vice president for threat intelligence at Palo Alto Networks' Unit 42 told ZDNet.

"This evolution indicates that attackers who are compromising hosts operating in cloud platforms are now attempting to evade security products that are specific to those platforms," he added.

Unit 42 has detailed the Indicators of Compromise for the malware in their technical analysis of the campaign -- but a good way to avoid infection in the first place is to ensure systems are up to date and all the latest patches have been applied.


Editorial standards