Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks

Jul 25, 2025 · Ravie Lakshmanan · Malware / Cloud Security

Cross-Platform Cryptomining Attacks

Researchers have uncovered two separate malware campaigns that exploit vulnerabilities and misconfigurations in cloud environments to distribute cryptocurrency miners.

The first campaign, named Soco404, and the second one, named Koske, have been identified by cloud security companies Wiz and Aqua, respectively.

Soco404 targets Linux and Windows systems by deploying malware specific to each platform, disguising malicious activity as legitimate system processes through process masquerading, as explained by Wiz researchers Maor Dokhanian, Shahar Dorfman, and Avigayil Mechtinger in a blog post.

The attackers embedded payloads in fake 404 HTML pages hosted on Google Sites-built websites, which have since been removed by Google.

The campaign, which previously targeted Apache Tomcat services with weak credentials and vulnerable Apache Struts and Atlassian Confluence servers using the Sysrv botnet, is part of a broader crypto-scam infrastructure involving fraudulent cryptocurrency trading platforms, according to Wiz.


The latest campaign also targets publicly accessible PostgreSQL instances and compromises Apache Tomcat servers to host the Linux- and Windows-specific payloads. The attackers have even used a legitimate Korean transportation website for malware delivery.

After gaining initial access, the attackers exploit PostgreSQL’s COPY … FROM PROGRAM SQL command for remote code execution. They use a variety of ingress tools, such as wget and curl on Linux and certutil and PowerShell on Windows, indicating an opportunistic strategy.

On Linux systems, a dropper shell script is executed in memory to download and launch a next-stage payload, while terminating competing miners and overwriting logs to evade detection. The payload contacts an external domain for the miner.

On Windows, the attackers download and execute a binary that embeds the miner and a driver to obtain system privileges, along with stopping the Windows event log service and self-deleting to avoid detection.

The discovery of Soco404 coincides with the emergence of Koske, a new Linux threat that uses images of pandas to propagate the malware and that was developed with the help of a large language model (LLM).


Koske exploits a misconfigured server to install scripts from JPEG images, including a rootkit and a shell script that downloads cryptocurrency miners in memory to avoid detection.


Koske aims to deploy CPU- and GPU-optimized cryptocurrency miners that use the host's resources to mine various coins, such as Monero, Ravencoin, and Zano.

Aqua researcher Assaf Morag explained that the malware uses polyglot files with malicious payloads hidden at the end of valid JPG files, executing them in memory to bypass antivirus tools.

This technique, known as polyglot file abuse, lets the malware evade detection because only the malicious segment appended to the image is ever executed, making it a subtle form of malware propagation.
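Because Koske's payloads sit after the end of an otherwise valid JPG, one defensive check is to walk the JPEG marker structure and flag any bytes past the real End-Of-Image marker. The following Python is an added example, not code from Aqua, Wiz or the campaigns described; the sample JPEG bytes are constructed inline, the trailer heuristic is an assumption, and the appended "payload" is a harmless placeholder script.

```python
import struct
EOI, SOS = 0xD9, 0xDA

def jpeg_trailing_data(data: bytes) -> bytes:
    """Return every byte after the real End-Of-Image marker (FF D9), walking the
    segment structure: an EXIF thumbnail in APP1 is a full JPEG with its own EOI,
    so a naive first-FF-D9 search stops early and misreports the image body."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return data[pos:]
        if 0xD0 <= marker <= 0xD7:         # RSTn: standalone, no length field
            continue
        (seg_len,) = struct.unpack(">H", data[pos:pos + 2])
        pos += seg_len                     # length covers its own 2 bytes
        if marker == SOS:                  # skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")
def classify_trailer(trailer: bytes) -> str:
    """Coarse label for appended data (heuristic assumed here, not Aqua's)."""
    head = trailer.lstrip()
    if not head:
        return "clean"
    return "script" if head.startswith(b"#!") else "unknown-trailer"

def naive_trailer(data: bytes) -> bytes:   # for contrast: breaks on EXIF thumbnails
    return data[data.find(b"\xff\xd9") + 2:]

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: minimal JPEG skeleton with an EXIF thumbnail (its own
# FF D9) in APP1, one scan, and a harmless appended script as the "payload".
_SCAN = _segment(SOS, b"\x01\x00\x00\x3f\x00")
THUMB = b"\xff\xd8" + _SCAN + b"\x12\x34\xff\xd9"
CLEAN_JPEG = b"\xff\xd8" + _segment(0xE1, b"Exif\x00\x00" + THUMB) + _SCAN + b"\x00\xff\x00\x7f\xff\xd9"
POLYGLOT_JPEG = CLEAN_JPEG + b"\n#!/bin/bash\necho constructed-placeholder\n"
```

Run the walker over image uploads or web-served JPGs: a non-empty trailer on a file that renders fine is exactly the polyglot pattern described above, and the naive search would have produced a false positive on any photo carrying an EXIF thumbnail.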