A sophisticated Linux malware campaign, uncovered in March 2024, was found targeting vulnerable servers through exploitation of the Apache2 web server. Throughout the campaign the attackers demonstrated advanced knowledge of Linux systems, continuously adapting their malware and tactics to avoid detection while maximizing the use of compromised system resources for cryptocurrency mining and DDoS operations. Their tooling was masqueraded as kernel processes to evade detection, and remote operations relied on C2 channels, Telegram bots, and cron jobs.

For system reconnaissance the attackers used pspy64, and they attempted to deploy custom binaries named 'apache2' and 'apache2v86' containing XOR-encoded strings, though these ran into execution issues. After failing to escalate privileges to root, they established persistence as the www-data user, using GSOCKET, a tool for encrypted communication, to open an SSL connection disguised as a kernel process named "[mm_percpu_wq]". They also set up a cron job that downloaded and executed a script named "ifindyou" every minute.

A further script communicated with a remote server at gcp.pagaelrescate[.]com over HTTP POST and GET requests to automate a gambling process, incorporating delays to mimic human behavior. It included functions for user authentication ('obteneruid'), data transmission ('enviardatos'), simulating betting ('hacerjugada'), and handling bonus rounds ('completarbono'). A potential Bitcoin/XMR mining scheme involving gambling APIs suggested money laundering activity.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 01 Oct 2024 05:00:25 +0000