A new malware campaign has been observed targeting misconfigured instances of Apache Hadoop, Confluence, Docker and Redis
A cryptojacking campaign involving Linux malware is targeting misconfigured instances of Apache Hadoop, Confluence, Docker and Redis with new and unique malicious payloads, warns cybersecurity firm Cado Security.
As part of the campaign, attackers employ four new Golang language payloads to automate the discovery and exploitation of vulnerable hosts, as well as a reverse shell and several user-mode rootkits to hide their presence.
In attacks targeting Docker, threat actors used a command to spawn a new container and created a binding assembly for the server’s root directory that allowed them to write an executable used to establish a connection to the command and control (C&C) of the servers. attackers and to recover a first stage payload from it. The payload is a shell script that can define a C&C hosting additional payloads, check for the existence of a utility and rename it, install and rename the utility if it does not exist, and determine whether root access is available and fetch a payload based on this.
The attackers were also seen deploying a second shell script to deliver an XMRig miner, a script and several utilities including ‘masscan’ for host discovery. The shell script also deletes the shell history and weakens the machine by disabling SELinux and other functions and uninstalling monitoring agents.
The script was also detected deploying the ‘libprocesshider’ and ‘diamorphine’ user-mode rootkits to hide malicious processes. The use of these rootkits resembles a recently observed Migo malware campaign targeting Redis servers.
The Golang payloads deployed in these attacks allow attackers to search for Docker images in Ubuntu or Alpine repositories and delete them, as well as identify and exploit misconfigured or vulnerable Hadoop, Confluence, Docker, and Redis instances exposed to the internet.
In attacks targeting Confluence servers, threat actors were seen exploiting CVE-2022-26134, a critical remote code execution flaw patched in June 2022, when it was already exploited as a zero-day.
Source: CisoAdvisor, CadoSecurity
