Unveiling Cross-Platform Cryptomining Attacks: The Threats of Soco404 and Koske
Recent Threat Discoveries
Recent findings from cybersecurity experts have brought to light two notable malware campaigns that exploit vulnerabilities in cloud environments to deliver cryptocurrency miners. Named Soco404 and Koske by the security firms Wiz and Aqua, these campaigns highlight the evolving landscape of cyber threats.
Understanding Soco404
Targeting Diverse Operating Systems
Soco404 is designed to target both Linux and Windows platforms, deploying malware tailored specifically for each system. Researchers at Wiz, including Maor Dokhanian, Shahar Dorfman, and Avigayil Mechtinger, note that the attackers utilize process masquerading techniques to cloak their activities, disguising malicious actions as legitimate system processes.
Ingenious Payload Delivery
The malware uses a distinctive tactic: its payloads are embedded within deceptive 404 HTML pages hosted on Google Sites. Google has since taken these fraudulent sites down, but hiding payloads inside what looks like an ordinary error page shows a practical grasp of how web content can be abused to blend in with normal traffic. The campaign has previously targeted vulnerable services such as Apache Tomcat with weak authentication, alongside exploitable Apache Struts and Atlassian Confluence servers through the Sysrv botnet.
Exploiting PostgreSQL and Compromised Servers
Targeting Public Databases
The latest campaigns also include specific actions against publicly accessible PostgreSQL instances. The attackers have used compromised Apache Tomcat servers to distribute payloads for both Linux and Windows systems. In a surprising move, they even compromised a legitimate Korean transportation website to facilitate malware delivery.
Strategies for Remote Code Execution
Once the attackers gain initial access, they leverage PostgreSQL’s COPY … FROM PROGRAM SQL command to execute arbitrary shell commands on the host, effectively achieving remote code execution. According to Wiz, the automated scanning for exposed services points to a thoroughly opportunistic approach. Using a range of ingress tools, Linux utilities (wget, curl) and Windows-native options (certutil, PowerShell), the attackers can pull payloads onto whichever platform they land on, widening the set of systems they can compromise.
The Mechanics of the Attack
Payload Execution on Linux
When targeting Linux systems, the attack begins by executing a dropper shell script directly in memory. This script downloads and launches the next-stage payload and kills competing miners so that the attackers keep the host’s full mining capacity for themselves. To further conceal their activities, they overwrite logs associated with cron and wtmp.
Techniques on Windows Systems
On Windows, the exploitation steps involve downloading and executing a Windows binary. Much like the Linux variant, this binary functions as a loader and incorporates both the miner and a crucial driver, WinRing0.sys, which allows the malware to achieve NT\SYSTEM privileges. The attackers also attempt to halt the Windows event log service and trigger a self-deletion command to evade detection.
The Emergence of Koske
The Newest Player in Cryptomining
The discovery of Soco404 coincides with the emergence of Koske, a new Linux-based threat likely developed with the help of a large language model (LLM). This malware cunningly uses seemingly benign images of pandas to disseminate its payload.
Exploitation of Misconfigured Servers
The Koske attack begins with the exploitation of poorly configured servers, such as JupyterLab. It installs different scripts via two JPEG images, including a C-based rootkit designed to conceal malicious files using LD_PRELOAD. This is complemented by a shell script that downloads cryptocurrency miners directly on the compromised machine.
How Koske Operates
Executing Payloads in Memory
Both payloads are executed directly in memory to avoid leaving traces on disk, a growing trend among sophisticated malware. Koske’s ultimate goal is to deploy CPU- and GPU-optimized cryptocurrency miners, capitalizing on the host system’s resources to mine a variety of cryptocurrencies such as Monero, Ravencoin, and Tari.
Polyglot File Technique
Aqua researcher Assaf Morag describes the unique approach used by Koske, noting that the images are not only valid JPEGs but also polyglot files. The malicious payloads are appended to the end of these files. Once they are downloaded, the malware extracts and executes the harmful segments directly in memory, effectively bypassing conventional antivirus measures.
Conclusion
The developments surrounding Soco404 and Koske illustrate the adaptability and sophistication of modern cyber threats. As these campaigns demonstrate a clear focus on leveraging both cloud environments and complex delivery mechanisms, organizations must remain vigilant in securing their systems against such evolving malware threats.