  • New Capoae Malware Infiltrates WordPress Sites and Installs Backdoored Plugin

    aum
    A recently discovered malware campaign has been observed using several tactics to take over internet-exposed machines protected by weak or easy-to-guess administrative credentials, adding them to a network of hosts that mine cryptocurrency for the operators.


    "The malware's primary tactic is to spread by taking advantage of vulnerable systems and weak administrative credentials. Once they've been infected, these systems are then used to mine cryptocurrency," Akamai security researcher Larry Cashdollar said in a write-up published last week.


    The PHP malware, codenamed "Capoae" (short for "Сканирование," the Russian word for "Scanning"), is delivered to hosts as a backdoored version of the WordPress plugin "download-monitor," which the attackers install after brute-forcing the WordPress admin credentials. The attack also deploys a Golang binary with built-in decryption functionality; the obfuscated payloads it decrypts are fetched through the trojanized plugin, which issues a GET request to an actor-controlled domain.


    The Golang binary also carries a routine to decrypt and execute additional payloads, and it spreads on its own: it exploits multiple remote code execution flaws in Oracle WebLogic Server (CVE-2020-14882), NoneCms (CVE-2018-20062), and Jenkins (CVE-2019-1003029 and CVE-2019-1003030), and separately brute-forces SSH logins, with the end goal of launching the XMRig mining software on each compromised host.


    What's more, the attack chain stands out for its persistence tricks. On execution, the malware picks a legitimate-looking system path on disk where system binaries are normally found, generates a random six-character filename, copies itself to that location under the new name, and then deletes the original file it was run from, so that the only remaining copy blends in among ordinary system executables.

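    The persistence trick described above can be hunted for on disk. The following is an added example, not code from the original article or from Akamai: it walks the directories where system binaries live, flags executables whose name is six random-looking characters, and suppresses names that appear in a package-manager manifest (the "known names" set). The directory list, the character class for the random name, and the sample files are assumptions constructed for this example.

```python
import os
import re
import stat
import tempfile

# Directories where a dropped copy would blend in with system binaries.
# This list is an assumption for the example; extend it for your hosts.
SYSTEM_BIN_DIRS = ["/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin"]

# A random six-character filename as described in the write-up. Lower-case
# alphanumerics are assumed here; widen the class if your hunt finds others.
RANDOM_NAME = re.compile(r"^[a-z0-9]{6}$")


def is_executable_file(path):
    """True for a regular file with the owner-execute bit set (symlinks excluded)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IXUSR)


def hunt_random_binaries(directories, known_names):
    """Return paths of executables whose name matches RANDOM_NAME and is not
    in `known_names` (the filenames your package manager says it installed).
    Legitimate six-letter tools such as `whoami` are only suppressed through
    that allowlist, which is why it matters."""
    hits = []
    for d in directories:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if (RANDOM_NAME.match(name)
                    and name not in known_names
                    and is_executable_file(path)):
                hits.append(path)
    return hits


def build_sample_tree():
    """Constructed sample (not a real host): a fake usr/bin holding two
    legitimate six-letter tools, a non-executable text file and one dropped
    binary with a random name. Returns (bindir, path_of_dropped_binary)."""
    root = tempfile.mkdtemp(prefix="capoae_hunt_")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name in ["python", "whoami", "x7k2pq", "readme.txt"]:
        p = os.path.join(bindir, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        if name != "readme.txt":
            os.chmod(p, 0o755)
    return bindir, os.path.join(bindir, "x7k2pq")


if __name__ == "__main__":
    bindir, dropped = build_sample_tree()
    # Package manifest for the sample host (assumed); on a real Debian host
    # build it from `dpkg-query -L` output, on RPM hosts from `rpm -qal`.
    manifest = {"python", "whoami"}
    for hit in hunt_random_binaries([bindir], manifest):
        print("suspicious binary:", hit)
```

    On a real host, pass `SYSTEM_BIN_DIRS` instead of the sample directory and feed `known_names` from the package database, then cross-check any hit against running processes (`ps -eo pid,comm,args`) and CPU consumption, since the dropped copy is what ultimately runs the miner.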

    "The Capoae campaign's use of multiple vulnerabilities and tactics highlights just how intent these operators are on getting a foothold on as many machines as possible," Cashdollar said. "The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here."


    "Don't use weak or default credentials for servers or deployed applications," Cashdollar added. "Ensure you're keeping those deployed applications up to date with the latest security patches and check in on them from time to time. Keeping an eye out for higher than normal system resource consumption, odd/unexpected running processes, suspicious artifacts and suspicious access log entries, etc., will help you potentially identify compromised machines."


    Source
