Apache HTTP Server Flaw Exploited to Deliver Linuxsys Cryptocurrency Miner
Cybersecurity researchers have uncovered a new campaign that exploits a known vulnerability in the Apache HTTP Server to deploy a cryptocurrency miner tracked as Linuxsys. The vulnerability, CVE-2021-41773 (CVSS score: 7.5), is a path traversal flaw in Apache HTTP Server version 2.4.49 that can be escalated to remote code execution when CGI scripts are enabled on the affected server. According to a report from VulnCheck shared with The Hacker News, the attackers stage the malware on compromised legitimate websites, a delivery mechanism that is harder to detect than purpose-built attacker infrastructure.
Malware Delivery Methodology
The observed infection chain began earlier this month and was traced back to an Indonesian IP address, 103.193.177[.]152. After exploiting the Apache flaw, the attacker downloads a follow-on payload from "repositorylinux[.]org" using curl or wget. That payload is a shell script that retrieves the Linuxsys miner from five different legitimate websites, indicating that the perpetrators have compromised trusted third-party infrastructure to aid in distribution. VulnCheck pointed out that this approach is particularly effective because victims connect to legitimate hosts presenting valid TLS certificates, which reduces the chance that the downloads are flagged.
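The exploitation step described above leaves a recognisable trace in the web server's own access log: a request whose path segments become ".." only after percent-decoding, which is what Apache 2.4.49 failed to normalise. The following is an added example written for this page, not VulnCheck's tooling and not code from the campaign, showing how to triage Apache "combined" log lines for that shape. It generalises slightly beyond the text by also catching the double-encoded form (.%%32%65) used against the incomplete fix in 2.4.50 (CVE-2021-42013). The log lines, the function names and the RFC 5737 client addresses are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache "combined" format (documentation IP ranges, not real
# clients). Line 1 has the RCE shape (POST into /bin/sh via cgi-bin), line 3 a plain
# file read, line 4 the double-encoded variant from the 2.4.50 bypass (CVE-2021-42013).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2025:03:14:07 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.23 - - [10/Jul/2025:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jul/2025:03:15:00 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1390 "-" "python-requests/2.31"',
    '192.0.2.77 - - [10/Jul/2025:03:16:30 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 404 196 "-" "Wget/1.21"',
]

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def traversal_depth(raw_path):
    """Number of percent-decodings needed for some path segment to become '..'.

    0: no encoded traversal.  1: the CVE-2021-41773 pattern (.%2e or %2e%2e).
    2: the double-encoded bypass of the 2.4.50 fix (CVE-2021-42013).
    A literal '..' is normalised by httpd itself and is not this bug, so it is skipped.
    """
    for seg in raw_path.split('?', 1)[0].split('/'):
        if seg == '..':
            continue
        once = unquote(seg)
        if once == '..':
            return 1
        if unquote(once) == '..':
            return 2
    return 0


def classify(line):
    """Return a finding dict for a traversal attempt, or None for a benign/unparsable line."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    depth = traversal_depth(m['path'])
    if depth == 0:
        return None
    decoded = unquote(unquote(m['path'].split('?', 1)[0]))
    return {
        'ip': m['ip'],
        'depth': depth,
        'status': int(m['status']),
        'target': decoded,
        # Traversal out of cgi-bin into a shell, sent as a POST (the command travels in
        # the body), is the code-execution shape rather than a simple file read.
        'rce_shape': m['method'] == 'POST' and decoded.endswith('/bin/sh'),
        # The report notes the second stage is fetched with curl or wget; a downloader
        # user agent on the exploit request itself is a weak but useful pivot.
        'downloader_ua': m['ua'].split('/')[0].lower() in ('curl', 'wget'),
    }


def triage(lines):
    """Run classify() over an iterable of log lines and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A 200 on a traversal request is the line to escalate: it means the server returned content for a path outside the document root. The depth field tells you which of the two httpd releases the probe was aimed at, which helps when reconciling against the patch level of the host.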
Automated Mining Script and Broader Targeting
The compromised sites also host a shell script named "cron.sh," which makes the miner start automatically whenever the infected system reboots. The analysts additionally found two Windows executables on the hacked sites, suggesting that the attackers may be targeting Microsoft Windows hosts as well. Linuxsys has been seen before: in September 2024, Fortinet FortiGuard Labs reported it being dropped through a critical vulnerability in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8). The shell script delivered after that exploitation was retrieved from "repositorylinux[.]com," and its source code contained comments written in Sundanese, a language spoken in western Java, Indonesia.
Long-Term Campaign Indicators
In recent years the Linuxsys miner has been delivered through a string of other vulnerabilities, including CVE-2023-22527 in Atlassian Confluence, CVE-2023-34960 in the Chamilo learning management system, CVE-2023-38646 in Metabase, and CVE-2024-0012 together with CVE-2024-9474 in Palo Alto Networks firewalls. VulnCheck assessed that this reflects a long-running campaign by a single set of operators who consistently reuse the same playbook: exploit known n-day vulnerabilities, stage content on compromised legitimate hosts, and mine cryptocurrency on the infected devices. The attackers also appear to avoid low-interaction honeypots, so high-interaction honeypots were needed to observe their activity in full. That combination of tactics has largely kept the campaign under the radar.
Exchange Servers Compromised by GhostContainer Backdoor
In a related development, Kaspersky has disclosed a campaign against government entities in Asia that likely exploits an n-day vulnerability in Microsoft Exchange Server to deploy a previously undocumented backdoor named GhostContainer. The campaign is suspected to have leveraged a since-patched remote code execution flaw in Exchange Server, CVE-2020-0688 (CVSS score: 8.8). According to Kaspersky, the backdoor can be extended at runtime by downloading additional modules, giving the attackers extensive control over the Exchange server and enabling a range of malicious operations.
Advanced Persistent Threat Characteristics
GhostContainer can execute shellcode, download and manipulate files, run arbitrary commands, and load additional .NET bytecode. It also provides web proxy and tunneling functionality. There are indications that the activity is part of an advanced persistent threat (APT) campaign against high-value organizations in Asia, including technology firms. The attackers have not been identified, but their tradecraft points to deep familiarity with Microsoft Exchange Server and an ability to turn publicly available code into espionage tooling. Notably, Kaspersky highlighted that GhostContainer does not connect to any command-and-control infrastructure: the attackers instead reach the compromised server directly and embed their commands in ordinary Exchange web requests, so the traffic blends in with legitimate use of the server.
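Because GhostContainer has no outbound command-and-control channel, network egress monitoring will not surface it; the evidence lives in the Exchange server's IIS logs. The initial access the page considers most likely, CVE-2020-0688, has a well-known footprint there: a request to an ECP page that carries a __VIEWSTATE value in the query string, which a browser-driven ECP session does not do. The following is an added example written for this page, not Kaspersky's detection logic and not part of their report, that parses IIS W3C extended logs by reading the #Fields header and flags that pattern. The log excerpt, user names, addresses and the function names are constructed; the ViewState payload is a short placeholder rather than a real serialized object.

```python
# Constructed IIS W3C extended log excerpt for an Exchange server. IIS writes a
# #Fields header naming the columns, and records '-' for an empty field; spaces
# inside a user agent are written as '+'. Line 2 is the suspicious request.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-10 03:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-10 03:01:12 10.0.0.5 GET /owa/ - 443 CORP\jdoe 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-07-10 03:02:40 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAB 443 CORP\svc_backup 203.0.113.9 python-requests/2.31 - 500 0 0 310
2025-07-10 03:03:01 10.0.0.5 POST /ecp/default.aspx - 443 CORP\admin 198.51.100.21 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.com/ecp/ 200 0 0 95
"""


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into a list of dicts keyed by the #Fields names.

    The header may be repeated inside a file (IIS writes a new one when the field set
    changes), so the mapping is refreshed whenever a #Fields line is seen.
    """
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
        elif line.startswith('#') or not line.strip():
            continue
        elif fields:
            values = line.split(' ')
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def is_viewstate_in_query(row):
    """CVE-2020-0688 exploitation shape: ViewState delivered in the query string to an ECP page.

    Legitimate ECP traffic posts ViewState in the request body, so a GET (or any method)
    carrying __VIEWSTATE in cs-uri-query is worth a closer look regardless of status.
    """
    stem = row.get('cs-uri-stem', '').lower()
    query = row.get('cs-uri-query', '-').lower()
    return stem.startswith('/ecp/') and '__viewstate=' in query


def find_ecp_viewstate_requests(text):
    """Return the parsed rows that match the ECP ViewState-in-query pattern."""
    return [row for row in parse_iis_w3c(text) if is_viewstate_in_query(row)]


if __name__ == '__main__':
    for row in find_ecp_viewstate_requests(SAMPLE_IIS_LOG):
        print(row['date'], row['time'], row['c-ip'], row['cs-username'],
              row['cs-uri-stem'], row['sc-status'], row['cs(User-Agent)'])
```

Two details in a hit matter for scoping. The cs-username field tells you which mailbox credential the attacker already held, since CVE-2020-0688 requires an authenticated user, and a scripted user agent on an ECP request is itself out of place. A 500 response does not mean the attempt failed: on a vulnerable server the deserialized payload runs before the page errors out.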
