WordPress and Linux users at risk of new malware: key warning signs of a Capoae attack


New malware has been spotted attacking Linux systems and WordPress installations. Malware called Capoae is increasingly the preferred tool of hackers and threat actors due to its cross-platform capabilities, ease of installation, and rapid infection rate.

Linux and WordPress users should remain aware of any indicators that could signal a Capoae malware attack.

Larry Cashdollar, senior security researcher at Akamai, discovered this new strain of malware last month. He explained how Capoae exploits software bugs and weak administrative credentials to gain its initial foothold and start infecting the system.

What is Capoae malware? How dangerous is it?

Typically, Capoae uses CVE-2020-14882, a remote code execution bug in Oracle WebLogic Server, and CVE-2018-20062, another RCE in ThinkPHP. Using these as entry points, Capoae installs cryptocurrency mining software on the infected device, which puts a heavy load on system resources.

According to Advancetec Solutions, Capoae is not a particularly dangerous malware strain; it is far less harmful than payloads such as ransomware. The caveat is that Capoae is currently used only for cryptocurrency mining: technically, nothing prevents hackers from using it to deliver more devastating payloads, code, or viruses.

While there have been no reports of dangerous Capoae infections, the threat is clearly there, so users should remain vigilant for Capoae indicators.


How a Capoae attack on Linux and WordPress works

ZDNet explained in detail how Capoae launches its attack on Linux and WordPress. In the case they describe, a sample of Capoae was observed targeting an Akamai honeypot.

As mentioned earlier, Capoae first exploited CVE-2020-14882 and CVE-2018-20062. PHP malware was then delivered via a WordPress plugin called Download-monitor. The honeypot's weak credentials were quickly obtained through a brute-force attack.

The WordPress plugin was then used as a conduit for Capoae's main payload, a 3 MB UPX-packed binary dropped into /tmp. Once unpacked, the newly acquired XMRig miner is installed and remotely controlled to mine the Monero cryptocurrency (XMR).

Besides the cryptocurrency miner, Capoae also installs several web shells, steals user data, and uploads the stolen files to the attacker's system. Finally, Capoae is able to detect open ports on the compromised host that it could exploit.

According to ZDNet, Cashdollar said, “Once the Capoae malware is executed, it has a pretty smart way of persistence. The malware first chooses a legitimate-looking system path from a small list of locations on a disk where you will likely find system binaries.”

Cashdollar also explained that Capoae generates a random six-character file name, uses it to copy itself to a new location on disk, and then deletes the original. Once done, Capoae injects or updates a crontab entry that triggers the execution of the newly created binary.

The most notable indicators of a Capoae infection are an unrecognized running system process or an unusual increase in system resource load. Also keep an eye out for strange log entries or artifacts such as SSH keys and files.
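The persistence pattern described above (a random six-character binary copied into a system path and launched from cron) is something a defender can look for in crontabs. The following is an added example, not code from the article or from Akamai; the list of system binary directories and the baseline of legitimate six-character names are assumptions, and the sample crontab is constructed.

```python
import re

# Directories where system binaries normally live. The article says Capoae picks
# from "a small list" of such paths; the exact list here is an assumption.
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin"}
# Six-character alphanumeric basename, the random naming pattern described above.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{6}$")
# Five schedule fields followed by the rest of the line (command, or user+command).
CRON_LINE = re.compile(r"^(\S+\s+){5}(?P<rest>.+)$")
# Legitimate six-character binaries that would otherwise match (assumed list).
BASELINE = {"python", "passwd"}

# Constructed sample crontab: one normal job, one Capoae-style job, one @reboot job.
SAMPLE_CRONTAB = """\
# constructed sample user crontab
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/apt-get clean
*/5 * * * * /usr/sbin/x7fq2k
@reboot /usr/local/bin/run-backup
"""

def command_of(line, system_crontab):
    """Return the executable token of a cron job line, or "" if it is not a job."""
    if line.startswith("@"):                      # @reboot, @daily, ...
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    else:
        m = CRON_LINE.match(line)
        rest = m.group("rest") if m else ""
    tokens = rest.split()
    if system_crontab and tokens:                 # /etc/crontab has a user column
        tokens = tokens[1:]
    return tokens[0] if tokens else ""

def suspicious_cron_entries(crontab_text, baseline=BASELINE, system_crontab=False):
    """Flag jobs whose binary sits in a system bin directory, has a random-looking
    six-character name, and is not in the known-good baseline."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                              # blank, comment, or VAR=value
        path = command_of(line, system_crontab)
        directory, _, name = path.rpartition("/")
        if directory in SYSTEM_BIN_DIRS and RANDOM_NAME.match(name) and name not in baseline:
            findings.append((line, path))
    return findings

if __name__ == "__main__":
    for line, path in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"suspicious cron job -> {path}: {line}")
```

A hit is a lead, not proof: confirm it by checking whether the package manager owns the file and whether the process is actually running and consuming CPU, as the indicators above describe.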
