Cybersecurity researchers have discovered a new campaign that delivers a cryptocurrency miner called Linuxsys by exploiting a known security flaw affecting Apache HTTP Server.
The vulnerability in question is CVE-2021-41773 (CVSS score: 7.5), a high-severity path traversal vulnerability in Apache HTTP Server version 2.4.49 that can lead to remote code execution.
“Attackers leverage compromised legitimate websites to distribute malware, allowing stealthy delivery and evasion of detection,” VulnCheck said in a report shared with The Hacker News.
The infection sequence, observed earlier this month and originating from the Indonesian IP address 103.193.177(.)152, is designed to drop the next-stage payload from “RepositoryLinux(.)org” using curl or wget.
The payload is a shell script responsible for downloading the Linuxsys cryptocurrency miner from five different legitimate websites, suggesting that the threat actors behind the campaign have compromised third-party infrastructure to facilitate the distribution of the malware.
“This approach is smart because victims connect to legitimate hosts with valid SSL certificates and are unlikely to trigger detection,” VulnCheck said. “In addition, it provides a layer of separation for the downloader site (‘Repositorylinux(.)org’), because the malware itself is not hosted there.”
The site also hosts another shell script named “cron.sh”, which ensures that the miner starts automatically when the system reboots. The cybersecurity company also identified two Windows executables on the hacked site, raising the possibility that the attackers are also targeting Microsoft’s desktop operating system.
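As an added, defender-side illustration (not part of VulnCheck's report or of this article), the following Python script triages Apache access-log lines for the percent-encoded dot-segment traversal that CVE-2021-41773 abuses. It resolves the decoded request path to see whether it escapes the document root, ignores harmless percent-encoded dots in ordinary filenames, and records whether the server answered 200 (the traversal was probably served) or an error. The log lines, TEST-NET IP addresses and timestamps are constructed samples, not data from the campaign.

```python
"""Triage Apache access logs for CVE-2021-41773 style path traversal probes (added example)."""
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache common log format; the addresses are
# TEST-NET ranges and the traffic is invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.9 - - [17/Jul/2025:10:01:07 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1200
203.0.113.12 - - [17/Jul/2025:10:02:00 +0000] "GET /images/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 200
203.0.113.7 - - [17/Jul/2025:10:03:15 +0000] "GET /docs/v1%2e2/readme HTTP/1.1" 200 845
"""

# Common log format: client, ident, user, [timestamp] "METHOD path HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A ".." segment with at least one dot percent-encoded: ".%2e", "%2e.", "%2e%2e".
# A plain ".." is normalized by Apache; the encoded forms are what 2.4.49 mishandled.
ENCODED_DOTDOT_RE = re.compile(r'\.%2e|%2e\.|%2e%2e', re.IGNORECASE)


def normalize_path(raw_path):
    """Decode the path (repeatedly, to catch double encoding) and resolve dot segments.

    Returns (resolved_path, escapes_root). escapes_root is True when a ".."
    segment tries to climb above the document root.
    """
    path = raw_path.split('?', 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    stack = []
    escapes = False
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if stack:
                stack.pop()
            else:
                escapes = True
        else:
            stack.append(seg)
    return '/' + '/'.join(stack), escapes


def triage(log_text):
    """Return one finding per request that uses encoded dot segments or escapes the root."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        raw = m.group('path')
        resolved, escapes = normalize_path(raw)
        encoded = bool(ENCODED_DOTDOT_RE.search(raw))
        if not (encoded or escapes):
            continue
        status = int(m.group('status'))
        findings.append({
            'ip': m.group('ip'),
            'ts': m.group('ts'),
            'method': m.group('method'),
            'raw': raw,
            'resolved': resolved,
            'status': status,
            # A 200 on a traversal request means the server most likely served it.
            'verdict': 'likely_success' if status == 200 else 'blocked_or_failed',
        })
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['raw']} -> {f['resolved']} "
              f"[{f['status']}] {f['verdict']}")
```

Point the script at a real access log (one line per request) to get the same per-request verdicts; a `likely_success` on a host running 2.4.49 is the line that should trigger a look for follow-on curl or wget activity and unexpected cron entries.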
It is worth noting that attacks distributing the Linuxsys miner previously exploited a critical security flaw in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8), as documented by Fortinet FortiGuard Labs in September 2024.
Interestingly, following exploitation of that flaw, the shell script was downloaded from “RepositoryLinux(.)com” and contained source code comments written in Sundanese, a language spoken in Indonesia. The same shell script has been detected in the wild as far back as December 2021.

Some of the other vulnerabilities that have been exploited in recent years to deliver the miner are listed below:
- CVE-2023-22527, a template injection vulnerability in Atlassian Confluence Data Center and Confluence Server
- CVE-2023-34960, a command injection vulnerability in the Chamilo Learning Management System (LMS)
- CVE-2023-38646, a command injection vulnerability in Metabase
- CVE-2024-0012 and CVE-2024-9474, an authentication bypass and a privilege escalation vulnerability in Palo Alto Networks firewalls
“All of this shows that the attackers are running long-term campaigns and employ consistent techniques such as n-day exploitation, staging content on compromised hosts, and coin mining on victim machines,” VulnCheck said.
“Part of their success comes from careful targeting. They seem to avoid low-interaction honeypots, and observing their activity requires high-interaction ones. Combined with the use of compromised hosts for malware distribution, this approach has largely helped the attackers avoid scrutiny.”
GhostContainer Backdoor Targets Exchange Server
The development comes as Kaspersky revealed details of a campaign targeting government agencies in Asia that likely exploits an n-day security flaw in Microsoft Exchange Server to deploy a bespoke backdoor called GhostContainer. The attacks are suspected to have exploited CVE-2020-0688 (CVSS score: 8.8), a now-patched remote code execution bug in Exchange Server.
The Russian company said the “sophisticated multifunctional backdoor” can be “expanded dynamically with any function” by downloading additional modules, adding that “the backdoor gives attackers full control over the Exchange server and allows them to perform a variety of malicious activities.”
The malware is equipped to parse instructions that allow it to run shellcode, download files, read and delete files, execute arbitrary commands, and load additional .NET bytecode. It also includes a web proxy and tunneling module.
The activity is suspected to be part of an advanced persistent threat (APT) campaign targeting high-value organizations, including high-tech companies in Asia.
Little is known about the threat actor behind the attacks, but it is assessed to be highly skilled, given its detailed understanding of Microsoft Exchange Server and its ability to turn publicly available code into advanced espionage tools.
“The GhostContainer backdoor does not establish connections with the (command-and-control) infrastructure,” Kaspersky said. “Instead, the attacker connects externally to the compromised server, and their control commands are hidden within normal Exchange web requests.”