Wiz Research has identified an ongoing cryptomining campaign named Soco404 that actively targets misconfigured cloud services. The operation’s primary goal is to deploy platform-specific malware on both Linux and Windows environments to mine cryptocurrency. Attackers primarily gain initial access by scanning for publicly exposed services, with a significant focus on PostgreSQL databases, which are often misconfigured in cloud deployments.
The threat actors exploit features within these services to achieve remote code execution. A key method involves abusing PostgreSQL’s COPY FROM PROGRAM feature, a technique cataloged as T1190 by MITRE. They also leverage known vulnerabilities, such as CVE-2025-24813 in Apache Tomcat, and weak credentials to infiltrate systems. To evade detection, the attackers host their malware payloads on legitimate but compromised servers, including a Korean transportation website, making the malicious traffic appear benign.
Soco404 employs several clever techniques to remain hidden and maintain its presence on infected systems. The campaign uses process masquerading (T1036.005), where malicious binaries are disguised as legitimate system processes like sd-pam. A unique aspect of this campaign is its payload delivery mechanism: the malware is embedded as a base64-encoded blob within fake 404 error pages hosted on Google Sites and custom domains. Persistence is achieved on Linux through cron jobs (T1053.003) and by modifying shell initialization files like .bashrc (T1546.004).
Platform-Specific Malware Behavior
The malware behaves differently depending on the operating system. On Linux, a dropper script downloads a UPX-packed and Garble-obfuscated Go binary that executes in memory (T1027). This binary eliminates competing miners, optimizes system resources for mining, and connects to a command-and-control (C2) server. On Windows, a payload named ok.exe establishes persistence as a service (T1543.003), injects itself into the conhost.exe process (T1055), deploys a driver for direct hardware access, and halts event logging (T1562.002) before beginning its mining operations.
Broader Infrastructure and Detection
Evidence suggests that Soco404 is part of a larger crypto-scam infrastructure that also includes fake cryptocurrency exchange websites. This indicates a versatile operation that combines automated cryptojacking with social engineering tactics. Security tools like Wiz’s Dynamic Scanner can identify the initial attack vector by detecting exposed PostgreSQL instances with weak credentials, while its Runtime Sensor can detect the anomalous behaviors associated with the campaign, from exploitation to the final resource hijacking for mining (T1496). The campaign remains active, with a fluctuating number of infected workers participating in its mining pools.
Reference:
