A sophisticated Linux malware, dubbed Koske, is raising alarms in the cybersecurity community because of its advanced techniques and the strong possibility that it was developed with the help of artificial intelligence. Researchers from AquaSec describe it as a significant threat that uses seemingly benign JPEG images of panda bears to deliver its malicious payloads. The malware's ultimate goal is to hijack a system's computational power to mine 18 different cryptocurrencies, and the degree of automation and adaptability it shows points toward the use of large language models (LLMs) or other automation frameworks in its creation.
Koske gains initial access by exploiting misconfigured JupyterLab instances exposed to the internet. Once inside, the attacker uses polyglot files. It downloads two JPEG images of pandas that are valid image files a user could open and view normally; appended to the image data, however, are a malicious shell script and C source code. This is not steganography, where data is concealed inside the picture itself: the payload simply follows the JPEG's end-of-image marker, where an image decoder stops reading and ignores whatever comes next, while a script interpreter handed the trailing bytes will run them. The same file is therefore valid as a JPEG and usable as a payload carrier, depending on which application consumes it. This lets the malware be hosted on legitimate image services and slip past checks that only look at a file's type or magic bytes.
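The polyglot trick relies on JPEG decoders ignoring everything after the End-Of-Image marker. The following is an added example of how a defender can carve and triage that trailing data; it is not Koske's code or AquaSec's tooling. It walks the JPEG marker structure properly (segment lengths, entropy-coded scan data, restart markers) rather than searching for the first `FF D9`, because an Exif thumbnail carries its own EOI and a naive search stops there. The sample file is constructed for the demonstration: its marker layout is valid, but it is not a decodable picture, and the appended script is inert.

```python
"""Carve data appended after a JPEG's End-Of-Image marker (added example)."""

SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01


def find_eoi_end(data: bytes) -> int:
    """Walk the marker segments of a JPEG and return the offset just past EOI.

    Segment lengths are honoured, so an EOI inside an APP1/Exif thumbnail is not
    mistaken for the real one. After SOS the entropy-coded data is skipped by
    looking for the next marker that is neither a stuffed 0xFF00 nor a restart
    marker (0xFFD0..0xFFD7). Raises ValueError on malformed input.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:  # fill bytes before a marker
            pos += 1
        if pos >= n:
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker == TEM or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            continue
        seglen = int.from_bytes(data[pos:pos + 2], "big")
        if seglen < 2 or pos + seglen > n:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seglen
        if marker == SOS:  # skip scan data until a real marker appears
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def carve_trailer(data: bytes) -> bytes:
    """Bytes after the real EOI; empty for a clean file."""
    return data[find_eoi_end(data):]


def naive_trailer(data: bytes) -> bytes:
    """What a quick search for the first FF D9 returns: wrong whenever an
    embedded thumbnail carries its own EOI, as in the sample below."""
    idx = data.find(b"\xff\xd9")
    return data[idx + 2:] if idx >= 0 else b""


def describe_trailer(trailer: bytes) -> dict:
    """Triage hints: a shebang or a C preprocessor line matches the pattern
    reported for Koske (shell script and C source appended to JPEGs)."""
    text = trailer.decode("utf-8", errors="replace")
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in trailer)
    return {
        "length": len(trailer),
        "shebang": text.startswith("#!"),
        "looks_like_c": "#include" in text,
        "printable_ratio": printable / len(trailer) if trailer else 0.0,
    }


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: JFIF header, an Exif segment carrying a thumbnail with its
# own SOI/EOI pair, a scan with a stuffed 0xFF00 and an RST0 marker, the real
# EOI, then an inert shell script appended in the way the article describes.
THUMBNAIL = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00") + b"\xff\xd9"
APPENDED_SCRIPT = b"#!/bin/sh\necho 'payload would run here'\n"
CLEAN_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + THUMBNAIL)
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    + b"\xff\xd9"
)
POLYGLOT = CLEAN_JPEG + APPENDED_SCRIPT

if __name__ == "__main__":
    trailer = carve_trailer(POLYGLOT)
    print(describe_trailer(trailer))
    print("naive FF D9 search misfires:", naive_trailer(POLYGLOT) != trailer)
```

Run the same carve over files fetched from an image host or sitting in a JupyterLab working directory; a non-empty trailer is not proof of malice (some cameras and editors append data too), but a trailer that starts with a shebang or contains `#include` is worth pulling for analysis.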
Once handed to a script interpreter, the payloads extracted from the two panda "images" are launched in parallel and run directly in memory, which leaves few traces on disk.
One payload is a C rootkit that is compiled and executed in memory; the second is a shell script. The rootkit uses the LD_PRELOAD technique, in which a shared object is loaded into every dynamically linked process ahead of libc so that it can intercept library calls (typically directory-listing functions such as readdir) and filter the malware's processes and files out of what monitoring tools see. Meanwhile, the shell script establishes persistence through cron jobs and custom systemd services, rewrites the host's DNS settings to use Cloudflare's and Google's public resolvers, and actively searches for working proxies to keep its outbound connection alive.
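Two of the behaviours above, in-memory execution and an LD_PRELOAD userland rootkit, leave signs that can be checked from the host. The following is an added example of those checks; it is not AquaSec's tooling or anything from Koske. The rootkit check is a cross-view comparison: `readdir()` is the call a preload hook filters, so `/proc` is listed once through it and once by opening `/proc/<pid>/status` for every possible PID directly, and anything present only in the second view is hidden. The memfd check reads the `/proc/<pid>/exe` link, which points at `/memfd:...` for a binary that never touched disk. The pure functions take constructed inputs so the logic runs offline; `scan_host()` wires them to the live procfs. The handling of `/etc/ld.so.preload` assumes glibc's whitespace-separated, `#`-commented format.

```python
"""Host-side checks for in-memory execution and LD_PRELOAD hiding (added example)."""
import os
import re
from typing import Dict, List, Optional, Set

PROC = "/proc"


def listed_pids(proc_dir: str = PROC) -> Set[int]:
    """PIDs as seen through readdir(), the libc path an LD_PRELOAD hook filters."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def tgid_from_status(status_text: str) -> Optional[int]:
    """Parse the Tgid field of /proc/<pid>/status; None if absent."""
    m = re.search(r"^Tgid:\s*(\d+)$", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def probed_pids(max_pid: int, proc_dir: str = PROC) -> Set[int]:
    """PIDs found by opening /proc/<pid>/status directly, bypassing readdir().

    Threads are reachable as /proc/<tid> but are never listed, so only
    thread-group leaders (Tgid == pid) are kept; otherwise every thread of a
    multithreaded process would look like a hidden PID."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"{proc_dir}/{pid}/status") as fh:
                status = fh.read()
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue  # no such pid, it exited mid-read, or hidepid= blocks it
        if tgid_from_status(status) == pid:
            found.add(pid)
    return found


def hidden_pids(listed: Set[int], probed: Set[int]) -> Set[int]:
    """Cross-view difference: reachable by direct probe, absent from the listing."""
    return probed - listed


def read_max_pid(path: str = f"{PROC}/sys/kernel/pid_max") -> int:
    with open(path) as fh:
        return int(fh.read().strip())


def memfd_backed(exe_link_target: str) -> bool:
    """True for the readlink() of /proc/<pid>/exe when the binary came from
    memfd_create() or was unlinked from disk after exec."""
    return exe_link_target.startswith("/memfd:") or exe_link_target.endswith(" (deleted)")


def memfd_processes(pids: Set[int], proc_dir: str = PROC) -> Dict[int, str]:
    out = {}
    for pid in pids:
        try:
            target = os.readlink(f"{proc_dir}/{pid}/exe")
        except OSError:
            continue  # kernel threads have no exe; other users' may be unreadable
        if memfd_backed(target):
            out[pid] = target
    return out


def preload_entries(ld_so_preload_text: str, environ: Dict[str, str]) -> List[str]:
    """Shared objects that get injected into every dynamically linked process:
    /etc/ld.so.preload entries (whitespace-separated, '#' comments, assumed
    glibc format) plus LD_PRELOAD, which takes space- or colon-separated paths."""
    entries = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.split())
    for item in re.split(r"[:\s]+", environ.get("LD_PRELOAD", "")):
        if item:
            entries.append(item)
    return entries


def scan_host() -> dict:
    """Run all three checks against the live host (needs read access to /proc)."""
    listed = listed_pids()
    probed = probed_pids(read_max_pid())
    try:
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    except FileNotFoundError:
        preload_text = ""
    return {
        "hidden_pids": sorted(hidden_pids(listed, probed)),
        "memfd_processes": memfd_processes(probed),
        "preload_entries": preload_entries(preload_text, dict(os.environ)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scan_host(), indent=2))
```

The cross-view check only catches hooks that filter `readdir()`; a rootkit that also hooks `open()`/`stat()` or that lives in the kernel needs a different vantage point (a static binary, or a comparison against the kernel's own view via `/proc/sys/kernel/pid_max` walks from another host or an eBPF tracer). A `/memfd:` target in `exe` is a strong but not conclusive signal, since some legitimate runtimes use memfd as well.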
After establishing a persistent and stealthy presence, Koske's primary function begins. The shell script evaluates the infected host's CPU and GPU to pick the most efficient cryptocurrency miner from a selection hosted on GitHub, profiling that lets it maximize its mining output. The malware is equipped to mine 18 different cryptocurrencies, including the privacy-focused Monero and Zano as well as Ravencoin. If a mining pool or a specific coin becomes unavailable, Koske automatically switches to a backup, a further sign of autonomous operation.
The adaptive behavior, layered evasion techniques, and automated decision-making observed in Koske are what led the researchers to suspect AI involvement in its development. Attribution remains uncertain; the available clues point toward Serbian and Slovak origins, but the researchers' focus is on the malware's capabilities. AquaSec warns that Koske is likely just the beginning: future variants could use AI for real-time adaptability, changing their tactics dynamically in response to defenses, and that would mark a new and far more dangerous class of threat.