A sophisticated Linux malware campaign targeting Apache2 web servers was uncovered in March 2024. The attackers exploited known vulnerabilities in Apache2, such as remote code execution (RCE) and path traversal flaws, to gain unauthorized access to vulnerable servers. Apache2, being widely used, presents a significant risk to organizations that fail to regularly update their servers and implement necessary security measures. The campaign demonstrated a high level of sophistication, utilizing multiple tools and techniques to maintain persistence and evade detection.
The malware arsenal deployed in this campaign included KAIJI, a tool used for Distributed Denial of Service (DDoS) attacks, RUDEDEVIL, a cryptocurrency miner, and custom malware designed for system reconnaissance and exploitation. The attackers also employed a tool called GSOCKET to establish encrypted communication channels for persistent access, masquerading it as kernel processes to avoid detection. To further obscure their activities, the attackers used techniques such as manipulating SELinux policies, using bind mounts for obfuscation, and exploiting the CVE-2021-4034 vulnerability, also known as “pwnkit,” for privilege escalation.
To maintain persistence on compromised systems, the attackers implemented multiple mechanisms, including creating Systemd services, modifying SysVinit scripts, and altering bash profiles. The use of a cron job to execute a script named “ifindyou” every minute was another tactic to ensure the malware remained active. The campaign also involved cryptocurrency mining, specifically through the XMRIG miner, which was configured to mine Bitcoin for a specific wallet address. The attackers even used the infected machine’s hostname as an identifier for the mining process, ensuring that each machine in the botnet contributed to their illicit activities.
In addition to mining cryptocurrency, the attackers integrated a Python script that interacted with a demo version of an online gambling game. This script simulated betting, handled user authentication, and transmitted data back to a remote server. The use of HTTP POST and GET requests allowed the attackers to automate the gambling process, mimicking human behavior with intentional delays. This suggests that the attackers were testing and refining their methods, possibly preparing for future, more advanced attacks on live gambling platforms, further indicating the growing complexity of cybercriminal activities targeting web servers.
Reference:
