Huawei Cloud, are now targeted by a new variant of a previously documented crypto-mining malware. The malware is Linux-based; its initial version began operating in 2020, when its victims were Docker containers. The new campaign also brings evolved and enhanced capabilities.

The Linux crypto-mining malware has new features:

  • The function that creates firewall rules has been commented out in the new samples.
  • It drops a network scanner, whose purpose is to map hosts by their API-relevant ports.
  • Only cloud environments are targeted this time.
  • It removes previously installed malicious cryptojacking scripts.
  • The coin miner targets and infects a Linux system, then removes previously created users.
  • Once the previous users are deleted, the cryptojackers add their own users.
  • These are added to the sudo list, giving root access to the device.
  • A personal ssh-RSA key is used for system changes, and file permissions are changed to “locked”, which ensures the malware persists.
  • A Tor proxy service is then installed, so connections are anonymized.
  • Then “linux64_shell”, “ff.sh”, “fczyo” and “xlinux” are dropped, in somewhat obfuscated form.
  • The created binaries can bypass automated detection and analysis tools.
  • Finally, a foothold on the device is obtained, and remote systems are compromised with the cryptominer and infected scripts.
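
A defender-side host triage keyed to the behaviours listed above, as an added example (not the researchers' tooling or the malware's code). It works on text snapshots so it runs offline; the passwd, sudoers, lsattr and systemctl lines below are constructed, and the baseline admin list is an assumption.

```python
import re

# Filenames the article reports being dropped by the miner.
DROPPED_NAMES = {"linux64_shell", "ff.sh", "fczyo", "xlinux"}

def new_sudo_users(passwd_text, sudoers_text, baseline_users):
    """Accounts with a direct sudoers grant that are not in the known-good baseline."""
    users = {ln.split(":")[0] for ln in passwd_text.splitlines() if ":" in ln}
    granted = set()
    for ln in sudoers_text.splitlines():
        ln = ln.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^(\S+)\s+ALL\s*=", ln)      # 'user ALL=(...) ...'
        if m and not m.group(1).startswith("%"):   # skip group rules
            granted.add(m.group(1))
    return sorted((granted & users) - set(baseline_users))

def immutable_ssh_files(lsattr_text):
    """SSH key files carrying the immutable bit ('i' in the lsattr flag field)."""
    hits = []
    for ln in lsattr_text.splitlines():
        parts = ln.split(None, 1)
        if len(parts) == 2 and "i" in parts[0] and "/.ssh/" in parts[1]:
            hits.append(parts[1].strip())
    return hits

def dropped_files(paths):
    """Paths whose basename matches one of the reported dropped filenames."""
    return sorted(p for p in paths if p.rsplit("/", 1)[-1] in DROPPED_NAMES)

def tor_service_present(systemctl_text):
    """True if a tor unit appears in 'systemctl list-units' style output."""
    return any(re.match(r"^\s*tor(@\S*)?\.service\b", ln) for ln in systemctl_text.splitlines())

# Constructed snapshot of a compromised host (not real captures).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nubuntu:x:1000:1000::/home/ubuntu:/bin/bash\nsvcbak:x:1001:1001::/home/svcbak:/bin/bash\n"
SAMPLE_SUDOERS = "# User privilege specification\nroot    ALL=(ALL:ALL) ALL\nsvcbak ALL=(ALL) NOPASSWD:ALL\n%sudo   ALL=(ALL:ALL) ALL\n"
SAMPLE_LSATTR = "----i---------e------- /root/.ssh/authorized_keys\n--------------e------- /root/.bashrc\n"
SAMPLE_FILES = ["/tmp/ff.sh", "/usr/bin/ls", "/var/tmp/xlinux"]
SAMPLE_UNITS = "  ssh.service loaded active running OpenBSD Secure Shell server\n  tor.service loaded active running Anonymizing overlay network for TCP\n"
BASELINE_USERS = ["root", "ubuntu"]   # assumed known-good admins for this host

def triage(passwd=SAMPLE_PASSWD, sudoers=SAMPLE_SUDOERS, lsattr=SAMPLE_LSATTR,
           files=SAMPLE_FILES, units=SAMPLE_UNITS, baseline=BASELINE_USERS):
    """Run all four checks and return the findings as a dict."""
    return {
        "new_sudo_users": new_sudo_users(passwd, sudoers, baseline),
        "immutable_ssh_files": immutable_ssh_files(lsattr),
        "dropped_files": dropped_files(files),
        "tor_service": tor_service_present(units),
    }

if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k}: {v}")
```

On a live host the same functions can be fed the output of `cat /etc/passwd`, `cat /etc/sudoers`, `lsattr -R /root/.ssh /home/*/.ssh` and `systemctl list-units --type=service`.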

Researchers have also found which vulnerabilities were scanned for during the attack: the attackers looked for weak SSH passwords, the Oracle WebLogic Server flaw tracked as CVE-2020-14882, weak passwords or unauthorized access in Redis, PostgreSQL, or MongoDB, and weak passwords for SQL Server and FTP. Linux attacks of this kind usually follow a pattern of crypto-miner payload deployment.

Detect and stop hidden cyber threats and be a step ahead of hackers with our Threat Prevention Tool. This combined with Next-Gen Antivirus will identify even undetectable malware.