Elastic Security Labs uncovered a sophisticated Linux malware campaign targeting servers through an Apache2 web server exploit in March 2024. The attackers used a mix of tools, including custom malware, KAIJI (a DDoS botnet), and RUDEDEVIL (a cryptocurrency miner). They utilized C2 channels disguised as kernel processes, Telegram bots for communication, and cron jobs for persistence. The campaign also involved leveraging gambling APIs, potentially for money laundering activities.
The attackers exploited an Apache2 server, gaining arbitrary code execution. They deployed KAIJI malware and downloaded a script (00.sh) to erase traces and kill other mining processes.
The attackers used a file server to distribute malware for different architectures. RUDEDEVIL and KAIJI malware variants were identified, each serving different purposes, like mining cryptocurrency or conducting DDoS attacks.
- RUDEDEVIL: A cryptocurrency miner with various functions such as socket creation, privilege handling, decryption, and process monitoring. The malware also includes an XOR-based encryption routine for concealing its activities.
- KAIJI: A DDoS botnet capable of evading detection, setting up persistence, and altering SELinux policies. Its deployment involved moving system binaries, using bind mount techniques, and creating multiple backdoors for control.
The attackers utilized GSOCKET for encrypted communication, disguised as kernel processes. They also employed cron jobs, PHP payloads, and Systemd services to establish and maintain persistence on compromised hosts. Telegram bots and gambling APIs were used to relay information back to the C2 server.
- ├── 09f935acbac36d224acfb809ad82c475d53d74ab505f057f5ac40611d7c3dbe7 l64_v0 RUDEDEVIL:LUFICER x64 version 0
- ├── 0fede7231267afc03b096ee6c1d3ded479b10ab235e260120bc9f68dd1fc54dd apache2_upx_packed
- ├── 160f232566968ade54ee875def81fc4ca69e5507faae0fceb5bef6139346496a l64_v2 RUDEDEVIL:LUFICER x64 version 2
- ├── 20899c5e2ecd94b9e0a8d1af0114332c408fb65a6eb3837d4afee000b2a0941b l86_v0 RUDEDEVIL:LUFICER x86 version 0
- ├── 47ceca049bfcb894c9a229e7234e8146d8aeda6edd1629bc4822ab826b5b9a40 l86_v2 RUDEDEVIL:LUFICER x86 version 2
- ├── 54a5c82e4c68c399f56f0af6bde9fb797122239f0ebb8bcdb302e7c4fb02e1de mvhhvcp3.exe DONUT LOADER
- ├── 728dce11ffd7eb35f80553d0b2bc82191fe9ff8f0d0750fcca04d0e77d5be28c SystemdXC XMRIG
- ├── 72ac2877c9e4cd7d70673c0643eb16805977a9b8d55b6b2e5a6491db565cee1f SystemdXC XMRIG
- ├── 89b60cedc3a4efb02ceaf629d6675ec9541addae4689489f3ab8ec7741ec8055 l64_v3 RUDEDEVIL:LUFICER x64 version 3
- ├── 9e32be17b25d3a6c00ebbfd03114a0947361b4eaf4b0e9d6349cbb95350bf976 download.sh KAIJI Stager
- ├── 9ee695e55907a99f097c4c0ad4eb24ae5cf3f8215e9904d787817f1becb9449e download.sh KAIJI Stager
- ├── d0ef2f020082556884361914114429ed82611ef8de09d878431745ccd07c06d8 linux_amd64 KAIJI x64
- ├── d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60 hjvhg.exe Miner
- ├── e89f4073490e48aa03ec0256d0bfa6cf9c9ac6feb271a23cb6bc571170d1bcb5 l86_v3 RUDEDEVIL:LUFICER x86 version 3
- └── ea0068702ea65725700b1dad73affe68cf29705c826d12a497dccf92d3cded46 l64_v1 RUDEDEVIL:LUFICER x64 version 1
- Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.
No comments:
Post a Comment