Sophisticated Linux Malware Campaign Targets Misconfigured Cloud Services

Cado Security Labs’ recent discovery exposed a complex malware campaign zeroing in on Linux servers misconfigured with popular cloud services. This campaign highlights the adaptability of malicious actors, who are continuously refining tactics to exploit a dynamic attack surface.

The actors behind this campaign cloak their identities in layers of anonymity. With tactics reminiscent of previous cloud attacks attributed to notorious groups like TeamTNT, WatchDog, and the Kiss a Dog campaign. Yet, without the capabilities of governments or law enforcement, attributing these attacks to a specific actor remains a challenge.

Campaign’s Distinctive Features

• Multi-Service Focus: The campaign’s broad targeting of Apache Hadoop YARN, Docker, Confluence, and Redis sets it apart, hinting at attackers seeking diverse foothold opportunities.
• Rare Golang Payloads: The use of previously unreported Golang binaries indicates a degree of technical sophistication in payload creation.
• Agile Exploit Weaponization: Rapid incorporation of the CVE-2022-26134 Confluence vulnerability demonstrates the actors’ ability to monitor and operationalize new exploits with speed.

Detailed Initial Access Breakdown

1. Docker Engine API Exploitation: Attackers bind-mount the host’s root directory into a new container, enabling them to write malicious cron jobs for persistent code execution on the underlying machine.

2. Confluence Zero-Day Targeting: The n-day Confluence exploit grants remote code execution capabilities, a powerful entry point for attackers.

3. Automated Discovery and Spread: Purpose-built Golang tools automate the identification and compromise of other vulnerable hosts across randomized network segments.

4. Defensive Evasion: Rootkits, anti-forensic techniques, and disabling of security mechanisms are used to obscure the malware’s presence and maximize the chances of remaining undetected.

Potential Motivations

• Resource Hijacking: The primary payload is the XMRig cryptocurrency miner, signaling a primary interest in illicit cryptomining operations at scale. This campaign is not targeting just Docker, but also Apache Hadoop YARN, Confluence, and Redis through a series of sophisticated payloads. Each payload is tailored to exploit specific vulnerabilities, demonstrating a high level of customization and understanding of the target environments.For Docker, the campaign manipulates containers to escape onto the underlying host. In the case of Hadoop YARN, it targets exposed APIs to execute commands remotely. Confluence servers are compromised using a well-documented vulnerability, and Redis instances are hijacked through clever manipulation, turning them into cryptocurrency miners.
• Network Expansion: The malware’s worm-like behavior suggests a desire to establish a large infected network. This could be leveraged for future attacks, distributed denial-of-service (DDoS) activities, or sold on darknet markets for access to other threat groups.
• Espionage Potential: While not the immediate focus, the persistent backdoors and defensive evasion techniques could facilitate more targeted attacks and intelligence-gathering operations in the future.

Call to Action

Organizations with Linux-based cloud deployments should reassess their security posture, paying close attention to potentially misconfigured services and ensuring timely patching of critical vulnerabilities.