Linux Malware Campaign Targets Misconfigured Cloud Servers

Cado Security has issued a warning about a cryptojacking campaign leveraging Linux malware, which targets misconfigured Apache Hadoop, Confluence, Docker, and Redis instances with innovative malicious payloads. The attackers employ four new Golang payloads to automate the discovery and exploitation of vulnerable hosts, alongside a reverse shell and multiple user-mode rootkits to conceal their activities. In Docker attacks, the threat actors run a command that creates a new container and establishes a bind mount of the server's root directory, enabling them to write an executable that connects to their command-and-control (C&C) server and fetches a first-stage payload. That payload, a shell script, facilitates C&C hosting, checks for utilities, installs additional payloads, and performs various system-weakening tasks. Additionally, the attackers deploy the XMRig miner, shell scripts, and utilities, while employing user-mode rootkits for stealth. They also insert SSH keys for persistence, use Golang payloads to search for and delete Docker images, and exploit vulnerabilities such as CVE-2022-26134 in Confluence servers. This campaign underscores the evolving tactics of cloud and Linux malware developers, emphasizing the need for robust security measures against such threats.
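The Docker step described above (a fresh container with the host's root directory bind-mounted into it) leaves a configuration trace that a defender can audit. The following is an added example, not code from Cado Security or the original report: it parses `docker inspect` output and flags containers with bind mounts from sensitive host paths or with privileged mode. The container names, images and mounts in the embedded sample are constructed for illustration.

```python
import json

# Constructed sample of `docker inspect` output (not from the original report):
# a benign container using a named volume, and one whose configuration matches
# the technique described above (host root bind-mounted into the container).
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaaa1111",
        "Name": "/web",
        "Config": {"Image": "nginx:1.25"},
        "HostConfig": {"Privileged": False, "Binds": ["webdata:/usr/share/nginx/html"]},
        "Mounts": [{"Type": "volume", "Name": "webdata", "Destination": "/usr/share/nginx/html"}],
    },
    {
        "Id": "bbbb2222",
        "Name": "/busy",
        "Config": {"Image": "alpine:latest"},
        "HostConfig": {"Privileged": False, "Binds": ["/:/mnt"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}],
    },
])

# Host paths that should never be bind-mounted into an ordinary workload.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock")

def suspicious_mounts(container: dict) -> list:
    """Return the host source paths of bind mounts that expose sensitive locations."""
    hits = []
    for m in container.get("Mounts", []):
        if m.get("Type") != "bind":
            continue
        src = m.get("Source", "")
        exact = src in SENSITIVE_HOST_PATHS
        below = any(src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")
        if exact or below:
            hits.append(src)
    return hits

def audit(inspect_json: str) -> list:
    """Return (name, image, reasons) for every container that warrants review."""
    findings = []
    for c in json.loads(inspect_json):
        reasons = []
        mounts = suspicious_mounts(c)
        if mounts:
            reasons.append("host bind mount: " + ", ".join(mounts))
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged")
        if reasons:
            findings.append((c["Name"], c["Config"]["Image"], reasons))
    return findings

if __name__ == "__main__":
    for name, image, reasons in audit(SAMPLE_INSPECT):
        print(f"{name} ({image}): {'; '.join(reasons)}")
```

In practice, feed it the output of `docker inspect $(docker ps -aq)` on a host whose Docker API may have been reachable from the network; a hit on a container you did not create is a strong signal to preserve the host for investigation.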

Read more: https://www.securityweek.com/linux-malware-campaign-targets-misconfigured-cloud-servers/