Threat hunters have disclosed two different malware campaigns that have targeted vulnerabilities and misconfigurations across cloud environments to deliver cryptocurrency miners.
The threat activity clusters have been codenamed Soco404 and Koske by cloud security firms Wiz and Aqua, respectively.
Soco404 “targets both Linux and Windows systems, deploying platform-specific malware,” Wiz researchers Maor Dokhanian, Shahar Dorfman, and Avigayil Mechtinger said. “They use process masquerading to disguise malicious activity as legitimate system processes.”
The activity is a reference to the fact that payloads are embedded in fake 404 HTML pages hosted on websites built using Google Sites. The bogus sites have since been taken down by Google.
Wiz posited that the campaign, which has been previously observed going after Apache Tomcat services with weak credentials, as well as susceptible Apache Struts and Atlassian Confluence servers using the Sysrv botnet, is part of a broader crypto-scam infrastructure, including fraudulent cryptocurrency trading platforms.
The latest campaign has also been found to target publicly-accessible PostgreSQL instances, with the attackers also abusing compromised Apache Tomcat servers to host payloads tailored for both Linux and Windows environments. Also hacked by the attackers is a legitimate Korean transportation website for malware delivery.
Once initial access is obtained, PostgreSQL’s COPY … FROM PROGRAM SQL command is exploited to run arbitrary shell commands on the host and achieve remote code execution.
“The attacker behind Soco404 appears to be conducting automated scans for exposed services, aiming to exploit any accessible entry point,” Wiz said. “Their use of a wide range of ingress tools, including Linux utilities like wget and curl, as well as Windows-native tools such as certutil and PowerShell, highlights an opportunistic strategy.”
On Linux systems, a dropper shell script is executed directly in memory to download and launch a next-stage payload, while simultaneously taking steps to terminate competing miners to maximize financial gain and limit forensic visibility by overwriting logs associated with cron and wtmp.
The payload executed in the next-stage is a binary that serves as a loader for the miner by contacting an external domain (“www.fastsoco[.]top”) that’s based on Google Sites.
The attack chain for Windows leverages the initial post-exploitation command to download and execute a Windows binary, which, like its Linux counterpart, functions akin to a loader that embeds both the miner and the WinRing0.sys driver, the latter being used to obtain NTSYSTEM privileges.
On top of that, the malware attempts to stop the Windows event log service and executes a self-deletion command to evade detection.
“Rather than relying on a single method or operating system, the attacker casts a wide net, deploying whichever tool or technique is available in the environment to deliver their payload,” the company said. “This flexible approach is characteristic of a broad, automated cryptomining campaign focused on maximizing reach and persistence across varied targets.”
The discovery of Soco404 dovetails with the emergence of a new Linux threat dubbed Koske that’s suspected to be developed with assistance from a large language model (LLM) and uses seemingly innocuous images of pandas to propagate the malware.
The attack starts with the exploitation of a misconfigured server, such as JupyterLab, to install various scripts from two JPEG images, including a C-based rootkit that’s used to hide malicious malware-related files using LD_PRELOAD and a shell script that ultimately downloads cryptocurrency miners on the infected system. Both payloads are directly executed in memory to avoid leaving traces on disk.
Koske’s end goal is to deploy CPU and GPU-optimized cryptocurrency miners that take advantage of the host’s computational resources to mine 18 distinct coins, such as Monero, Ravencoin, Zano, Nexa, and Tari, among others.
“These images are polyglot files, with malicious payloads appended to the end. Once downloaded, the malware extracts and executes the malicious segments in memory, bypassing antivirus tools,” Aqua researcher Assaf Morag said.
“This technique isn’t steganography but rather polyglot file abuse or malicious file embedding. This technique uses a valid JPG file with malicious shellcode hidden at the end. Only the last bytes are downloaded and executed, making it a sneaky form of polyglot abuse.”
