Table of Contents
  • Home
  • /
  • Blog
  • /
  • How Attackers Abused Download Monitor Word Press Plugin To Deliver The New Capoae Malware?
September 22, 2021

How Attackers Abused Download Monitor Word Press Plugin To Deliver The New Capoae Malware?

How Attackers Abused Download Monitor Word Press Plugin To Deliver The New Capoae Malware

Cyber security researchers discovered a malware campaign that abused a word press plugin to deliver a new Capoae malware. Let’s see things research has uncovered about the new Capoae malware before we jump right on to it. Let’s see what crypto-mining malware is.

What Is Crypto Mining Malware Or Crypto Jacking?

Giving explanations on crypto-jacking or crypto mining is not that simple task. You must know what cryptocurrencies are and how cryptocurrencies are mined to understand what crypto-jacking is.

In simple words, cryptocurrencies are digital currencies that work on blockchain technology. Blockchains are made up of series of blocks. A block is constructed by solving complex mathematical puzzles. A massive amount of computing resources are required to solve puzzles. This process of constructing a block is called mining. Practically, a massive amount of computing resources are required to mine blockchains. Thousands and thousands of computers are needed to mine a block. The first who mine the block will be rewarded with some percentage of the cryptocurrency of the block (transaction).

Crypto miners are always in need of computing resources to win the race. So some bad crypto miners try to compromise other machines so that they can allegedly install the mining agents or malware on other computers to utilize their computing resources to win the race. This process of hijacking other computing resources is called crypto-jacking.

What Is The New Capoae Malware?

Capoae Malware is a PHP malware named “Capoae” referring to a Russian word “Сканирование” meaning “Scanning”. The malware’s primary target machines are prone to the known vulnerabilities and weak administrative credentials. Once they’ve been infected, they are used to mine cryptocurrencies.

How Attackers Used The New Capoae Malware To Deliver The Crypto Mining Malware?

  1. The campaign begins with the infection of PHP malware through a backdoor via a word press plugin named download-monitor.

  2. Upon downloading the Download-monitor plugin, attackers install the plugin by targeting the known vulnerabilities and weak passwords.

  3. After the installation of the plugin, it downloads a 3 MB binary file to /tmp, which is written in Golang and packed in UPX packers.

  4. That payload is developed to perform port scanning to find open ports and services, brute force attacks on the target systems running SSH, and loaded with exploits of several well-known vulnerabilities: CVE-2020-14882CVE-2018-20062CVE-2019-1003029, and CVE-2019-1003030.

How To Protect From The New Capoae Malware?

Follow some of the basic guidelines which could play a vital role in protecting you from the new Capoae malware:

  1. The best protection against crypto miners is using a good anti-malware solution. Most of the anti-malware solutions are able to detect crypto-jacking malware.

  2. Monitor the health of your devices and system resources like CPU and GPU performances. Isolate the system from the internet and flash it if required.

  3. Block the IOCs at the network level. Block the domains/IP addresses on your firewall or Wi-Fi router.

  4. Disable the unwanted port and services.

  5. Don’tDon’t download anything from untrusted sources and unsigned software.

New Capoae Malware IOCs:







Thanks for reading this threat post. Please share this post and help to secure the digital world. Please visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription