Cybersecurity researchers discovered a malware campaign that abused a WordPress plugin to deliver a new malware, Capoae. Before we look at what the research uncovered about Capoae, let's first see what crypto-mining malware is.
Explaining crypto-jacking, or crypto-mining malware, is not a simple task: you need to know what cryptocurrencies are and how they are mined to understand what crypto-jacking is.
In simple words, cryptocurrencies are digital currencies built on blockchain technology. A blockchain is made up of a series of blocks, and a block is constructed by solving complex mathematical puzzles. Solving those puzzles takes a massive amount of computing resources, and this process of constructing a block is called mining. In practice, thousands and thousands of computers compete to mine a block, and the first miner to complete it is rewarded with some percentage of the cryptocurrency of the block (transaction).
Crypto miners are therefore always in need of computing resources to win this race. Some malicious miners compromise other people's machines and install mining agents, or malware, on them to use their computing resources in the race. This hijacking of other people's computing resources is called crypto-jacking.
Capoae is a PHP malware whose name, “Capoae”, refers to the Russian word “Сканирование”, meaning “Scanning”. The malware primarily targets machines that are exposed to known vulnerabilities or protected by weak administrative credentials. Once infected, those machines are used to mine cryptocurrencies.
The campaign begins with the infection of PHP malware through a backdoor delivered via a WordPress plugin named download-monitor.
After downloading the Download-monitor plugin, the attackers install it by targeting known vulnerabilities and weak passwords.
Once the plugin is installed, it downloads a 3 MB binary to /tmp. The binary is written in Golang and packed with UPX.
That payload performs port scanning to find open ports and services, runs brute-force attacks against target systems running SSH, and carries exploits for several well-known vulnerabilities: CVE-2020-14882, CVE-2018-20062, CVE-2019-1003029, and CVE-2019-1003030.
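Because the payload brute-forces SSH on the hosts it can reach, one of the earliest signals a defender gets is a burst of failed logins in the sshd log of a neighbouring machine. The following script is an added example written for this post, not code from the article or the malware researchers: it parses sshd "Failed password" and "Accepted" lines, counts failures and distinct usernames per source address, and flags sources that exceed a threshold. The log lines are constructed samples using documentation IP ranges, and the thresholds (5 failures, 3 usernames) are arbitrary assumptions to tune for your own environment.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines (not taken from the article). The source
# addresses are from the RFC 5737 documentation ranges, not real IoCs.
SAMPLE_AUTH_LOG = """\
Sep 20 10:00:01 web01 sshd[1201]: Failed password for root from 192.0.2.10 port 51234 ssh2
Sep 20 10:00:02 web01 sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 51235 ssh2
Sep 20 10:00:03 web01 sshd[1203]: Failed password for root from 192.0.2.10 port 51236 ssh2
Sep 20 10:00:04 web01 sshd[1204]: Failed password for invalid user test from 192.0.2.10 port 51237 ssh2
Sep 20 10:00:05 web01 sshd[1205]: Failed password for root from 192.0.2.10 port 51238 ssh2
Sep 20 10:00:06 web01 sshd[1206]: Failed password for invalid user oracle from 192.0.2.10 port 51239 ssh2
Sep 20 10:00:09 web01 sshd[1207]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Sep 20 10:00:10 web01 sshd[1208]: Failed password for deploy from 198.51.100.7 port 40001 ssh2
Sep 20 10:00:11 web01 sshd[1209]: Accepted password for deploy from 198.51.100.7 port 40002 ssh2
"""

# "invalid user" appears when the username does not exist on the host;
# the optional group absorbs it so the captured user is the name actually tried.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def summarize_ssh_auth(log_text):
    """Return per-source counters: number of failures, the set of usernames
    tried, and whether any login from that source was eventually accepted."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": False})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            entry = stats[m["ip"]]
            entry["failures"] += 1
            entry["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            stats[m["ip"]]["accepted"] = True
    return stats


def flag_brute_force(stats, max_failures=5, max_users=3):
    """Flag sources that pile up failures or spray many usernames.
    Thresholds are assumptions for this example. Returns [(ip, reason), ...]."""
    flagged = []
    for ip, entry in stats.items():
        if entry["failures"] >= max_failures:
            flagged.append((ip, f"{entry['failures']} failed logins"))
        elif len(entry["users"]) >= max_users:
            flagged.append((ip, f"{len(entry['users'])} usernames tried"))
    return flagged


if __name__ == "__main__":
    stats = summarize_ssh_auth(SAMPLE_AUTH_LOG)
    for ip, reason in flag_brute_force(stats):
        suffix = " (a later login from this source was ACCEPTED)" if stats[ip]["accepted"] else ""
        print(f"{ip}: {reason}{suffix}")
```

A source that is flagged and then shows an "Accepted" line is the case to escalate first, since it means the brute force may have succeeded; a single failure from an address that otherwise authenticates with a key (198.51.100.7 in the sample) stays below both thresholds and is not reported.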
Follow these basic guidelines, which can play a vital role in protecting you from the new Capoae malware:
The best protection against crypto miners is a good anti-malware solution. Most anti-malware solutions are able to detect crypto-jacking malware.
Monitor the health of your devices and system resources such as CPU and GPU utilization. If a system is affected, isolate it from the internet and re-image (flash) it if required.
Block the IoCs at the network level: block the listed domains/IP addresses on your firewall or Wi-Fi router.
Disable unwanted ports and services.
Don't download anything from untrusted sources, and don't install unsigned software.
Indicators of compromise (SHA-256 hashes):
7d1e2685b0971497d75cbc4d4dac7dc104e83b20c2df8615cf5b008dd37caee0 - Capoae (UPX packed)
fd8f419f0217be0037ba7ae29baf4c3a08c8f2751b0b1be847b75bd58d6e153f - Capoae (UPX unpacked)
5a791205bc08396bc413641ea6e5d9fd5ef3f86caf029f51d4da65be700a2b1e - ProductList-n3RkIo.php
f37cc420165fb809eb34fbf9c8bf13236a0cc35dee210db5883107a08a70f66d - class-wp-page-n3RkIo.php
53521fab245023c56cf5562bd562d6ba98445a052155eb2e40c4a13a9343e6eb - regexes.php
9ed14f470c95759cc0dca86fd913714b6733af8c0aaa35e3a7ad6604455e2230 - sys.i686 (UPX packed)
af7c5617a89c40aac9eb2e573a37a2d496a5bcaa9f702fa919f86485e857cb74 - sys.x86_64 (UPX packed)
7eb444671ab338eccadf81d43166661ccb4b1e487836ab41e2245db61dceed31 - ldr.sh
Indicators of compromise (IP addresses):
198.100.145.141
23.238.128.118
69.12.66.218
207.126.93.190
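The guidelines above ask you to block the IoCs and watch for signs of infection, and the hashes and addresses listed are exactly what a sweep needs. The script below is an added example written for this post (not the researchers' tooling): it hashes every regular file under a directory such as /tmp and compares the digests against the article's SHA-256 list, and it scans firewall or proxy log lines for the article's IP addresses. The firewall log lines are constructed samples, the `demo_sweep` function registers a throwaway file's hash as a pretend IoC purely to show the mechanism, and the log format is an assumed iptables-style layout; adapt the regex to your own logs.

```python
import hashlib
import os
import re
import tempfile

# SHA-256 hashes and IP addresses copied from the article's IoC list.
CAPOAE_SHA256 = {
    "7d1e2685b0971497d75cbc4d4dac7dc104e83b20c2df8615cf5b008dd37caee0": "Capoae UPX packed",
    "fd8f419f0217be0037ba7ae29baf4c3a08c8f2751b0b1be847b75bd58d6e153f": "Capoae UPX unpacked",
    "5a791205bc08396bc413641ea6e5d9fd5ef3f86caf029f51d4da65be700a2b1e": "ProductList-n3RkIo.php",
    "f37cc420165fb809eb34fbf9c8bf13236a0cc35dee210db5883107a08a70f66d": "class-wp-page-n3RkIo.php",
    "53521fab245023c56cf5562bd562d6ba98445a052155eb2e40c4a13a9343e6eb": "regexes.php",
    "9ed14f470c95759cc0dca86fd913714b6733af8c0aaa35e3a7ad6604455e2230": "sys.i686 UPX packed",
    "af7c5617a89c40aac9eb2e573a37a2d496a5bcaa9f702fa919f86485e857cb74": "sys.x86_64 UPX packed",
    "7eb444671ab338eccadf81d43166661ccb4b1e487836ab41e2245db61dceed31": "ldr.sh",
}
CAPOAE_IPS = {"198.100.145.141", "23.238.128.118", "69.12.66.218", "207.126.93.190"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries do not land in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_directory(root, iocs=CAPOAE_SHA256):
    """Walk `root`, hash each regular file, and return [(path, label)] for hash matches.
    Symlinks are skipped so a planted link cannot point the sweep elsewhere."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: not a match, keep sweeping
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def find_ioc_connections(log_lines, iocs=CAPOAE_IPS):
    """Return [(line_number, ip)] for every log line that mentions a listed address."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        for ip in IP_RE.findall(line):
            if ip in iocs:
                hits.append((number, ip))
    return hits


# Constructed firewall log lines (assumed iptables-style layout, not from the article).
# The first and third lines carry addresses from the IoC list; the second does not.
SAMPLE_FW_LOG = [
    "2021-09-20T10:01:02Z fw01 kernel: OUT=eth0 SRC=10.0.0.5 DST=198.100.145.141 PROTO=TCP DPT=80",
    "2021-09-20T10:01:05Z fw01 kernel: OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 PROTO=TCP DPT=443",
    "2021-09-20T10:01:09Z fw01 kernel: IN=eth0 SRC=69.12.66.218 DST=10.0.0.5 PROTO=TCP DPT=22",
]


def demo_sweep():
    """Self-contained demonstration of the file sweep: write a harmless constructed
    file, register its own hash as a pretend IoC, and confirm the sweep reports it."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sys.x86_64")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample file, not malware\n")
        pretend_iocs = {sha256_file(sample): "constructed test sample"}
        return sweep_directory(tmp, pretend_iocs)


if __name__ == "__main__":
    for path, label in sweep_directory("/tmp"):
        print(f"IoC hash match: {path} ({label})")
    for number, ip in find_ioc_connections(SAMPLE_FW_LOG):
        print(f"IoC address on sample log line {number}: {ip}")
    print("demo sweep:", demo_sweep())
```

Run it as root (or a user that can read /tmp) on the suspected host; a hash match on one of the dropped files is strong confirmation, while a log hit only shows that something on the network talked to a listed address and still needs the host-side check. Re-hashing after a UPX unpack is pointless here because the article already lists both the packed and unpacked digests.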
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.