Cybersecurity researchers discovered a malware campaign that abused a WordPress plugin to deliver a new malware called Capoae. Before looking at what the research has uncovered about Capoae, let's see what crypto-mining malware is.
What Is Crypto Mining Malware Or Crypto Jacking?
Explaining crypto-jacking, or crypto-mining malware, is not a simple task. To understand what crypto-jacking is, you must first know what cryptocurrencies are and how they are mined.
In simple words, cryptocurrencies are digital currencies that work on blockchain technology. A blockchain is made up of a series of blocks. A block is constructed by solving complex mathematical puzzles, and a massive amount of computing resources is required to solve them. This process of constructing a block is called mining. In practice, thousands and thousands of computers are needed to mine a block. The first miner to mine the block is rewarded with some percentage of the cryptocurrency of the block (transaction).
Crypto miners are always in need of computing resources to win the race. So some malicious miners compromise other people's machines and illicitly install mining agents or malware on them, using those machines' computing resources to win the race. This process of hijacking other people's computing resources is called crypto-jacking.
What Is The New Capoae Malware?
Capoae is a PHP malware whose name refers to the Russian word “Сканирование”, meaning “Scanning”. The malware primarily targets machines that are exposed to known vulnerabilities or protected by weak administrative credentials. Once infected, they are used to mine cryptocurrencies.
How Did Attackers Use The New Capoae Malware To Deliver The Crypto Mining Malware?
- The campaign begins with PHP malware arriving through a backdoor, via a WordPress plugin named download-monitor.
- After downloading the download-monitor plugin, the attackers install it by targeting known vulnerabilities and weak passwords.
- After installation, the plugin downloads a 3 MB binary file to /tmp. The binary is written in Golang and packed with UPX.
- The payload is built to port-scan for open ports and services and to run brute-force attacks against target systems running SSH, and it carries exploits for several well-known vulnerabilities: CVE-2020-14882, CVE-2018-20062, CVE-2019-1003029, and CVE-2019-1003030.
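A defender-side check for the payload described above, as an added example that is not part of the original post or the researchers' tooling: it walks a directory such as /tmp, lists regular files that begin with the ELF magic, and flags those that carry the `UPX!` marker. The function names and the sample files are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # magic that an unmodified UPX stub leaves in the packed file

def inspect_file(path, max_read=16 * 1024 * 1024):
    """Return a finding for a regular file that starts with the ELF magic, else None."""
    try:
        st = os.lstat(path)              # lstat: skip symlinks instead of following them
        if not stat.S_ISREG(st.st_mode):
            return None
        with open(path, "rb") as fh:
            data = fh.read(max_read)     # bounded read; the payload on this page is about 3 MB
    except OSError:
        return None                      # unreadable, or removed while scanning
    if not data.startswith(ELF_MAGIC):
        return None
    return {
        "path": path,
        "size": st.st_size,
        "executable": bool(st.st_mode & 0o111),
        "upx_packed": UPX_MARKER in data,
    }

def scan_dir(root):
    """Walk root and list ELF files, UPX-packed ones first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = inspect_file(os.path.join(dirpath, name))
            if hit:
                findings.append(hit)
    return sorted(findings, key=lambda f: (not f["upx_packed"], f["path"]))

def build_demo_dir():
    """Constructed sample files (fake ELF headers, not real binaries)."""
    root = tempfile.mkdtemp(prefix="tmpscan-demo-")
    samples = {
        "packed.bin": ELF_MAGIC + b"\x00" * 64 + UPX_MARKER + b"\x00" * 32,
        "plain.bin": ELF_MAGIC + b"\x00" * 96,
        "notes.txt": b"UPX! appears here, but this is not an ELF file\n",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, "packed.bin"), 0o755)
    return root

if __name__ == "__main__":
    for finding in scan_dir(build_demo_dir()):
        print(finding)
```

On a real host, call `scan_dir("/tmp")` instead of the demo directory. The `UPX!` marker can be stripped from a packed file, so any executable ELF in /tmp on a web server deserves a look even when `upx_packed` is false.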
How To Protect From The New Capoae Malware?
Following a few basic guidelines can play a vital role in protecting you from the new Capoae malware:
- The best protection against crypto miners is a good anti-malware solution. Most anti-malware solutions are able to detect crypto-jacking malware.
- Monitor the health of your devices and system resources such as CPU and GPU performance. Isolate the system from the internet and flash it if required.
- Block the IOCs at the network level. Block the domains/IP addresses on your firewall or Wi-Fi router.
- Disable unwanted ports and services.
- Don’t download anything from untrusted sources, and avoid unsigned software.
New Capoae Malware IOCs: