A new malware strain has been discovered that attacks Linux systems and WordPress installations. The malware, called Capoae, is quickly becoming a popular tool among hackers and threat actors because of its cross-platform capabilities, ease of installation, and fast infection rate.
Linux and WordPress users should be aware of the indicators that could signal a Capoae malware attack.
Larry Cashdollar, Senior Security Researcher at Akamai, discovered this new malware last month. He explained how Capoae exploits known bugs and weak administrative credentials to initiate a system infection.
What is Capoae malware, and how dangerous is it?
In general, Capoae uses CVE-2020-14882, a remote code execution bug in Oracle WebLogic Server, and CVE-2018-20062, another RCE in ThinkPHP. Capoae uses these as entry points to install cryptocurrency mining software on the infected device, which puts a strain on the system’s resources.
According to Advancetec Solutions, Capoae is not a dangerous strain of malware; it is far more harmless compared to payloads like ransomware. However, they emphasize that Capoae is currently being used for cryptocurrency mining. Technically, nothing prevents hackers from using Capoae to deliver more devastating payloads, arbitrary code, or viruses.
Although no reports of dangerous Capoae infections have been made, the threat is clearly present, so users should stay alert to the Capoae indicators.
How Capoae malware attacks Linux and WordPress
ZDNet explained in detail how Capoae launches its attack against Linux and WordPress. In the experiment they describe, a Capoae sample was observed targeting an Akamai honeypot.
As mentioned earlier, Capoae first used CVE-2020-14882 and CVE-2018-20062. PHP malware was later deployed through a WordPress plugin called Download Monitor. User data and the honeypot’s slack credentials were quickly obtained through a brute-force attack.
The WordPress plugin was then used as a conduit to drop Capoae’s main payload, a 3 MB UPX-packed binary file, into /tmp. After decryption, the newly acquired XMRig miner is installed and remotely instructed to mine the cryptocurrency Monero (XMR).
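The payload described above lands in /tmp as a UPX-packed ELF binary. The following Python script, an added example that is not code from the article or from Akamai, shows one way a defender can sweep scratch directories for executables that carry the UPX header tag. The sample byte strings are constructed for the demo and are not real malware; the directory path and size limit are assumptions.

```python
"""Hunt for UPX-packed ELF executables in world-writable scratch directories.

Added example for this article, not code from the article or from Akamai.
The sample byte strings below are constructed for the demo and contain no
real malware; scanning /tmp and the 16 MiB size cap are assumptions.
"""
import os
import re
import stat

ELF_MAGIC = b"\x7fELF"
# UPX writes a literal 'UPX!' tag into the files it packs; it sits near the
# start of a packed ELF, so only the first 4 KiB needs to be inspected.
UPX_MARKER = re.compile(rb"UPX!")
HEAD_BYTES = 4096


def is_elf(data: bytes) -> bool:
    """True when the buffer starts with the ELF magic number."""
    return data[:4] == ELF_MAGIC


def is_upx_packed_elf(data: bytes) -> bool:
    """True when the buffer is an ELF image carrying the UPX tag in its head."""
    return is_elf(data) and UPX_MARKER.search(data[:HEAD_BYTES]) is not None


def scan_directory(directory: str, max_size: int = 16 * 1024 * 1024) -> list:
    """Return paths under `directory` that are regular, executable,
    ELF and UPX-packed. Unreadable files are skipped, not reported."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_size > max_size:
                continue
            if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue  # only executables are interesting here
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue
            if is_upx_packed_elf(head):
                hits.append(path)
    return hits


# Constructed samples: minimal ELF-looking headers, not runnable programs.
SAMPLE_PACKED = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"UPX!" + b"\x00" * 64
SAMPLE_PLAIN = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 80
SAMPLE_SCRIPT = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    for label, blob in [("packed", SAMPLE_PACKED), ("plain", SAMPLE_PLAIN), ("script", SAMPLE_SCRIPT)]:
        verdict = "UPX-packed ELF" if is_upx_packed_elf(blob) else "not flagged"
        print(f"{label}: {verdict}")
    for hit in scan_directory("/tmp"):
        print("suspicious:", hit)
```

The tag check is a cheap first filter, not proof of infection: legitimate software is sometimes shipped UPX-packed, and a modified packer can strip the tag. Treat a hit in /tmp as something to pull for further analysis (hash it, check which process created it, compare against package ownership) rather than as a verdict.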
In addition to the cryptocurrency miner, Capoae also installs multiple web shells, steals user data, and uploads the stolen files to the attacker’s system. Capoae is also able to scan for open ports that it could exploit for its mining operations.
According to ZDNet, Cashdollar said, “After the Capoae malware runs, it has a pretty clever means of persistence. The malware first picks a legitimate looking system path from a small list of locations on a hard drive where you would likely find system binaries.”
Cashdollar also stated that Capoae generates a random six-digit filename, uses it to copy itself to that new location on the hard drive, and then deletes the original. Once that is done, Capoae injects or updates a crontab entry that triggers execution of the newly created binary file.
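The persistence steps above leave a concrete trace: a cron entry pointing at a short, random-looking filename in a directory that normally holds only package-managed binaries. The Python script below, an added example that is not code from the article or from Akamai, parses crontab text and reports entries whose command runs a six-character alphanumeric file from a system binary directory. The directory list, the six-alphanumeric pattern and the sample crontab lines are constructed assumptions for the demo.

```python
"""Hunt crontab entries for a Capoae-style persistence artifact: a cron job
that runs a randomly named six-character file from a system binary directory.

Added example for this article, not code from the article or from Akamai.
SYSTEM_BIN_DIRS, the name pattern and SAMPLE_CRONTAB are constructed for
the demo.
"""
import re
import shlex

SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                   "/usr/local/bin", "/usr/local/sbin")
# Heuristic: exactly six alphanumerics, the shape of a random generated name.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{6}$")


def crontab_command(line: str):
    """Return the command part of a user-crontab line, or None for blank
    lines, comments, VAR=value lines and lines that do not parse."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^[A-Za-z_]+=", line):
        return None
    if line.startswith("@"):  # @reboot, @daily and similar shortcuts
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = line.split(None, 5)  # five time fields, then the command
    return parts[5] if len(parts) == 6 else None


def suspicious_binaries(command: str) -> list:
    """Return absolute paths in `command` that live in a system binary
    directory and have a six-character alphanumeric basename."""
    hits = []
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    for tok in tokens:
        if not tok.startswith("/"):
            continue
        directory, _, base = tok.rpartition("/")
        if directory in SYSTEM_BIN_DIRS and RANDOM_NAME.match(base):
            hits.append(tok)
    return hits


def hunt(crontab_text: str) -> list:
    """Return (line_number, path) pairs for entries worth a closer look."""
    findings = []
    for n, line in enumerate(crontab_text.splitlines(), 1):
        cmd = crontab_command(line)
        if cmd is None:
            continue
        for path in suspicious_binaries(cmd):
            findings.append((n, path))
    return findings


# Constructed sample crontab: two benign jobs and two that match the pattern.
SAMPLE_CRONTAB = """\
# constructed sample crontab for the demo
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/a1b2c3 > /dev/null 2>&1
@reboot /sbin/ZxQ9pT
30 1 * * 0 /home/backup/run.sh
"""

if __name__ == "__main__":
    for n, path in hunt(SAMPLE_CRONTAB):
        print(f"line {n}: suspicious cron target {path}")
```

Feed it the output of `crontab -l` for each user and the contents of /etc/crontab and /etc/cron.d (system crontabs carry an extra user field before the command, so strip that first). Six-character names are not rare among real binaries (python, docker and the like), so confirm each hit by asking the package manager who owns the file, for example `dpkg -S /path` on Debian-based systems or `rpm -qf /path` on RPM-based ones; a file in a system binary directory that no package claims is the interesting case.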
The most notable indicators of a Capoae infection are an unrecognized system process running or an unusual increase in system resource usage. Also watch for strange log entries and artifacts such as unexpected SSH keys and files.