Capoae, a new malware, has been discovered in cyberattacks targeting WordPress and Linux systems.
The Capoae Trojan is written in the Golang programming language. According to Larry Cashdollar, senior security researcher at Akamai, threat actors utilise the virus mostly because of its cross-platform capabilities, and it spreads via known flaws and weak administrative credentials. CVE-2020-14882, a remote code execution (RCE) vulnerability in Oracle WebLogic Server, and CVE-2018-20062, another RCE flaw in ThinkPHP, are among the vulnerabilities exploited by Capoae.
The malware was discovered after a sample was sent to an Akamai honeypot. A PHP malware sample was sent via a backdoor tied to the Download-monitor WordPress plugin, which was deployed after the honeypot’s lax credentials were stolen via a brute-force attack. This plugin was then used to send the primary Capoae payload, a 3MB UPX compressed binary, to /tmp, where it was decoded. After that, XMRig is installed to mine for the Monero (XMR) cryptocurrency.
In addition to the cryptocurrency miner, numerous web shells are installed, one of which is capable of uploading files stolen from the infected system. A port scanner is included with the miner to help locate open ports that can be exploited further. The malware analyses a legitimate-looking system path from a small list of locations on a disc where system binaries are likely to be found, according to Cashdollar. It then produces a six-character filename at random and uses these two bits to replicate itself to a new position on the disc before deleting itself. After that, it injects/updates a Crontab entry that will cause the newly produced binary to be executed.
Capoae will attempt to propagate by brute-forcing WordPress installations and may also use CVE-2019-1003029 and CVE-2019-1003030, both of which are RCE weaknesses affecting Jenkins that have been linked to infections on Linux servers.
High system resource usage, unexpected or unidentifiable system processes in operation, and weird log entries or artifacts, such as files and SSH keys, are all symptoms of infection. Cashdollar advises against using weak or default credentials on servers or deployed applications. He advises that deployed applications be kept up to current with the newest security updates and that they be checked in on a regular basis.
You might also like: