Akamai team had come across a new crypto mining malware campaign targeting Linux systems and web applications by exploiting multiple vulnerabilities and weak credentials configured at the victim machine. The malware dubbed “Capoae” which is written in GO-language with UPX packing seems to be mining cryptocurrency on victim machine once after infecting the system.

Around the same time the news was spreading about these crypto mining malware attacks, SIRT honeypots were infected with PHP malware that arrived via a backdoored addition to a WordPress plugin named download-monitor. Download-monitor had been installed after the honeypot’s weak WordPress admin credentials had been guessed. A 3MB UPX packed Golang binary was also downloaded to /tmp.  Upon examination, it was clear the malware had some decryption functionality and an encrypted file stored in another directory. ” reads the blogpost.

Fig. 10) Packet capture of modification to footer.php

On additional analysis of honeypot access logs, the malware seems to be making a request with obfuscated payload with GET parameter . CyberWorkx news readers can see below that the “dw” argument from below URL is encoded with rot13() and base64 technique.

On decoding the same the value gets transformed into url like below:

To increase the chances of infection, Go-language malware has also seen exploiting multiple remote code execution vulnerabilities on applications like Oracle WebLogic Server (CVE-2020-14882), NoneCms (CVE-2018-20062), and Jenkins (CVE-2019-1003029 and CVE-2019-1003030)  along with bruteforcing techniques on SSH protocol for breaking into the systems for the installation of XMRig crypto currency mining software.

After the Capoae malware is executed, it has a pretty clever means of persistence. The malware first chooses a legitimate-looking system path from a small list of locations on a disk where you’d likely find system binaries. It then generates a random six-character filename, and uses these two pieces to copy itself into the new location on the disk and deletes itself.”

“Once this is done, it injects/updates a Crontab entry that will trigger the execution of this newly created binary.  When that detonation occurs, this entire process occurs again.  This ensures killing the infection is a bit like playing a game of whack-a-mole, with a constantly moving infection/payload. ” reads the blogpost.

Indicators of Compromise


  • 7d1e2685b0971497d75cbc4d4dac7dc104e83b20c2df8615cf5b008dd37caee0 Capoae UPX Packed
  • fd8f419f0217be0037ba7ae29baf4c3a08c8f2751b0b1be847b75bd58d6e153f Capoae UPX Unpacked
  • 5a791205bc08396bc413641ea6e5d9fd5ef3f86caf029f51d4da65be700a2b1e ProductList-n3RkIo.php
  • f37cc420165fb809eb34fbf9c8bf13236a0cc35dee210db5883107a08a70f66d class-wp-page-n3RkIo.php
  • 53521fab245023c56cf5562bd562d6ba98445a052155eb2e40c4a13a9343e6eb regexes.php
  • 9ed14f470c95759cc0dca86fd913714b6733af8c0aaa35e3a7ad6604455e2230 sys.i686 UPX Packed
  • af7c5617a89c40aac9eb2e573a37a2d496a5bcaa9f702fa919f86485e857cb74 sys.x86_64 UPX Packed
  • 7eb444671ab338eccadf81d43166661ccb4b1e487836ab41e2245db61dceed31 ldr.sh



Source: Akamai

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s