Cryptomining software has already gained notoriety as the most common malicious software around the globe. It affects systems ranging from IoT devices to desktop computers to server farms, and three of the most active threats today are cryptojacking malware. Adding to this growing list is a similar but far more harmful piece of malware. The newly detected threat is able to disable cloud security software in order to avoid detection and continue its illicit mining for cryptocurrency without being discovered.
Not surprisingly, the threat belongs to the family of Monero cryptomining malware and is related to Xbash. Monero remains the hackers’ favorite cryptocurrency mainly because it is private, so they do not need to worry about companies or law enforcement tracking what they do with the Monero after they mine it.
The threat was detected by Unit 42, the research division of the security company Palo Alto Networks. The unit’s researchers say this is perhaps the first time they have witnessed a technique of this kind, and they have published a detailed account of the campaign’s technical capabilities.
This new threat has been reported to target public cloud infrastructure running on Linux servers. The malware usually gets onto a system by exploiting vulnerabilities in Adobe ColdFusion, Apache Struts 2 and Oracle WebLogic. It does not exhibit any obviously malicious behavior while breaking in. Once the attackers gain administrative control over a host, they uninstall or disable its security functions just as a legitimate system administrator would. Shutting down the cloud security services lets the malware continue mining for cryptocurrency without ever being detected.
Not all security software is targeted, though. This threat seeks out only a few specific cloud security products: the five products reported as targets include those of the Chinese firms Tencent and Alibaba.
‘Defeating cryptocurrency miners being delivered via malware proves to be a difficult task, as many malware authors will limit the CPU utilization, or ensure that mining operations only take place during specific times of the day or when the user is inactive. Additionally, the malware itself is delivered via a large number of methods, requiring defenders to have an in-depth approach to security,’ Josh Grunzweig of Palo Alto Networks said earlier.
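The two behaviours described above, an administrator-style removal of the security agent and mining throttled so that it never produces an obvious CPU spike, are both things a defender can look for in ordinary host telemetry. The script below is an added example written for this article; it is not code from Unit 42 or from the malware campaign. It assumes two constructed inputs: a few sudo audit lines in syslog style, and periodic per-process CPU samples. The service names `cloud-agent-placeholder` and `hids-agent-placeholder` are placeholders for whatever agents a given deployment expects to keep running; the process names and values are constructed sample data.

```python
"""
Added example (not from the article, Unit 42 or the malware authors).
Flags two behaviours from the campaign described above:
  1. a privileged account stopping, disabling or removing a security agent,
     the way a legitimate system administrator would;
  2. a long-lived process sitting on a flat, moderate CPU load, which is what
     a miner that "limits the CPU utilization" looks like over time.
Every input below is constructed sample data; agent names are placeholders.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Placeholder names for the cloud security agents this host must keep running.
PROTECTED_SERVICES = {"cloud-agent-placeholder", "hids-agent-placeholder"}

# Commands an administrator (or an attacker posing as one) uses to silence an
# agent: service stop/disable/mask, package removal, or killing the process.
STOP_RE = re.compile(
    r"\b(systemctl\s+(stop|disable|mask)|service\s+\S+\s+stop|"
    r"(yum|apt(-get)?|dnf)\s+(remove|purge|erase)|pkill|kill)\b"
)


@dataclass
class Alert:
    kind: str
    detail: str


def find_agent_tampering(log_lines):
    """Return one alert per audited command that stops/removes a protected agent."""
    alerts = []
    for line in log_lines:
        if not STOP_RE.search(line):
            continue
        if any(svc in line for svc in PROTECTED_SERVICES):
            alerts.append(Alert("agent_tampering", line.strip()))
    return alerts


def find_throttled_miners(samples, min_samples=6, low=20.0, high=60.0, max_jitter=10.0):
    """
    samples: (timestamp, pid, comm, cpu_percent) tuples taken at fixed intervals.
    A process is flagged when every sample stays inside a moderate band
    [low, high] and the spread never exceeds max_jitter: a throttled miner is
    a flat line, while real workloads wander between idle and busy.
    """
    by_pid = defaultdict(list)
    names = {}
    for _ts, pid, comm, cpu in samples:
        by_pid[pid].append(cpu)
        names[pid] = comm
    alerts = []
    for pid, cpus in by_pid.items():
        if len(cpus) < min_samples:
            continue  # not enough history to call it steady
        if all(low <= c <= high for c in cpus) and max(cpus) - min(cpus) <= max_jitter:
            alerts.append(Alert("throttled_cpu", f"pid={pid} comm={names[pid]} cpu={cpus}"))
    return alerts


# Constructed sudo audit lines (syslog style); the third is benign admin work.
SAMPLE_AUDIT = [
    "Jan 15 03:12:01 web01 sudo: root : COMMAND=/bin/systemctl stop cloud-agent-placeholder",
    "Jan 15 03:12:03 web01 sudo: root : COMMAND=/usr/bin/yum remove -y hids-agent-placeholder",
    "Jan 15 03:15:40 web01 sudo: deploy : COMMAND=/bin/systemctl restart nginx",
]

# Constructed CPU samples, one per minute: pid 4242 is flat at ~49%, pid 1337 is
# a bursty application server, pid 900 has too little history to judge.
SAMPLE_CPU = (
    [(t, 4242, "unknown-bin", c) for t, c in enumerate([48.0, 49.5, 47.8, 50.1, 48.9, 49.2])]
    + [(t, 1337, "java", c) for t, c in enumerate([5.0, 70.0, 33.0, 12.0, 88.0, 41.0])]
    + [(t, 900, "cron", c) for t, c in enumerate([30.0, 31.0, 30.5])]
)


def triage(log_lines, samples):
    """Run both detections and return the alerts grouped by kind."""
    alerts = find_agent_tampering(log_lines) + find_throttled_miners(samples)
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a.kind].append(a.detail)
    return dict(grouped)


if __name__ == "__main__":
    for kind, details in triage(SAMPLE_AUDIT, SAMPLE_CPU).items():
        print(kind)
        for d in details:
            print("  ", d)
```

The steady-band heuristic deliberately ignores the usual "CPU over 90%" rule, because the quoted researcher's point is that this malware avoids tripping it; the tampering check, in turn, treats a stopped or removed agent as an event worth paging on regardless of which account did it, since the campaign performs the removal with legitimate administrative privileges.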