New cryptocurrency malware goes to great lengths to target WordPress servers


A new strain of cryptomining malware has been spotted in cyberattacks against WordPress installations.

Cybersecurity researchers at Akamai say the malware, dubbed Capoae, is written in the Go programming language, which has become popular with threat actors because it makes it easy to write reusable cross-platform code that runs across Windows 10, Linux, macOS and Android.

Veteran vulnerability researcher Larry Cashdollar has shared details about Capoae, which is particularly interesting since it makes use of multiple vulnerabilities to gain a foothold in WordPress installations, and discreetly repurposes them to mine cryptocurrencies using the popular XMRig mining software.


“Crypto Mining campaigns are continuing to evolve. The Capoae campaign’s use of multiple vulnerabilities and tactics highlights just how intent these operators are on getting a foothold on as many machines as possible,” notes Cashdollar.

New tactics

Cashdollar caught hold of Capoae using a honeypot to lure the PHP malware. The malware made its way into the server by brute-forcing weak WordPress admin credentials and then installing a tainted WordPress plugin named download-monitor, which had a backdoor.

After reviewing the honeypot access logs, and the malware itself, the researcher was able to unravel its mode of attack.

His analysis revealed that Capoae exploited at least four different remote code execution (RCE) vulnerabilities: one in Oracle WebLogic Server, another in ThinkPHP, and a couple in Jenkins.

Following the discovery of the new malware, Cashdollar asks all WordPress admins to look for high system resource use in their servers, unrecognizable system processes, and dubious log entries or artifacts, such as suspicious files and SSH keys, which are some of the common signs of intrusions. 
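As an added illustration of reviewing access logs for the pattern described above (repeated failed admin logins followed by a plugin install), the Python sketch below is not from Akamai's write-up or from the original article. It assumes a stock WordPress site (a failed login returns 200, a successful one redirects with 302, and plugin uploads go to `/wp-admin/update.php?action=upload-plugin`), the common "combined" log format, a hypothetical threshold of five failures, and constructed sample log lines.

```python
import re
from collections import defaultdict

def _line(ip, sec, path, status):
    # Build one constructed "combined"-format access log line.
    return (f'{ip} - - [20/Sep/2021:10:00:{sec:02d} +0000] '
            f'"POST {path} HTTP/1.1" {status} 4210 "-" "-"')

UPLOAD = "/wp-admin/update.php?action=upload-plugin"

# Constructed sample: one brute-forcing client, one admin who mistyped once.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "/wp-login.php", 200) for s in range(6)]
    + [_line("203.0.113.7", 6, "/wp-login.php", 302),
       _line("203.0.113.7", 7, UPLOAD, 200),
       _line("198.51.100.20", 8, "/wp-login.php", 200),
       _line("198.51.100.20", 9, "/wp-login.php", 302),
       _line("198.51.100.20", 10, UPLOAD, 200)]
)

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_bruteforce_then_plugin_upload(log_text, min_failures=5):
    """Return IPs that uploaded a plugin after >= min_failures failed
    logins followed by a successful one (in order of first upload)."""
    failures = defaultdict(int)   # failed login count per client IP
    logged_in = set()             # IPs whose login succeeded after many failures
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        ip, path, status = m["ip"], m["path"], m["status"]
        if path.startswith("/wp-login.php"):
            if status == "200":       # login form re-rendered: failed attempt
                failures[ip] += 1
            elif status == "302" and failures[ip] >= min_failures:
                logged_in.add(ip)     # success after a run of failures
        elif path.startswith("/wp-admin/update.php") and "action=upload-plugin" in path:
            if ip in logged_in and ip not in flagged:
                flagged.append(ip)
    return flagged

if __name__ == "__main__":
    print(find_bruteforce_then_plugin_upload(SAMPLE_LOG))
```

Any flagged address is a starting point for the checks listed above: review the plugins installed in that time window, running processes, and SSH keys on the host.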

“The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here. Don’t use weak or default credentials for servers or deployed applications. Ensure you’re keeping those deployed applications up to date with the latest security patches and check in on them from time to time,” concludes Cashdollar.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.