Skip to main content

New cryptocurrency malware goes to great lengths to target WordPress servers

Crypto mining
(Image credit: Shutterstock / Yevhen Vitte)

A new strain of cryptomining malware has been spotted in cyberattacks against WordPress installations. 

Cybersecurity researchers at Akamai say the malware, dubbed Capoae, is written in the Go programming language, which has become popular with threat actors due to its ability to write easily reusable cross-platform code that runs across Windows 10, Linux, macOS and Android

Veteran vulnerability researcher Larry Cashdollar has shared details about Capoae, which is particularly interesting since it makes use of multiple vulnerabilities to gain a foothold in WordPress installations, and repurpose them discreetly to mine cryptocurrencies using the popular XMRig mining software.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

“Crypto Mining campaigns are continuing to evolve. The Capoae campaign’s use of multiple vulnerabilities and tactics highlights just how intent these operators are on getting a foothold on as many machines as possible,” notes Cashdollar.

New tactics

Cashdollar caught hold of Capoae using a honeypot to lure the PHP malware. The malware made its way into the server by bruteforcing the weak WordPress admin credentials to install a tainted WordPress plugin named download-monitor, which had a backdoor.

After reviewing the honeypot access logs, and the malware itself, the researcher was able to unravel its mode of attack.

His analysis revealed that Capoae exploited at least four different remote code execution (RCE) vulnerabilities, one on Oracle WebLogic Server, another in ThinkPHP, and a couple in Jenkins.

Following the discovery of the new malware, Cashdollar asks all WordPress admins to look for high system resource use in their servers, unrecognizable system processes, and dubious log entries or artifacts, such as suspicious files and SSH keys, which are some of the common signs of intrusions. 

“The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here. Don’t use weak or default credentials for servers or deployed applications. Ensure you’re keeping those deployed applications up to date with the latest security patches and check in on them from time to time,” concludes Cashdollar.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.