New cryptocurrency malware goes to great lengths to target WordPress servers
Malware uses a mining pool hosted on a Russian VPS company, researchers note
A new strain of cryptomining malware has been spotted in cyberattacks against WordPress installations.
Cybersecurity researchers at Akamai say the malware, dubbed Capoae, is written in the Go programming language, which has become popular with threat actors due to its ability to write easily reusable cross-platform code that runs across Windows 10, Linux, macOS and Android.
Veteran vulnerability researcher Larry Cashdollar has shared details about Capoae, which is particularly interesting since it makes use of multiple vulnerabilities to gain a foothold in WordPress installations, and repurpose them discreetly to mine cryptocurrencies using the popular XMRig mining software.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
- These are the best endpoint protection tools
- Here's our choice of the best malware removal software on the market
- Check our list of the best firewall apps and services
“Crypto Mining campaigns are continuing to evolve. The Capoae campaign’s use of multiple vulnerabilities and tactics highlights just how intent these operators are on getting a foothold on as many machines as possible,” notes Cashdollar.
New tactics
Cashdollar caught hold of Capoae using a honeypot to lure the PHP malware. The malware made its way into the server by bruteforcing the weak WordPress admin credentials to install a tainted WordPress plugin named download-monitor, which had a backdoor.
After reviewing the honeypot access logs, and the malware itself, the researcher was able to unravel its mode of attack.
His analysis revealed that Capoae exploited at least four different remote code execution (RCE) vulnerabilities, one on Oracle WebLogic Server, another in ThinkPHP, and a couple in Jenkins.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Following the discovery of the new malware, Cashdollar asks all WordPress admins to look for high system resource use in their servers, unrecognizable system processes, and dubious log entries or artifacts, such as suspicious files and SSH keys, which are some of the common signs of intrusions.
“The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here. Don’t use weak or default credentials for servers or deployed applications. Ensure you’re keeping those deployed applications up to date with the latest security patches and check in on them from time to time,” concludes Cashdollar.
- Protect your devices with these best antivirus software
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.