A bizarre new Linux malware can be found hiding in cute animal photos

News
By published

That cute panda pic? It's actually a cryptominer

Bitcoin
  • Hackers seen targeting misconfigured JuypterLab instances
  • They host malware in polyglot files on image sharing sites
  • The Koske malware mines different crypto tokens

Security researchers recently discovered a new Linux malware hiding in pictures of cute animals.

Cybersecurity experts from AquaSec recently found a piece of malware called Koske circulating around the web. It relies on polyglot files - documents that can be read and processed differently, depending on the type of program running them.

The threat actors were apparently targeting JupyterLab instances exposed to the internet, and misconfigured in a way that allows remote command execution. After finding and accessing such endpoints, the attackers would pull .JPEG files from legitimate image hosting services such as OVH images, freeimage, or postimage. The pictures were of AI-generated panda bears, innocuous at first sight.

Serbian hackers?

Through a script interpreter, the images are turned into a CPU and GPU-optimized cryptocurrency miners, using the server’s resources to generate more than 18 types of crypto tokens.

Cryptocurrency “mining” is essentially a process of supporting a blockchain network. In exchange for lending electricity, internet, and computing power to support the grid, users are given cryptocurrency tokens whose value depends on different things such as the number of users, the number of tokens in circulation, and the cost of mining.

Mining crypto this way generates relatively little profit for the attackers, some researchers said, while raking up huge costs for the victims - cloud compute power and electricity are often quite expensive.

AquaSec could not attribute the malware to a specific group definitively, but it did say that it found Serbia-based IP addresses used in the attacks, Serbian phrases in the scripts, and Slovak language in the GitHub repository hosting the miners.

In that context, the name of the malware would make some sense, since the word “Koske” in colloquial or dialectal form means “bones”.

The researchers believe that besides the image, the malware itself was written with the help of large language models (LLM) or automation frameworks.

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.