How Attackers Abused The Download Monitor WordPress Plugin To Deliver The New Capoae Malware?

Cybersecurity researchers discovered a malware campaign that abused a WordPress plugin to deliver a new malware named Capoae. Before looking at what the research has uncovered about Capoae, let's see what crypto-mining malware is.

What Is Crypto Mining Malware Or Crypto Jacking?

Explaining crypto-jacking or crypto mining is not a simple task. You must know what cryptocurrencies are and how they are mined to understand what crypto-jacking is.

In simple words, cryptocurrencies are digital currencies that work on blockchain technology. A blockchain is made up of a series of blocks. A block is constructed by solving complex mathematical puzzles, and this process of constructing a block is called mining. Solving the puzzles requires a massive amount of computing resources: thousands and thousands of computers are needed to mine a block. The first miner to mine the block is rewarded with some percentage of the cryptocurrency of the block (transaction).

Crypto miners always need computing resources to win the race. So some bad crypto miners try to compromise other machines so that they can install mining agents or malware on them and use their computing resources to win the race. This process of hijacking other people's computing resources is called crypto-jacking.

What Is The New Capoae Malware?

Capoae is a PHP malware. Its name, “Capoae”, refers to the Russian word “Сканирование”, meaning “Scanning”. It primarily targets machines that are prone to known vulnerabilities or have weak administrative credentials. Once infected, the machines are used to mine cryptocurrencies.

How Attackers Used The New Capoae Malware To Deliver The Crypto Mining Malware?

  1. The campaign begins with the infection of PHP malware through a backdoor via a WordPress plugin named download-monitor.
  2. After downloading the download-monitor plugin, the attackers install it by targeting known vulnerabilities and weak passwords.
  3. After installation, the plugin downloads a 3 MB binary file to /tmp. The binary is written in Golang and packed with UPX.
  4. That payload is built to perform port scanning to find open ports and services and brute-force attacks against target systems running SSH, and it is loaded with exploits for several well-known vulnerabilities: CVE-2020-14882, CVE-2018-20062, CVE-2019-1003029, and CVE-2019-1003030.

How To Protect From The New Capoae Malware?

Following some basic guidelines can play a vital role in protecting you from the new Capoae malware:

  1. The best protection against crypto miners is a good anti-malware solution. Most anti-malware solutions are able to detect crypto-jacking malware.
  2. Monitor the health of your devices and system resources such as CPU and GPU performance. Isolate the system from the internet and flash it if required.
  3. Block the IOCs at the network level. Block the domains/IP addresses on your firewall or Wi-Fi router.
  4. Disable unwanted ports and services.
  5. Don’t download anything from untrusted sources or any unsigned software.
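One host-side check that follows from the infection chain above, where the plugin drops a UPX-packed Golang binary into /tmp: list ELF executables under a directory and flag the ones carrying the `UPX!` marker. This is an added example, not code from the original post or the researchers; the 4096-byte search window is an assumption and the sample files in `demo()` are constructed.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # magic string UPX leaves in its pack header
HEAD_BYTES = 4096     # assumption: the marker sits shortly after the ELF headers


def classify(path):
    """Return (kind, size) with kind 'upx-elf' or 'elf', or None."""
    if os.path.islink(path) or not os.path.isfile(path):
        return None  # skip symlinks, FIFOs, sockets and directories
    try:
        with open(path, "rb") as fh:
            head = fh.read(HEAD_BYTES)
            size = os.fstat(fh.fileno()).st_size
    except OSError:
        return None  # unreadable, or removed between listing and open
    if not head.startswith(ELF_MAGIC):
        return None
    return ("upx-elf" if UPX_MARKER in head else "elf", size)


def scan(root):
    """Walk root without following symlinks; return sorted (path, kind, size)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for path in (os.path.join(dirpath, name) for name in files):
            found = classify(path)
            if found:
                hits.append((path, *found))
    return sorted(hits)


def demo():
    """Scan a scratch directory holding three constructed sample files."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "packed.bin": ELF_MAGIC + b"\x00" * 200 + UPX_MARKER + b"\x00" * 64,
            "plain.bin": ELF_MAGIC + b"\x00" * 300,
            "notes.txt": b"UPX! in a text file is not an ELF binary\n",
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), kind) for p, kind, _ in scan(tmp)]


if __name__ == "__main__":
    print(*scan("/tmp"), sep="\n")
```

The `UPX!` marker can be stripped or altered, so a plain `elf` hit in /tmp still deserves a look, especially a multi-megabyte one.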

New Capoae Malware IOCs:

SHA256SUM

IPs

  • 198.100.145.141
  • 23.238.128.118
  • 69.12.66.218
  • 207.126.93.190

Thanks for reading this threat post. Please share this post and help to secure the digital world. Please visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium, and subscribe to receive updates like this.

Original article by ItWorker. If you repost it, please credit the source: https://blog.ytso.com/270045.html
