New Go malware Capoae targets WordPress installs, Linux systems

A new strain of malware, written in Go, has been spotted in cyberattacks launched against WordPress and Linux systems. 

On Thursday, Larry Cashdollar, senior security researcher at Akamai said the malware, dubbed Capoae, is written in the Golang programming language -- fast becoming a firm favorite with threat actors due to its cross-platform capabilities -- and spreads through known bugs and weak administrative credentials. 

Vulnerabilities exploited by Capoae include CVE-2020-14882, a remote code execution (RCE) flaw in Oracle WebLogic Server, and CVE-2018-20062, another RCE in ThinkPHP.

The malware was spotted after a sample targeted an Akamai honeypot. A PHP malware sample arrived through a backdoor linked to a WordPress plugin called Download-monitor, installed after the honeypot's lax credentials had been obtained through a brute-force attack.

This plugin was then used as a conduit to deploy the main Capoae payload to /tmp, a 3MB UPX packed binary, which was then decoded. XMRig is then installed in order to mine for the Monero (XMR) cryptocurrency.

Alongside the cryptocurrency miner, several web shells are also installed, one of which is able to upload files stolen from the compromised system. In addition, a port scanner has been bundled with the miner to find open ports for further exploitation. 

"After the Capoae malware is executed, it has a pretty clever means of persistence," Cashdollar says. "The malware first chooses a legitimate-looking system path from a small list of locations on a disk where you'd likely find system binaries. It then generates a random six-character filename, and uses these two pieces to copy itself into the new location on the disk and deletes itself. Once this is done, it injects/updates a Crontab entry that will trigger the execution of this newly created binary."

Capoae will attempt to brute-force attack WordPress installations to spread and may also utilize CVE-2019-1003029 and CVE-2019-1003030, both of which are RCE flaws impacting Jenkins, and infections have been traced to Linux servers. 

Cashdollar said that the Capoae campaign highlights "just how intent these operators are on getting a foothold on as many machines as possible."

Major signs of infection include high system resource use, unexpected or unrecognizable system processes in operation, and strange log entries or artifacts, such as files and SSH keys.

"The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here," Cashdollar commented. "Don't use weak or default credentials for servers or deployed applications. Ensure you're keeping those deployed applications up to date with the latest security patches and check in on them from time to time."

In a second blog post, Akamai has also examined the evolution of Kinsing, malware that utilizes known vulnerabilities in unpatched systems to operate and spread a cryptocurrency mining botnet. 

According to researcher Evyatar Saias, Kinsing was first spotted in February by Akamai and, at first, only targeted Linux. However, a recent upgrade has allowed the botnet to also strike Windows systems across the Americas, Asia, and Europe.

Previous and related coverage

• 170 Android cryptocurrency mining scam apps steal $350 000 from users
  
• Thousands of PS4s seized in Ukraine in illegal cryptocurrency mining sting
  
• Does cybercrime impact cryptocurrency prices? Researchers find out
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0