Cybersecurity researchers have discovered a new campaign that exploits a known security flaw in Apache HTTP Server to deliver a cryptocurrency miner called Linuxsys.
The vulnerability in question is CVE-2021-41773 (CVSS score: 7.5), a high-severity path traversal vulnerability in Apache HTTP Server version 2.4.49 that could lead to remote code execution.
“The attacker leverages compromised legitimate websites to distribute malware, enabling stealthy delivery and evasion of detection,” VulnCheck said in a report shared with The Hacker News.
The infection sequence, observed earlier this month and originating from an Indonesian IP address, 103.193.177[.]152, is designed to drop a next-stage payload from “repositorylinux[.]org” using curl or wget.
The payload is a shell script responsible for downloading the Linuxsys cryptocurrency miner from five different legitimate websites, suggesting that the threat actors behind the campaign managed to compromise third-party infrastructure to facilitate distribution of the malware.
“This approach is clever because victims connect to legitimate hosts with valid SSL certificates, making detection less likely,” VulnCheck said. “Additionally, it provides a layer of separation for the downloader site (‘repositorylinux[.]org’), since the malware itself is not hosted there.”
The sites also host another shell script called “cron.sh”, which ensures that the miner is automatically launched on system reboot. The cybersecurity company said it also identified two Windows executables on the hacked sites, raising the possibility that the attackers are also going after Microsoft's desktop operating system.
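As an added detection example (not part of the report or of VulnCheck's own tooling), the following Python scans Apache access-log lines for the percent-encoded dot segments that characterise CVE-2021-41773 style path traversal, and goes slightly beyond the page by also flagging the double-encoded variant. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common/combined log prefix: client IP, timestamp, request line, status.
APACHE_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def traversal_kind(segment):
    """Return how a path segment hides '..' from httpd's normalisation, or None.
    A literal '..' is normalised away before path mapping, so only segments that
    become '..' after one decoding pass ('.%2e', '%2e%2e') or two ('.%252e') count."""
    if segment == '..':
        return None
    once = unquote(segment)
    if once == '..':
        return 'encoded'
    if unquote(once) == '..':
        return 'double-encoded'
    return None

def analyse_line(line):
    """Parse one access-log line; return a finding dict or None if clean."""
    m = APACHE_LINE.match(line)
    if not m:
        return None
    raw_path = m.group('path').split('?', 1)[0]
    kinds = {k for k in map(traversal_kind, raw_path.split('/')) if k}
    if not kinds:
        return None
    return {'ip': m.group('ip'), 'method': m.group('method'),
            'status': m.group('status'), 'kinds': sorted(kinds),
            'target': unquote(unquote(raw_path))}  # fully decoded target path

def scan_log(text):
    """Return all findings plus a per-source-IP count for triage."""
    findings = [f for f in map(analyse_line, text.splitlines()) if f]
    return findings, Counter(f['ip'] for f in findings)

# Constructed sample lines (not from the report): a benign request, a
# single-encoded traversal that succeeded (200) and a double-encoded probe that failed.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.9 - - [17/Jul/2025:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1823
198.51.100.9 - - [17/Jul/2025:10:00:03 +0000] "GET /icons/.%252e/%252e%252e/etc/passwd HTTP/1.1" 400 226
"""
```

A 200 status on a flagged request is the line worth pivoting on, since it indicates the traversal was actually served rather than rejected.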
It's worth noting that attacks distributing the Linuxsys miner have previously exploited a critical security flaw in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8), as documented by Fortinet FortiGuard Labs in September 2024.
Interestingly, the shell script dropped after exploitation of that flaw was downloaded from “repositorylinux[.]com”, with comments in the source code written in Sundanese, an Indonesian language. The same shell script has been detected in the wild since December 2021.
Some of the other vulnerabilities used to deliver the miner in recent years include:
- CVE-2023-22527, a template injection vulnerability in Atlassian Confluence Data Center and Confluence Server
- CVE-2023-34960, a command injection vulnerability in Chamilo learning management system (LMS)
- CVE-2023-38646, a command injection vulnerability in Metabase
- CVE-2024-0012 and CVE-2024-9474, authentication bypass and privilege escalation vulnerabilities in Palo Alto Networks firewalls
“All of this indicates that the attacker has been running a long-term campaign, employing consistent techniques such as n-day exploitation, staging content on compromised hosts, and coin mining on victim machines,” VulnCheck said.
“Part of their success comes from careful targeting. They appear to avoid low-interaction honeypots and require high interaction to observe their activity. Combined with the use of compromised hosts for malware distribution, this approach has largely helped the attacker evade scrutiny.”
Exchange Servers Targeted by GhostContainer Backdoor
The development comes as Kaspersky disclosed details of a campaign targeting government entities in Asia, likely using an N-day security flaw in Microsoft Exchange Server, to deploy a custom backdoor codenamed GhostContainer. It's suspected that the attacks may have exploited a now-patched remote code execution bug in Exchange Server (CVE-2020-0688, CVSS score: 8.8).
The “sophisticated and multifunctional backdoor” can be “dynamically extended with arbitrary functionalities through the download of additional modules,” the Russian company said, adding that “the backdoor grants attackers full control over the Exchange server, enabling them to carry out a range of malicious activities.”
The malware is equipped to parse instructions that can execute shellcode, download files, read or delete files, run arbitrary commands, and load additional bytecode. It also incorporates a web proxy and tunneling module.
It's suspected that the activity could be part of an advanced persistent threat (APT) campaign aimed at high-value organizations, including high-tech companies in Asia.
Not much is known about who is behind the attacks, although they are assessed to be highly skilled because of their in-depth understanding of Microsoft Exchange Server and their ability to turn publicly available code into advanced espionage tools.
“The GhostContainer backdoor does not connect to any (command-and-control) infrastructure,” Kaspersky said. “Instead, the attacker connects to the compromised server from the outside, and their control commands are hidden in normal web requests.”