The Capoae malware installs a backdoor plugin on WordPress sites

Akamai experts write that Capoae malware infiltrates WordPress sites, installs a plugin with a backdoor on them, and then uses the system to mine cryptocurrency.

Expert Larry Cashdollar warns that the main tactic of such malware is spreading through vulnerable systems, as well as cracking unreliable administrator credentials. The studied sample of the malware Keshdollar named Capoae.

ASCII

download-monitor

This malware is delivered to hosts running WordPress via the download-monitor plugin with a backdoor, which cybercriminals install on sites after successfully brute-forcing credentials.

The attack also involves deploying a binary to Golang, whereby the obfuscated payload is retrieved via a GET request, which the malicious plugin makes to the attacker’s domain.

The malware can also decrypt and execute other payloads: basically, the Golang binary exploits various RCE vulnerabilities in Oracle WebLogic Server (CVE-2020-14882), NoneCms (CVE-2018-20062) and Jenkins (CVE-2019-1003029CVE-2019-1003030) in order to brute force and not only work its way into the system and ultimately launch the XMRig miner.

Attackers do not forget that they need to act unnoticed. To do this, they use the most suspicious-looking paths on the disk and directories where real system files can be found, and also create a file with a random six-digit name, which is then copied to another location (before deleting the malware after execution).

The use of multiple vulnerabilities and tactics in the Capoae campaign underscores how seriously the operators [of this malware] intend to gain a foothold in as many systems as possible. The good news is that the same security methods that we recommend for most organizations still work here. Do not use weak or default credentials for servers or applications deployed there. Make sure to keep your applications up to date with the latest security fixes and check them from time to timethe expert sums up.

Let me remind you that I also wrote that Researchers warned of new DarkRadiation ransomware.

黑尔加·史密斯

我一直對電腦科學感興趣, 尤其是數據安全和主題, 而家被稱為 "數據科學", 由我十幾歲開始. 在進入病毒清除團隊擔任主編之前, 我曾喺多傢公司擔任網絡安全專家, 包括亞馬遜嘅承包商之一. 另一種體驗: 我在雅頓大學同雷丁大學任教.

留言

本網站使用Akismet嚟減垃圾郵件. 瞭解如何處理評論數據.

“返回頂部”按鈕