A new strain of malware has been spotted attacking Linux systems and WordPress installations. The malware, called Capoae, is becoming a favourite tool among attackers because of its cross-platform capabilities, easy installation and fast infection rate.
Linux and WordPress users should stay aware of the indicators that could signal a Capoae malware attack.
Larry Cashdollar, a senior security researcher at Akamai, discovered this new strain of malware last month. He explained that Capoae exploits known vulnerabilities and weak administrative credentials to gain its initial foothold on a system.
What Is Capoae Malware? How Dangerous is it?
Capoae typically enters through CVE-2020-14882, a remote code execution (RCE) vulnerability in Oracle WebLogic Server, and CVE-2018-20062, an RCE vulnerability in the ThinkPHP framework. Using these as entry points, Capoae installs cryptocurrency mining software on the infected host, which drives up the system's CPU load.
According to Advancetec Solutions, Capoae is not an especially dangerous malware strain; it is far less harmful than payloads such as ransomware. However, that assessment rests on the fact that Capoae is currently used for cryptocurrency mining. Technically, nothing prevents attackers from using the same access to deliver more destructive payloads.
Although no reports were made of dangerous Capoae infections, the threat is evidently there, so users should remain vigilant to the Capoae indicators.
How Does Capoae Malware Attack Linux and WordPress
ZDNet described in detail how Capoae launches its attack against Linux and WordPress, based on Akamai's analysis of a Capoae sample observed targeting one of its honeypots.
As noted above, Capoae first exploits CVE-2020-14882 and CVE-2018-20062. In the honeypot case, user data and the honeypot's lax credentials were obtained through a brute-force attack; PHP malware was then delivered through a WordPress plugin called Download-monitor.
The plugin served as the conduit for the main Capoae payload, a 3MB UPX-packed binary dropped into /tmp. Once unpacked, it installs XMRig, which is remotely instructed to mine Monero (XMR) cryptocurrency.
Aside from the cryptocurrency miner, Capoae also installs several web shells, steals user data and uploads the stolen files to the attacker's infrastructure. It also scans for open ports, which it uses to find further systems to exploit.
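One triage check that follows from the payload description above is to look for executable, UPX-packed ELF files sitting in /tmp. The script below is an added example written for this article, not code from Akamai or from the malware; it relies on the "UPX!" magic string that the UPX packer writes into its own headers, and it builds a constructed sample directory (standing in for /tmp) so it can be run offline. The file names and contents in the sample are invented for the example.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"          # magic of the UPX info header embedded in packed files
MAX_PROBE = 16 * 1024 * 1024  # never read more than 16 MiB of a single file


def is_upx_packed_elf(path):
    """True if the file begins with the ELF magic and contains the UPX marker."""
    try:
        with open(path, "rb") as f:
            data = f.read(MAX_PROBE)
    except OSError:
        return False
    return data.startswith(ELF_MAGIC) and UPX_MARKER in data


def find_packed_binaries(directory):
    """Names of executable regular files directly under directory that look
    UPX-packed. lstat is used so a planted symlink cannot redirect the scan."""
    hits = []
    for name in sorted(os.listdir(directory)):
        p = os.path.join(directory, name)
        try:
            st = os.lstat(p)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111 and is_upx_packed_elf(p):
            hits.append(name)
    return hits


def build_sample_dir():
    """Constructed stand-in for /tmp: an executable packed ELF, an executable
    unpacked ELF, an executable text file and a non-executable packed ELF.
    Returns the directory path. (Sample data, not real malware.)"""
    d = tempfile.mkdtemp(prefix="capoae-demo-")
    samples = {
        "Xq7bVn": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61 + UPX_MARKER + b"\x00" * 64,
        "hello": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 125,
        "notes.txt": b"just a text file mentioning UPX!\n",
        "stash": ELF_MAGIC + UPX_MARKER,
    }
    for name, payload in samples.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(payload)
        os.chmod(p, 0o644 if name == "stash" else 0o755)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    print("UPX-packed executables in", sample, "->", find_packed_binaries(sample))
```

On a live host you would call `find_packed_binaries("/tmp")` instead of the sample directory. The marker is a triage hint rather than proof: a modified packer can strip it, and a packed file is only suspicious in combination with the other indicators the article lists.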
Per ZDNet, Cashdollar said "After the Capoae malware is executed, it has a pretty clever means of persistence. The malware first chooses a legitimate-looking system path from a small list of locations on a disk where you'd likely find system binaries."
Cashdollar also explained that Capoae generates a random six-character filename, copies itself to the chosen location under that name and deletes the original. Capoae then adds or updates a crontab entry that executes the newly created binary.
The most notable indicators of a Capoae infection are an unrecognised system process or an unusual spike in system resource load. Also keep an eye out for strange log entries and artifacts such as unexpected SSH keys and files.
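The persistence mechanism and the indicators described above can be turned into a concrete check: scan a crontab for jobs that launch a six-character, randomly named binary out of a system binary directory. The script below is an added example written for this article, not Akamai's tooling or the malware's own code. The directory list is an assumption (the article only says "a small list of locations on disk where you'd likely find system binaries"), the allowlist stands in for a package-manager ownership lookup, and the sample crontab is constructed for the example.

```python
import re
import shlex

# Assumed list of "legitimate-looking system paths"; Capoae's actual list is not
# given in the article.
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                   "/usr/local/bin", "/usr/local/sbin")

# Six alphanumeric characters, matching the reported random filename length.
# Legitimate six-letter tools exist (python, whoami), so a second signal is needed.
SIX_ALNUM = re.compile(r"^[A-Za-z0-9]{6}$")

# Constructed allowlist standing in for "is this file owned by a package?".
# On a live host replace this with a dpkg -S / rpm -qf lookup.
KNOWN_BINARIES = {"/usr/bin/python", "/usr/bin/whoami", "/usr/bin/xrandr"}


def parse_crontab(text):
    """Yield (schedule, command) for each job in user-crontab format
    (the `crontab -l` layout; /etc/crontab has an extra user column, not handled)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:            # MAILTO=..., PATH=..., SHELL=...
            continue
        if first.startswith("@"):   # @reboot, @daily, ...
            parts = line.split(None, 1)
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            parts = [" ".join(parts[:5]), parts[5]]
        if len(parts) == 2:
            yield parts[0], parts[1]


def executable_of(command):
    """First token of the scheduled command, e.g. '/usr/sbin/Xq7bVn' from
    '/usr/sbin/Xq7bVn >/dev/null 2>&1'."""
    try:
        argv = shlex.split(command)
    except ValueError:
        argv = command.split()
    return argv[0] if argv else ""


def suspicious_crontab_entries(text, known=KNOWN_BINARIES):
    """Flag jobs whose executable is a six-character name directly inside a
    system binary directory and is not a known, package-owned binary.
    Returns a list of (executable, confidence, command) tuples."""
    hits = []
    for _schedule, command in parse_crontab(text):
        exe = executable_of(command)
        for d in SYSTEM_BIN_DIRS:
            if exe.startswith(d + "/") and "/" not in exe[len(d) + 1:]:
                name = exe[len(d) + 1:]
                if SIX_ALNUM.match(name) and exe not in known:
                    # Heuristic: real system tools are lower-case; a random
                    # alphanumeric name almost always carries digits or capitals.
                    conf = "high" if re.search(r"[A-Z0-9]", name) else "medium"
                    hits.append((exe, conf, command))
                break
    return hits


# Constructed sample crontab: two legitimate jobs, a Capoae-style persistence
# entry, and a six-letter lower-case name that is not package-owned.
SAMPLE_CRONTAB = """\
MAILTO=root
# m h dom mon dow command
0 3 * * * /usr/bin/rsync -a /srv/www /backup/www
*/5 * * * * /usr/bin/python /opt/monitor/collect.py
@reboot /usr/sbin/Xq7bVn >/dev/null 2>&1
* * * * * /usr/local/bin/pzfkaw
"""

if __name__ == "__main__":
    for exe, conf, cmd in suspicious_crontab_entries(SAMPLE_CRONTAB):
        print(f"[{conf}] {exe}  <-  {cmd}")
```

In practice you would feed it the output of `crontab -l` for each user (and adapt the parser for the /etc/crontab and /etc/cron.d layouts, which carry a user column), then confirm any hit by checking whether the file is owned by a package and whether a process with that name is consuming CPU.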