Capoae Uses Known Tricks to Target Linux and Windows

What has happened?

• At first, a PHP malware is delivered using a backdoor associated with the Download-Monitor WordPress plugin, which was installed after brute-forcing weak credentials.
• The plugin is used as a medium to deliver the main Capoae payload (which is 3MB UPX packed binary) at /tmp location and then decoded. After that, XMRig is installed to mine Monero.
• Besides the miner, various web shells are deployed for different purposes including one for uploading stolen files. 
• Moreover, the malware also contains a port scanner to find open ports and services for further exploitation.
• The visible indicators of infection include high system resource use, unknown system processes running, and unusual log entries/artifacts(e.g. files/SSH keys).

The exploitation of known bugs and persistence tricks

• Capoae uses brute-force attacks on WordPress installations to propagate and abuse RCE flaws (CVE-2019-1003029/CVE-2019-1003030) in Jenkins systems hosted on Linux machines.
• In addition, it targets CVE-2020-14882 in WebLogic Server and CVE-2018-20062 in ThinkPHP.
• For persistence, it uses a system path that looks legitimate from a small list of locations on a disk that is usually found to have system binaries. It then creates a random six-character filename.
• Then, it uses the path and file names to copy itself at the random location on the disk and removes itself from the current location. Further, it updates or injects a Crontab entry to start the execution of the newly created binary.

Conclusion