A new malware has been found targeting WordPress and Linux systems. The malware is written in GoLang and is quickly gaining popularity among cybercriminals. It has cross-platform features and spreads via known flaws and weak admin credentials.
What has happened?
Researchers from Akamai first detected the Capoae malware after it targeted one of their honeypots. It has the ability to write reusable cross-platform code that supports Linux, Android, Linux, and Windows 10.
At first, a PHP malware is delivered using a backdoor associated with the Download-Monitor WordPress plugin, which was installed after brute-forcing weak credentials.
The plugin is used as a medium to deliver the main Capoae payload (which is 3MB UPX packed binary) at /tmp location and then decoded. After that, XMRig is installed to mine Monero.
Besides the miner, various web shells are deployed for different purposes including one for uploading stolen files.
Moreover, the malware also contains a port scanner to find open ports and services for further exploitation.
The visible indicators of infection include high system resource use, unknown system processes running, and unusual log entries/artifacts(e.g. files/SSH keys).
The exploitation of known bugs and persistence tricks
The analysis by researchers has revealed that Capoae had exploited around four different RCE vulnerabilities.
Capoae uses brute-force attacks on WordPress installations to propagate and abuse RCE flaws (CVE-2019-1003029/CVE-2019-1003030) in Jenkins systems hosted on Linux machines.
For persistence, it uses a system path that looks legitimate from a small list of locations on a disk that is usually found to have system binaries. It then creates a random six-character filename.
Then, it uses the path and file names to copy itself at the random location on the disk and removes itself from the current location. Further, it updates or injects a Crontab entry to start the execution of the newly created binary.
Capoae malware is using common tricks, such as exploitation of outdated applications and breaking in via weak or default passwords. Therefore, experts recommend users never use weak or default credentials for deployed applications. Moreover, it is very important to ensure that all applications are updated with the latest security patches.