A new strain of malware, written in Go language, has been observed in attacks against WordPress and Linux systems.
A new type has been described by Larry Cashdollar, the senior security researcher at Akamai. The malware mainly targeted unpatched systems and at users with weak credentials. It is written in Go, which is fast becoming a go-to malware language with threat actors due to its cross-platform capabilities.
Capoae was observed exploiting CVE-2020-14882, a remote code execution bug in Oracle WebLogic Server, and CVE-2018-20062, another remote code execution bug in ThinkPHP.
Capoae’s PHP malware sample was first spotted when it was caught in an Akamai honeypot. The initial entry was achieved through a vulnerability in a WordPress plugin known as Download-monitor. The plugin was then used to deploy the main Capoae binary to /tmp, and it was then decoded and XMRig was installed to mine for the Monero (XMR) cryptocurrency.
Aside from the miner, web shells were also installed to allow remote exploitation. Another feature of the miner was a port scanner, which could detect open ports.
“After the Capoae malware is executed, it has a pretty clever means of persistence,” Cashdollar says. “The malware first chooses a legitimate-looking system path from a small list of locations on a disk where you’d likely find system binaries. It then generates a random six-character filename, and uses these two pieces to copy itself into the new location on the disk and deletes itself. Once this is done, it injects/updates a Crontab entry that will trigger the execution of this newly created binary.”
Capoae will try to spread by brute-force attacks against WordPress installations. He has also used CVE-2019-1003029 and CVE-2019-1003030 RCE flaws in the past.
Capoae campaign highlights “just how intent these operators are on getting a foothold on as many machines as possible,” Cashdollar said.
The IoCs include unexpected system resource use, unrecognizable system processes, and unrecognizable log entries or artifacts, such as files and SSH keys.
“The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here,” Cashdollar commented. “Don’t use weak or default credentials for servers or deployed applications. Ensure you’re keeping those deployed applications up to date with the latest security patches and check in on them from time to time.”