Sophisticated Linux Malware Exploits Apache2 Web Servers
Rising Threat of Linux Malware Targeting Apache2
A new sophisticated Linux malware campaign uncovered in March 2024 is exploiting vulnerabilities in Apache2 web servers, posing serious risks to organizations failing to implement timely updates and security measures. This campaign targets servers with remote code execution (RCE) and path traversal flaws, enabling attackers to deploy malicious tools such as KAIJI (DDoS attacks), RUDEDEVIL (cryptocurrency miner), and custom malware to infiltrate vulnerable systems. With Apache’s wide usage, this presents a significant threat to web hosting environments.
Advanced Techniques for Persistence and Evasion
Attackers have demonstrated a deep understanding of Linux systems, leveraging a variety of advanced persistence mechanisms, such as GSOCKET for encrypted communication disguised as kernel processes. By modifying systemd services, SysVinit scripts, and bash profiles, the attackers ensured their foothold in compromised systems. They also exploited the well-known CVE-2021-4034 (PwnKit) vulnerability for privilege escalation. These tactics allowed the malware to evade detection while continuing its malicious activities undisturbed.
Mining Cryptocurrency and Obfuscating Activities
The malware campaign’s ultimate goal appeared to be cryptocurrency mining, utilizing tools like XMRIG to exploit system resources. Attackers used cron jobs to execute scripts that connected to mining pools, such as unmineable[.]com, for Bitcoin mining. To avoid detection, the malware disguised its processes and communication channels, including the use of SSL connections masqueraded as kernel processes like [mm_percpu_wq].
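A defender-side check for the kernel-thread masquerading described above, as an added example that is not from the report or the malware itself: genuine kernel threads have an empty /proc/<pid>/cmdline and no readable /proc/<pid>/exe link, so a process that shows up as "[mm_percpu_wq]" while having either is user-space code in disguise. The sample records are constructed; the /proc reader is for live use on a Linux host.

```python
"""Flag user-space processes posing as kernel threads (e.g. "[mm_percpu_wq]")."""
import os
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm (ps adds the brackets itself for kernel threads)
    cmdline: str         # /proc/<pid>/cmdline, NULs replaced by spaces; empty for kernel threads
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when unreadable, as for kernel threads

def is_impostor(p: Proc) -> bool:
    """True when a process presents as a kernel thread but carries user-space evidence.

    Presenting as a kernel thread: empty cmdline (ps prints "[comm]") or an argv[0]
    that literally starts with "[". Evidence of user space: a non-empty cmdline or a
    readable exe link. Zombies (empty cmdline, no exe) are deliberately not flagged.
    """
    presents_as_kthread = p.cmdline == "" or p.cmdline.startswith("[")
    return presents_as_kthread and (p.cmdline != "" or p.exe is not None)

def read_proc(pid: int) -> Optional[Proc]:
    """Build a Proc record from /proc; returns None if the process vanished mid-read."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
        with open(f"{base}/stat") as f:
            # Fields after the ")" that closes comm: state, ppid, ...
            ppid = int(f.read().rsplit(")", 1)[1].split()[1])
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None
    return Proc(pid, ppid, comm, cmdline, exe)

def live_procs() -> Iterable[Proc]:
    for name in os.listdir("/proc"):
        if name.isdigit() and (p := read_proc(int(name))) is not None:
            yield p

def scan(procs: Iterable[Proc]) -> list:
    return [p for p in procs if is_impostor(p)]

# Constructed sample records (not real telemetry): two genuine kernel threads,
# two impostors, one ordinary daemon.
SAMPLE = [
    Proc(2, 0, "kthreadd", "", None),
    Proc(37, 2, "mm_percpu_wq", "", None),
    Proc(4242, 1, "mm_percpu_wq", "[mm_percpu_wq]", "/tmp/.hidden/payload"),  # argv[0] disguise
    Proc(1337, 1, "kworker/0:1", "", "/dev/shm/.k"),                           # argv cleared, exe readable
    Proc(900, 1, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for p in scan(live_procs()):
        print(f"pid={p.pid} ppid={p.ppid} comm={p.comm!r} cmdline={p.cmdline!r} exe={p.exe}")
```

Run it as root so every /proc/<pid>/exe link is readable; otherwise a disguised process owned by another user may be missed.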
Recommendations for Mitigation
Organizations using Apache2 web servers are advised to apply security patches promptly and harden system defenses by disabling unnecessary services, configuring firewalls, and monitoring network traffic for abnormal activities. Deploying two-factor authentication and regularly auditing system configurations can reduce the risk of exploitation.