A new malware dubbed Capoae was spotted in cyberattacks launched against WordPress and Linux systems.
The Capoae malware is written in Go. According to Larry Cashdollar, senior security researcher at Akamai, threat actors favor Go mainly for its cross-platform capabilities; the malware spreads by exploiting known vulnerabilities and by guessing weak administrative credentials.
Vulnerabilities exploited by Capoae include CVE-2020-14882, a remote code execution (RCE) flaw in Oracle WebLogic Server, and CVE-2018-20062, another RCE in ThinkPHP.
The malware was spotted after a sample hit an Akamai honeypot. A PHP malware sample arrived through a backdoor tied to the WordPress plugin Download-monitor, which had been installed after the honeypot's weak credentials were obtained through a brute-force attack.
The plugin then served as the conduit for dropping the main Capoae payload, a 3 MB UPX-packed binary, into /tmp, where it was unpacked. The payload then installs XMRig to mine the Monero (XMR) cryptocurrency.
Besides the cryptocurrency miner, several web shells are installed, one of which can upload files taken from the compromised system. A port scanner is also bundled with the miner to find open ports on other hosts for further exploitation.
Cashdollar stated that the malware first chooses a legitimate-looking system path from a small list of locations on disk where system binaries are likely to be found. It then generates a random six-character filename, combines the two to copy itself to that new location, and deletes the original. Once this is done, it adds or updates a crontab entry that executes the newly created binary.
Capoae also brute-forces WordPress installations to spread, and it may exploit CVE-2019-1003029 and CVE-2019-1003030, both RCE flaws affecting Jenkins. Infections have been traced to Linux servers.
Major signs of infection include high system resource use, unexpected or unrecognized system processes, and strange log entries or artifacts such as unknown files and SSH keys.
Cashdollar recommends not using weak or default credentials for servers or deployed applications, keeping deployed applications up to date with the latest security patches, and checking in on them from time to time.
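The persistence technique described above (a random six-character binary copied into a system bin directory and launched from cron) leaves exactly the kind of crontab artifact listed among the signs of infection. The following script is an added example, not Akamai's code or anything from the malware itself: it parses crontab text and flags entries whose command is a six-character alphanumeric binary in a system bin directory. The list of directories is an assumption (the article only says "locations where system binaries are likely to be found"), the crontab samples are constructed, and the offline package-ownership stand-in replaces a real dpkg -S / rpm -qf check.

```python
"""Flag crontab entries that resemble the Capoae persistence artifact:
a binary with a random six-character name dropped into a system bin dir.
Added example for illustration; not code from the original report."""
import os
import re
import subprocess
from typing import Callable, List, Optional

# Assumption: the report only says the malware picks from "a small list of
# locations where system binaries are likely to be found".
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin",
                   "/usr/local/bin", "/usr/local/sbin"}

SIX_ALNUM = re.compile(r"^[A-Za-z0-9]{6}$")


def cron_command(line: str, system_format: bool = False) -> Optional[List[str]]:
    """Return the command tokens of one crontab line, or None for blank lines,
    comments and VAR=value assignments. system_format=True handles /etc/crontab
    and /etc/cron.d, which carry a user field between the schedule and command."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    if "=" in tokens[0]:            # environment assignment such as MAILTO=root
        return None
    if tokens[0].startswith("@"):   # @reboot, @daily, ... take the place of 5 fields
        rest = tokens[1:]
    else:
        rest = tokens[5:]           # minute hour day-of-month month day-of-week
    if system_format:
        rest = rest[1:]             # drop the user field
    return rest or None


def looks_like_capoae_drop(path: str) -> bool:
    """True if path is <system bin dir>/<six alphanumeric characters>."""
    return (os.path.dirname(path) in SYSTEM_BIN_DIRS
            and bool(SIX_ALNUM.match(os.path.basename(path))))


def dpkg_owns(path: str) -> bool:
    """Real host check: does a Debian package own this file? (use rpm -qf on RHEL)"""
    try:
        return subprocess.run(["dpkg", "-S", path], capture_output=True).returncode == 0
    except FileNotFoundError:
        return False


def suspicious_cron_entries(crontab_text: str, system_format: bool = False,
                            owned_by_package: Callable[[str], bool] = dpkg_owns) -> List[dict]:
    """Scan crontab text and return findings for commands that match the pattern."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        cmd = cron_command(line, system_format)
        if not cmd or not looks_like_capoae_drop(cmd[0]):
            continue
        path = cmd[0]
        # A six-character name alone is a weak signal (/usr/bin/python is one);
        # package ownership is the real discriminator, and mixed case or digits
        # in the name raise confidence because packaged tools are usually lowercase.
        if owned_by_package(path):
            continue
        confidence = "high" if re.search(r"[A-Z0-9]", os.path.basename(path)) else "low"
        findings.append({"line": lineno, "path": path,
                         "confidence": confidence, "entry": line.strip()})
    return findings


# Constructed sample of a user crontab (not captured from a real infection).
SAMPLE_USER_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/sbin/Kx7pQ2 >/dev/null 2>&1
@reboot /usr/local/bin/zT9wLm
30 2 * * * /usr/bin/python /opt/jobs/report.py
0 1 * * * /usr/local/bin/backup --full
"""

# Constructed /etc/cron.d style sample; note the extra user field.
SAMPLE_SYSTEM_CRONTAB = """\
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/10 * * * * www-data /usr/bin/Q8mRv3
"""

# Offline stand-in for dpkg -S: paths we pretend a package owns.
PACKAGE_OWNED = {"/usr/bin/certbot", "/usr/bin/python", "/usr/bin/run-parts"}


def offline_owned(path: str) -> bool:
    return path in PACKAGE_OWNED


def demo():
    user = suspicious_cron_entries(SAMPLE_USER_CRONTAB, owned_by_package=offline_owned)
    system = suspicious_cron_entries(SAMPLE_SYSTEM_CRONTAB, system_format=True,
                                     owned_by_package=offline_owned)
    return user, system


if __name__ == "__main__":
    for finding in demo()[0] + demo()[1]:
        print(f"[{finding['confidence']}] line {finding['line']}: {finding['entry']}")
```

On a real host, feed it the output of crontab -l for each user plus /etc/crontab, /etc/cron.d/* and /var/spool/cron/crontabs/* (system_format=True for the first two), and let the default dpkg_owns do the ownership check. Treat a high-confidence hit as a lead to triage, not proof: confirm with the other indicators in the article, such as an XMRig process consuming CPU and unfamiliar SSH keys or web shells on the box.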