Researchers at Trend Micro discovered a new version of Linux malware that deploys malicious code to remove security applications and is now targeting cloud-based se...
A recently evolved Linux cryptocurrency-mining malware is now targeting cloud service providers (CSPs), mainly Huawei Cloud. The new Linux malware technique removes applications from Huawei Cloud by deploying malicious code. It disables a Linux agent process, the hostguard service, which is responsible for detecting security issues in the system.
Code that disables hostguard on Huawei Cloud; source: Trend Micro
A version of this Linux malware was previously used to target container environments in 2020, but it has now evolved to aim at cloud environments. A recent advancement in the campaign is that the threat actors are able to kill off their competition on an infected system and update the keys with their own specific public keys. Once its infection routine is carried out, it runs a simple but effective command to clean up any traces left behind.
Before retrieving its files, it performs an initial connectivity check to ensure that outgoing connections are allowed, and then checks whether the DNS servers are public. Such an order of operations is commonly used so that requests to malicious URLs remain undetected.
After the first connectivity check, it removes any traces of infections left by competitors that previously accessed the infected system.
They make sure to remove their competitors' users before creating their own. While targeting cloud environments, several users with generic names such as 'system' or 'logger' were created. As these users are created, a script adds them to the sudo list, which grants them administrative privileges. An intriguing step in this campaign is that it installs the Onion Router (Tor) proxy service, which the payloads use to anonymize the connections made by the malware.
### Payload functionality
Executable and Linkable Format (ELF) binaries that are deployed: linux64_shell and xlinux
The first binary is packed with the Ultimate Packer for Executables (UPX), and the packed binary was tampered with to make analysis harder. An additional binary was appended to the CrossC2 communication library, which interacts directly with Cobalt Strike's module. After it is successfully unpacked, the malware tries to connect to its C2 at the IP address 45[.]76[.]220[.]46 on port 40443.
Appended Binary File
The second binary acts as a vulnerability scanner that looks for bugs to exploit and deploys the initial malicious script. It implements several modules from the kunpeng framework.
The binary notifies the threat actors about the infected machine through an HTTP POST request to the URL 103[.]209[.]103[.]16:26800/api/postip.
The malware copies itself to /tmp/iptablesupdate and runs a script.
The binary then runs a vulnerability scan to find a weakness to exploit and later deploys its payload.
#### Example of integrated exploit
Vulnerabilities and security weaknesses the binary scans for, according to Trend Micro
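A host-level triage check for the indicators this article walks through (the disabled hostguard agent, generic-named users granted sudo, the Tor proxy, the /tmp/iptablesupdate drop and the two C2 endpoints), written as an added example and not code from Trend Micro or from the malware; the snapshot layout and the sample host data are constructed assumptions for this example.

```python
import re

# Indicators quoted in the article (defanged IPs rewritten with dots for matching).
SUSPICIOUS_USERS = {"system", "logger"}
KNOWN_C2 = {("45.76.220.46", 40443), ("103.209.103.16", 26800)}
DROPPED_PATH = "/tmp/iptablesupdate"
SUDO_RULE = re.compile(r"^(\w+)\s+ALL=\(ALL(?::ALL)?\)\s+(?:NOPASSWD:\s*)?ALL$")


def sudo_users(sudoers_text):
    """Users granted ALL by sudoers-style lines; comments are skipped."""
    found = set()
    for line in sudoers_text.splitlines():
        m = SUDO_RULE.match(line.split("#", 1)[0].strip())
        if m:
            found.add(m.group(1))
    return found


def triage(snapshot):
    """Return sorted (indicator, detail) findings for one host snapshot (assumed dict layout)."""
    findings = []
    # /etc/passwd: the campaign creates generic-named users with a real login shell.
    for line in snapshot["passwd"].splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] in SUSPICIOUS_USERS and f[6] not in ("/usr/sbin/nologin", "/bin/false"):
            findings.append(("generic_user", f"{f[0]} uid={f[2]}"))
    for name in sorted(SUSPICIOUS_USERS & sudo_users(snapshot["sudoers"])):
        findings.append(("sudo_grant", name))
    if "hostguard" not in snapshot["active_services"]:  # security agent stopped
        findings.append(("agent_down", "hostguard"))
    if "tor" in snapshot["active_services"]:  # Tor proxy used to anonymize C2 traffic
        findings.append(("tor_proxy", "tor"))
    if DROPPED_PATH in snapshot["files"]:
        findings.append(("dropped_file", DROPPED_PATH))
    for ip, port in snapshot["connections"]:
        if (ip, port) in KNOWN_C2:
            findings.append(("c2_connection", f"{ip}:{port}"))
    return sorted(findings)


# Constructed snapshot of a compromised host, assembled for this example only.
SAMPLE = {
    "passwd": "root:x:0:0:root:/root:/bin/bash\n"
              "logger:x:1001:1001::/home/logger:/bin/bash\n"
              "system:x:1002:1002::/home/system:/usr/sbin/nologin\n",
    "sudoers": "# managed\nroot ALL=(ALL:ALL) ALL\nlogger ALL=(ALL) NOPASSWD: ALL\n",
    "active_services": {"sshd", "cron", "tor"},
    "files": {"/tmp/iptablesupdate", "/etc/hosts"},
    "connections": [("45.76.220.46", 40443), ("1.1.1.1", 53)],
}
```

Calling `triage(SAMPLE)` flags every indicator present on the constructed host except the 'system' account, which has no login shell; a clean snapshot with hostguard running returns an empty list.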
Trend Micro believes that misconfigurations are a common point of intrusion, and that cloud users should pay equal attention to vulnerabilities and malware. Permissive configurations allow an attacker to infiltrate a system without having to exploit any weaknesses.