According to researchers, the new CoinStomp malware is mainly targeting cloud service providers based in Asia.
The IT security researchers at London, United Kingdom-based Cado Security have revealed details of a new malware family mainly targeting Asian cloud service providers to conduct cryptocurrency mining.
According to Matt Muir of Cado Security, the attackers are using CoinStomp malware in a highly sophisticated campaign designed to exploit CPU resources of targeted devices to mine cryptocurrency.
The malware comprises shell scripts that try to control “cloud computing instances hosted by cloud service providers” cryptomining, Cado Security’s blog post read.
The attack tactics of this campaign include timestomping, removing system cryptographic policies, and initiating C2 communications with the malicious software using a reverse shell. The script then downloads/executes new payloads as system-wide services with root privileges, including binaries to create backdoors and a custom XMRig version, a Monero mining software.
On the other hand, CoinStomp also issues commands to eliminate cryptographic policy files on a system and may even kill cryptographic processes.
About CoinStomp Capabilities
CoinStamp boasts several unusual capabilities. Such as, it relies on timestomping commands Linux systems to update file modification and access time. The malware also tampers with Linux server cryptographic policies, which can otherwise prevent malicious executables from being installed or executed on the system.
CoinStomp’s developer included this feature to disable system-wide cryptographic policies using a single Kill command, noted Cado Security.
The researchers further examined clues in code that hinted towards the involvement of a cryptojacking group called Xanthe. This group is connected to the Abcbot Botnet.
However, the company claims that the clue, which they discovered in a defunct payload URL, is insufficient to establish the involvement of Xanthe as it could very well be an attempt to “foil attribution.”
“CoinStomp demonstrates the sophistication and knowledge of attackers in the cloud security space. Employing anti-forensics techniques and weakening the target machine by removing cryptographic policies demonstrates not only a knowledge of Linux security measures but also an understanding of the incident response process.”Cado Security
More cryptomining malware news: