An active campaign is exploiting various vulnerabilities and misconfigurations across cloud environments to deploy cryptominers, according to research from Wiz.
The campaign has been dubbed Soco404 due to the attackers embedding payloads in fake 404 error message pages hosted on websites built using Google Sites, a website development tool.
Wiz has reported these malicious sites to Google and they have since been taken down.
The attacker targets both Linux and Windows operating systems, deploying platform-specific malware.
Soco404 is believed to be part of a broader crypto-scam infrastructure, suggesting the attacks are part of a long-term, opportunistic operation.
The report, dated July 23, also highlighted sophisticated approaches used by the hackers to disguise their malicious activity, achieve persistence and deliver the malware.
“Based on the dynamic number of workers linked to the attacker’s crypto wallet within the mining pool, the campaign appears to still be active,” Wiz wrote.
Read now: AI-Generated Lcryx Ransomware Discovered in Cryptomining Botnet
Opportunistic Approach to Exploitation
The researchers noted that the Soco404 attacker appears to be conducting automated scans for exposed services, aiming to exploit any accessible entry point to deploy cryptominer malware.
“Rather than relying on a single method or operating system, the attacker casts a wide net, deploying whichever tool or technique is available in the environment to deliver their payload. This flexible approach is characteristic of a broad, automated cryptomining campaign focused on maximizing reach and persistence across varied targets,” they commented.
This includes abusing open source database PostgreSQL’s functionality to achieve remote code execution, enabling them to retrieve and execute malicious payloads directly on the host.
Another frequent method observed is the compromise of publicly accessible Apache Tomcat instances, likely via weak credentials.
The attacker has also compromised a legitimate Korean transportation website to deliver payloads.
Malware Persistence and Execution
Linux
Upon successful exploitation in Linux systems, the attacker runs the soco.sh script directly in memory, avoiding disk writes.
This dropper script sets the ground for the main payload.
The downloaded payload initially works to eliminate potential competing miners and forcefully kills processes with separate mount namespaces.
It removes evidence of execution and reduces forensic visibility by overwriting logs.
If the script is running as root, it will attempt to optimize memory performance and maximize CPU efficiency for cryptomining.
A binary is launched to act as a loader for the main payload. Upon execution, the malware unpacks itself into memory and spawns multiple child processes. One of these processes is responsible for re-executing the binary under the name sd-pam in order to masquerade as a legitimate user service that handles pluggable authentication modules (PAM) sessions on Linux systems.
It then connects to the command and control (C2) server which hosts the main payload on a website built using Google sites. When accessed, it displays a fake 404 error page, with the binary embedded within the HTML content as a base64-encoded blob.
The main payload is executed with the names ‘cpuhp/1’ and ‘kworker/R-rcu_p’ to masquerade as kernel related processes.
Once established on the victim’s system, it begins cryptocurrency mining, connecting to a cryptocurrency wallet.
Windows
The Windows payload also goes through a series of processes designed to evade detection.
Following initial access, a Windows binary is executed which acts as a loader that embeds the main payload and the WinRingO.sys driver. Persistence is established by creating a service with a random eight-character uppercase alphabetical name.
It attempts to avoid detection by stopping the Windows event log service.
The binary spawns a conhost.exe process, and injects the main payload into it, creating multiple threads that communicate via TCP sockets.
The malware then begins mining cryptocurrency using the same wallet used by the Linux payload.
