
Capoae Malware

A new malware strain is being used in active attack campaigns to deliver crypto-mining payloads onto compromised systems. The threat was named Capoae, and, according to the findings, Capoae is written using the Go language, which is becoming a popular choice in cybercriminal circles due to its cross-platform capabilities. 

As initial vectors of compromise, the threat actors employ brute-force attacks against systems with weak credentials, while also exploiting several known vulnerabilities. More specifically, Capoae relies on CVE-2020-14882, a remote code execution (RCE) flaw in Oracle WebLogic Server, and CVE-2018-20062, another RCE, this time in ThinkPHP. The threat may also be utilizing two RCE vulnerabilities in Jenkins, tracked as CVE-2019-1003029 and CVE-2019-1003030. 

Threatening Capabilities

Capoae is capable of infecting WordPress installations and Linux systems. The final payload delivered to the breached systems is an XMRig variant that hijacks the victim's resources to mine Monero, one of the more popular cryptocurrencies. Alongside the miner, various web shells are also deployed, expanding the range of actions available to the threat actors. One, for example, is tasked with collecting files from infected systems. A port scanner is then launched to look for open ports and facilitate the further spread of the Capoae malware. 

To ensure its continued presence, the threat is equipped with a novel persistence mechanism. First, Capoae picks a seemingly legitimate system path from a list of potential locations. Then, it generates a new filename consisting of six random characters and copies itself to the selected location. The old binaries of the malware are then deleted. The final step is to either inject a new crontab entry or update an existing one so that it executes the newly generated file. 
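A defender can audit for this persistence pattern directly in crontab content. The following is an added example, not code from the write-up or from the malware: it parses user- or system-format crontab text and flags any entry whose command is a six-character alphanumeric name inside one of an assumed set of system directories (the actual list of paths Capoae chooses from is not given here); the sample crontab is constructed.

```python
"""Audit crontab text for the persistence pattern described above: an entry whose
command is a six-character random filename dropped in a system directory."""
import re

# Assumed candidate directories; the write-up does not list the paths Capoae
# actually picks from, so adjust this to the environment being audited.
SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin",
               "/etc", "/tmp", "/var/tmp")
SIX_RANDOM = re.compile(r"^[A-Za-z0-9]{6}$")


def cron_command(line, has_user_field=False):
    """Return the command part of a crontab line, or None for blank lines,
    comments and VAR=value assignments. System crontabs (/etc/crontab,
    /etc/cron.d/*) carry an extra user field after the five time fields."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    if "=" in tokens[0]:
        return None
    skip = 1 if tokens[0].startswith("@") else 5  # @reboot etc. vs m h dom mon dow
    if has_user_field:
        skip += 1
    if len(tokens) <= skip:
        return None
    return line.split(None, skip)[skip]


def suspicious_entries(crontab_text, has_user_field=False):
    """Flag entries whose executable is <system dir>/<six alphanumeric chars>."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        cmd = cron_command(line, has_user_field)
        if cmd is None:
            continue
        exe = cmd.split()[0]
        directory, _, name = exe.rpartition("/")
        if directory in SYSTEM_DIRS and SIX_RANDOM.match(name):
            findings.append({"line": lineno, "path": exe})
    return findings


# Constructed sample: a PATH assignment, a benign logrotate job, and two
# entries shaped like the Capoae drop (six-character names in system dirs).
SAMPLE_CRONTAB = """\
PATH=/usr/bin:/bin
*/5 * * * * /usr/bin/aB3xZ9 >/dev/null 2>&1
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /tmp/q7Lm2P
"""
```

Run `suspicious_entries(SAMPLE_CRONTAB)` to see the two flagged entries; a hit is a lead for review, not proof of infection, so confirm it against the file on disk and the process list.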

Typical symptoms of a Capoae infection include abnormal usage of system resources, strange or unexpected system processes running in the background, or unfamiliar artifacts left on the system such as SSH keys or small files.
