
CoinStomp Malware

CoinStomp is a newly identified malware family designed to infect Cloud services and then use their computing resources to mine cryptocurrency, an attack type that has come to be known as cryptojacking. Details about this particular threat were made public in a report by Cado Security.

According to their findings, CoinStomp consists largely of shell scripts that try to compromise Cloud compute instances belonging to various Cloud service providers. So far, most CoinStomp targets have been Cloud providers located in Asia. The researchers found a reference to the cryptojacking threat actor tracked as Xanthe in a defunct payload URL. However, this fact alone is not enough to attribute the threat to that cybercriminal group with high confidence; furthermore, it may have been left by the real culprits as an attempt to throw security researchers off.

Threatening Capabilities

CoinStomp is equipped with several anti-detection techniques. The most prominent one is 'time-stomping,' a method of manipulating file timestamps with the Linux touch command. Doing so allows the attackers to hide instances where the chmod and chattr utilities were used.
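A practical check for the time-stomping described above, added here as an example and not taken from the Cado Security report or from the malware: on Linux, touch can set a file's atime and mtime to any value, but the kernel always bumps the inode change time (ctime) to the current clock when it does so, and ctime cannot be set from user space. A file whose mtime is far older than its ctime is therefore a candidate for having been backdated. The walker below applies that heuristic; the temp-directory scenario, file names and backdating interval are constructed for the demonstration.

```python
"""Flag regular files whose mtime has been backdated relative to ctime,
the footprint that touch-based time-stomping leaves on Linux.
Added example (not code from the report or from CoinStomp)."""
import os
import stat
import tempfile
import time
from pathlib import Path


def find_timestomp_candidates(root, min_skew_seconds=3600):
    """Walk `root` and return (path, mtime, ctime) for regular files whose
    mtime is older than ctime by at least `min_skew_seconds`.

    Legitimate producers of this pattern exist (package managers and tar
    preserve mtime on extraction), so treat hits as leads to corroborate
    against package manifests and shell history, not as verdicts.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            skew = st.st_ctime - st.st_mtime
            if skew >= min_skew_seconds:
                hits.append((path, st.st_mtime, st.st_ctime))
    return hits


def demo_in_tempdir(backdate_seconds=7 * 24 * 3600):
    """Constructed scenario: write two files into a temp directory, backdate
    the mtime of one of them (what time-stomping does), and return the base
    names of the files the heuristic flags."""
    with tempfile.TemporaryDirectory() as tmp:
        honest = Path(tmp) / "honest.sh"
        stomped = Path(tmp) / "stomped.sh"
        honest.write_text("#!/bin/sh\necho ok\n")
        stomped.write_text("#!/bin/sh\necho ok\n")
        past = time.time() - backdate_seconds
        # Sets atime/mtime to the past; the kernel moves ctime to "now".
        os.utime(stomped, (past, past))
        flagged = find_timestomp_candidates(tmp, min_skew_seconds=3600)
        return sorted(os.path.basename(p) for p, _m, _c in flagged)


if __name__ == "__main__":
    print(demo_in_tempdir())  # ['stomped.sh']
```

Run the walker over directories an intruder would plausibly touch (for example the paths of the chmod and chattr binaries, cron and systemd unit directories, and /tmp) and compare the flagged files' ctime against login and process records from the same window.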

In addition, the threat will try to weaken the targeted Linux server by disabling its cryptographic policies. The purpose of these policies is to protect the system from malware being dropped and executed on it. To facilitate the intrusive actions of the CoinStomp malware, its creators added a routine that uses a kill command to disable the system-wide cryptographic policies.

CoinStomp opens a reverse shell to establish communication with its Command-and-Control (C2) server. If that succeeds, the attackers can use the threat to deliver additional payloads, including binaries for more powerful backdoors and a customized version of XMRig, a Monero crypto-mining program. The next-stage payloads are run as system-wide systemd services with root privileges.
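The persistence pattern above (a dropped miner installed as a system-wide systemd service running as root) can be triaged from the unit files themselves. The script below is an added example, not code from the report or from CoinStomp: it parses unit files with a minimal reader and raises a reason for each of three signals, an ExecStart binary living in a non-package location such as /tmp or /dev/shm, command-line options that XMRig accepts (-o/--url, --donate-level, --coin), and no User= setting, which systemd treats as root. The two unit files embedded below are constructed for the demonstration; the pool hostname uses the reserved .invalid domain.

```python
"""Triage systemd service units for a root-run payload dropped outside
package-managed paths. Added example; sample units are constructed."""
import os
import re

# Directories from which a packaged service would not normally start.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/.", "/home/")
# A few command-line options the XMRig miner accepts.
MINER_FLAGS = re.compile(r"(?:^|\s)(?:-o|--url|--donate-level|--coin)(?:\s|=|$)")


def parse_unit(text):
    """Tiny INI-style reader: {section: {key: [values...]}}; repeated keys
    (systemd allows several ExecStart= lines) are kept in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def triage_unit(text):
    """Return a list of human-readable reasons the unit looks like a dropped
    root-run payload; an empty list means nothing stood out."""
    unit = parse_unit(text)
    service = unit.get("Service", {})
    reasons = []
    for cmd in service.get("ExecStart", []):
        words = cmd.split()
        # systemd permits prefixes such as "-" or "@" before the executable.
        argv0 = words[0].lstrip("-@:+!") if words else ""
        if argv0.startswith(SUSPECT_DIRS):
            reasons.append(f"ExecStart from non-package location: {argv0}")
        if MINER_FLAGS.search(cmd):
            reasons.append("ExecStart carries XMRig-style mining options")
    user = service.get("User", ["root"])[-1]
    if reasons and user == "root":
        reasons.append("runs as root (no User= or User=root)")
    wanted = unit.get("Install", {}).get("WantedBy", [])
    if reasons and any("multi-user.target" in w for w in wanted):
        reasons.append("persists via multi-user.target")
    return reasons


def scan_units(units):
    """units: {name: unit text}. Returns only the flagged units."""
    flagged = {}
    for name, text in units.items():
        reasons = triage_unit(text)
        if reasons:
            flagged[name] = reasons
    return flagged


def scan_unit_dir(dirpath="/etc/systemd/system"):
    """Read every *.service file under dirpath and triage it."""
    units = {}
    for name in sorted(os.listdir(dirpath)):
        if name.endswith(".service"):
            with open(os.path.join(dirpath, name), errors="replace") as fh:
                units[name] = fh.read()
    return scan_units(units)


# Constructed sample units: one ordinary packaged daemon, one dropped miner.
SAMPLE_UNITS = {
    "ssh.service": """[Unit]
Description=OpenBSD Secure Shell server
[Service]
ExecStart=/usr/sbin/sshd -D
[Install]
WantedBy=multi-user.target
""",
    "kthreadd.service": """[Unit]
Description=system update helper
[Service]
ExecStart=/tmp/.x/kthreadd -o stratum+tcp://pool.example.invalid:3333 --donate-level 0
Restart=always
[Install]
WantedBy=multi-user.target
""",
}

if __name__ == "__main__":
    for name, reasons in scan_units(SAMPLE_UNITS).items():
        print(name, reasons)
```

The root check is only added when another signal is present, so ordinary root-run daemons such as sshd are not reported on their own; in practice, follow a hit by checking the ExecStart binary's ownership and package provenance and the unit file's ctime, which ties back to the time-stomping check above.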
