Cybersecurity researchers have discovered a new campaign that exploits a known security flaw impacting Apache HTTP Server to deliver a cryptocurrency miner called Linuxsys.
The vulnerability in question is CVE-2021-41773 (CVSS score: 7.5), a high-severity path traversal vulnerability in Apache HTTP Server version 2.4.49 that could result in remote code execution.
"The attacker leverages compromised legitimate websites to distribute malware, enabling stealthy delivery and evasion of detection," VulnCheck said in a report shared with The Hacker News.
The infection sequence, observed earlier this month and originating from an Indonesian IP address 103.193.177[.]152, is designed to drop a next-stage payload from "repositorylinux[.]org" using curl or wget.
The payload is a shell script that's responsible for downloading the Linuxsys cryptocurrency miner from five different legitimate websites, suggesting that the threat actors behind the campaign have managed to compromise third-party infrastructure to facilitate the distribution of the malware.
"This approach is clever because victims connect to legitimate hosts with valid SSL certificates, making detection less likely," VulnCheck noted. "Additionally, it provides a layer of separation for the downloader site ('repositorylinux[.]org') since the malware itself isn't hosted there."
The sites also host another shell script named "cron.sh" that ensures that the miner is launched automatically upon a system reboot. Cybersecurity firm said it also identified two Windows executables on the hacked sites, raising the possibility that the attackers are also going after Microsoft's desktop operating system.
It's worth noting that attacks distributing the Linuxsys miner have previously exploited a critical security flaw in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8), as documented by Fortinet FortiGuard Labs in September 2024.
Interestingly, the shell script dropped following the exploitation of the flaw was downloaded from "repositorylinux[.]com," with comments in the source code written in Sundanese, an Indonesian language. The same shell script has been detected in the wild as far back as December 2021.
Some of the other vulnerabilities exploited to deliver the miner in recent years include -
- CVE-2023-22527, a template injection vulnerability in Atlassian Confluence Data Center and Confluence Server
- CVE-2023-34960, a command injection vulnerability in Chamilo Learning Management Systems (LMS)
- CVE-2023-38646, a command injection vulnerability in Metabase
- CVE-2024-0012 and CVE-2024-9474, are authentication bypass and privilege escalation vulnerabilities in Palo Alto Networks firewalls
"All of this indicates that the attacker has been conducting a long-term campaign, employing consistent techniques such as n-day exploitation, staging content on compromised hosts, and coin mining on victim machines," VulnCheck said.
"Part of their success comes from careful targeting. They appear to avoid low interaction honeypots and require high interaction to observe their activity. Combined with the use of compromised hosts for malware distribution, this approach has largely helped the attacker avoid scrutiny."
Exchange Servers Targeted by GhostContainer Backdoor
The development comes as Kaspersky disclosed details of a campaign that's targeting government entities in Asia, likely with a N-day security flaw in Microsoft Exchange Server, to deploy a bespoke backdoor dubbed GhostContainer. It's suspected that the attacks may have exploited a now-patched remote code execution bug in Exchange Server (CVE-2020-0688, CVSS score: 8.8).
The "sophisticated, multi-functional backdoor" can be "dynamically extended with arbitrary functionality through the download of additional modules," the Russian company said, adding "the backdoor grants the attackers full control over the Exchange server, allowing them to execute a range of malicious activities."
The malware is equipped to parse instructions that can execute shellcode, download files, read or delete files, run arbitrary commands, and load additional .NET byte code. It also incorporates a web proxy and tunneling module.
It's suspected that the activity may have been part of an advanced persistent threat (APT) campaign aimed at high-value organizations, including high-tech companies, in Asia.
Not much is known about who is behind the attacks, although they are assessed to be highly skilled owing to their in-depth understanding of Microsoft Exchange Server and their ability to transform publicly available code into advanced espionage tools.
"The GhostContainer backdoor does not establish a connection to any [command-and-control] infrastructure," Kaspersky said. "Instead, the attacker connects to the compromised server from the outside, and their control commands are hidden within normal Exchange web requests."
