The cybersecurity firm Wiz has recently uncovered an active campaign that is taking advantage of vulnerabilities and misconfigurations in cloud environments to deploy cryptominers. This campaign, known as Soco404, involves the attackers embedding malicious payloads in fake 404 error message pages that are hosted on websites created using Google Sites.
Wiz promptly reported the malicious sites to Google, which took them down. The attackers behind Soco404 target both Linux and Windows hosts, deploying malware built for each platform. This suggests that Soco404 is part of a larger crypto-scam infrastructure and that the attacks are a long-term, opportunistic operation rather than a one-off.
According to a report dated July 23, the hackers are using sophisticated tactics to disguise their malicious activities, achieve persistence on compromised systems, and deliver their malware. The researchers at Wiz have observed that the attackers are conducting automated scans to identify exposed services, exploiting any accessible entry point to deploy cryptominer malware.
The Soco404 attackers employ a wide range of techniques to deliver their payload, including exploiting vulnerabilities in the open-source PostgreSQL database to achieve remote code execution and compromising publicly accessible Apache Tomcat instances through weak credentials. They also compromised a legitimate Korean transportation website to distribute their payloads.
On Linux systems, the attacker runs a script called soco.sh directly in memory upon successful exploitation. This script sets the stage for the main payload: it eliminates competing miners, tunes memory settings, and maximizes the CPU time available for cryptomining. The main payload runs under disguised process names to avoid detection and begins mining cryptocurrency to a designated wallet.
On Windows systems, the attackers use a similar approach to establish persistence and execute the main payload. They create a service with a random name to maintain persistence, stop the Windows Event Log service to avoid detection, and inject the main payload into a conhost.exe process to start cryptocurrency mining.
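As an added defender-side example (not code from Wiz's report), the following Python flags the two Windows steps described above in constructed Service Control Manager records: a newly installed service with a random-looking name (event 7045) and the Windows Event Log service entering the stopped state (event 7036). The vowel-ratio heuristic, the field names and the sample values are assumptions of this example.

```python
"""Flag two Soco404-style Windows indicators in System-log records:
a newly installed service with a random-looking name (SCM event 7045) and
the Windows Event Log service being stopped (SCM event 7036)."""
import json

# Constructed sample records in JSON-lines form; the event IDs are the real
# Service Control Manager ones, but every value below is invented for this demo.
SAMPLE_LOG = r"""
{"EventID": 7045, "ServiceName": "Windows Update", "ImagePath": "C:\\Windows\\system32\\svchost.exe -k netsvcs"}
{"EventID": 7045, "ServiceName": "qzkxwpvtbg", "ImagePath": "C:\\Users\\Public\\svc.exe"}
{"EventID": 7036, "ServiceName": "Windows Event Log", "State": "stopped"}
{"EventID": 7036, "ServiceName": "Print Spooler", "State": "running"}
"""

VOWELS = set("aeiou")


def looks_random(name: str, min_len: int = 8, max_vowel_ratio: float = 0.2) -> bool:
    """Crude heuristic (an assumption of this example, not from the report):
    a single alphanumeric token with almost no vowels is unlikely to be a
    human-chosen service name. Tune the thresholds against your own baseline."""
    if len(name) < min_len or not name.isalnum():
        return False
    vowels = sum(1 for ch in name.lower() if ch in VOWELS)
    return vowels / len(name) <= max_vowel_ratio


def detect(log_text: str) -> list[str]:
    """Return one alert string per suspicious record, in log order."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        name = rec.get("ServiceName", "")
        if rec["EventID"] == 7045 and looks_random(name):
            alerts.append(f"random-named service installed: {name} ({rec.get('ImagePath')})")
        elif rec["EventID"] == 7036 and name == "Windows Event Log" and rec.get("State") == "stopped":
            alerts.append("Windows Event Log service stopped (possible log evasion)")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT:", alert)
```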
Overall, the Soco404 campaign demonstrates a sophisticated and opportunistic approach to exploiting vulnerabilities and misconfigurations in cloud environments. By combining a variety of entry techniques and targeting multiple operating systems, the attackers maximize their reach and persistence across diverse targets. Organizations should remain vigilant and implement robust security measures to protect against such campaigns.