
Unscrupulous cybercriminals exploit bogus error messages to covertly commandeer computers for unauthorized cryptocurrency mining.

Hackers leverage deceptive "404 error" web pages to surreptitiously install malware, designed to secretly mine cryptocurrency on Linux and Windows systems. Keep abreast of the latest security updates!

Computer infiltrators employ deceptive error screens for covert cryptocurrency mining operations


New Cryptojacking Campaign Targets Cloud Environments: The Soco404 Attack

A new cyberattack campaign, dubbed Soco404, has been detected, targeting both Linux and Windows systems in cloud environments. The attack exploits seemingly harmless 404 error pages hosted on compromised websites to deliver platform-specific cryptocurrency mining malware [1][3][5].

How Soco404 Operates

The Soco404 campaign initially accesses systems by abusing publicly exposed PostgreSQL databases or weak credentials in Apache Tomcat and other cloud services [1][3]. It then hosts fake 404 HTML error pages on compromised websites, including Google Sites and legitimate portals, which serve as a front to deliver malicious payloads [1][3][5].

When these pages are accessed, they run scripts that deploy mining malware tailored to each operating system, disguising their activity as legitimate processes. The malware retrieves its payloads using native utilities depending on the OS, such as and on Linux, and PowerShell or on Windows [1].

The mining malware runs covertly, mimicking legitimate system processes to hide its presence. It dynamically connects to various mining pools and uses active cryptocurrency wallet addresses, suggesting ongoing and adaptive operations connected to a broader crypto-scamming infrastructure [1][3].

Key Targets and Scope

Nearly 90% of cloud environments deploy self-hosted PostgreSQL, with about a third exposed publicly, making them vulnerable. The campaign also compromises Apache Tomcat and Atlassian Confluence servers, expanding its reach across cloud services [1].

Stealthy Nature of Soco404

The Soco404 malware is designed to evade detection. It hides as a system process with names like kworker or sd-pam and erases its tracks to avoid detection by antivirus tools and firewalls [6]. It primarily mines Monero cryptocurrency and disables important logging features in Windows to prevent IT teams from noticing its activities [2][4].

Moreover, the malware is hard to detect because it runs in memory without writing to the hard drive [2], so traditional file-based security tools might not catch Soco404 [7].

Protecting Your Systems

To protect your systems, security experts recommend locking down exposed databases, monitoring for strange error page downloads, and watching for unexplained CPU spikes [5]. Scrutinize what your systems download from the web: a request that appears to return nothing but an error page can still deliver a payload.
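As an added defender-side example (not code from the article or the cited reports), a small Linux triage script that turns the process-name indicators above into a check: it flags processes named kworker that are not genuine kernel threads, and sd-pam processes whose executable is not backed by a file on disk, which is what a miner loaded only into memory would look like. The /proc layout is as documented by the kernel; the specific rules are this example's own assumptions about what a practitioner would look for.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Triage rules are this example's own assumptions about what a defender would check.
@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str           # /proc/<pid>/comm, e.g. "kworker/0:1" or "(sd-pam)"
    exe: Optional[str]  # target of /proc/<pid>/exe; None when unreadable (kernel threads)

def is_suspicious(p: Proc) -> Optional[str]:
    """Return a reason if the process misuses a kworker/sd-pam name, else None."""
    base = p.comm.strip("()").split("/")[0]
    if base == "kworker":
        # Genuine kworkers are kernel threads: parent is kthreadd (PID 2), no exe link.
        if p.ppid != 2 or p.exe is not None:
            return "kworker name on a user-space process"
    elif base == "sd-pam":
        # A real sd-pam is forked by systemd from an on-disk binary; a payload loaded
        # straight into memory shows a deleted or memfd-backed executable instead.
        if p.exe is None or p.exe.endswith("(deleted)") or p.exe.startswith("/memfd:"):
            return "sd-pam name without an on-disk executable (possible fileless payload)"
    return None

def scan_proc(root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Walk /proc and return (pid, comm, reason) for every suspicious process."""
    findings = []
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{root}/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"{root}/{pid}/stat") as f:
                # "pid (comm) state ppid ..."; split after the last ')' as comm may contain spaces
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
        except OSError:
            continue  # process exited while being read
        try:
            exe = os.readlink(f"{root}/{pid}/exe")
        except OSError:
            exe = None
        reason = is_suspicious(Proc(pid, ppid, comm, exe))
        if reason:
            findings.append((pid, comm, reason))
    return findings
```

Run `scan_proc()` as root for full visibility of /proc/<pid>/exe links; a hit is a lead for triage (check CPU usage and network connections to mining pools), not proof of compromise on its own.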

[1] https://www.cyberark.com/threat-research-blog/soco404-cryptojacking-campaign-targets-cloud-environments/
[2] https://www.bleepingcomputer.com/news/security/soco404-cryptojacking-malware-disables-windows-logging-to-evade-detection/
[3] https://www.welivesecurity.com/2021/08/18/soco404-cryptojacking-malware-targets-cloud-environments/
[4] https://www.bleepingcomputer.com/news/security/soco404-cryptojacking-malware-targets-cloud-environments/
[5] https://www.cyberark.com/threat-research-blog/soco404-cryptojacking-campaign-targets-cloud-environments/
[6] https://www.bleepingcomputer.com/news/security/soco404-cryptojacking-malware-disables-windows-logging-to-evade-detection/
[7] https://www.bleepingcomputer.com/news/security/soco404-cryptojacking-malware-targets-cloud-environments/

  1. The Soco404 attack exploits weaknesses such as exposed databases and weak credentials to infiltrate cloud environments and deploy cryptocurrency-mining malware.
  2. Countering the stealthy Soco404 cryptojacking campaign requires monitoring for suspicious error page downloads, securing exposed databases, and keeping antivirus tools updated so that malicious activity can be detected.
