A number of sites have reported an uptick in UPX packed crypto-mining malware attacks. The new malware is known as Capoae malware.
These attack payloads were written in Golang and targeted Linux systems and web applications.
The malware spreads primarily by exploiting known vulnerabilities and the weak credentials set by system administrators.
Once systems are infected, they are then used to mine cryptocurrency.
In addition to this news, SIRT honeypots were being infected with PHP malware that arrived through a backdoored WordPress plugin add-on named “download-monitor.”
Usually, the plugin is installed after the honeypot’s weak WordPress credentials have been guessed.
Once the WordPress credentials are guessed, a 3MB UPX-packed Golang binary is downloaded to the /tmp directory.
Other news outlets are reporting that the malware includes decryption functionality and can write a further encrypted file to yet another directory.
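As an added triage example (not code from the original report or from Akamai), the script below scans a directory for the artifact this chain leaves behind: a large UPX-packed ELF binary in /tmp. It keys on the ELF magic and the markers the UPX stub leaves in the file, because the Go-specific strings are compressed away until the binary is unpacked; the /tmp default and the 1MB size threshold are assumptions, not values from the page.

```python
import os
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
# The UPX stub keeps its "UPX!" l_info magic near the start of a packed ELF and a
# packer banner near the end; both survive packing because they are not compressed.
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX executable packer")
WINDOW = 4096  # bytes examined at each end of a file

@dataclass
class Finding:
    path: str
    size: int
    is_elf: bool
    upx_packed: bool

    @property
    def suspicious(self) -> bool:
        # A UPX-packed ELF dropped where user binaries do not belong
        return self.is_elf and self.upx_packed

def inspect_bytes(data: bytes, path: str = "<memory>") -> Finding:
    """Classify file contents using only its head and tail windows."""
    head, tail = data[:WINDOW], data[-WINDOW:]
    is_elf = head.startswith(ELF_MAGIC)
    upx = any(m in head or m in tail for m in UPX_MARKERS)
    return Finding(path, len(data), is_elf, upx)

def inspect_file(path: str) -> Finding:
    """Read only the first and last WINDOW bytes so a 3MB file is cheap to check."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(WINDOW)
        fh.seek(max(size - WINDOW, 0))
        tail = fh.read(WINDOW)
    finding = inspect_bytes(head + tail, path)
    finding.size = size  # head+tail is shorter than the real file
    return finding

def scan_dir(directory: str = "/tmp", min_size: int = 1_000_000) -> list:
    """Return suspicious regular files of at least min_size bytes (assumed threshold)."""
    hits = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not os.path.islink(path) and os.path.getsize(path) >= min_size:
            finding = inspect_file(path)
            if finding.suspicious:
                hits.append(finding)
    return hits
```

Run `scan_dir()` on a host and treat any hit as a candidate for the unpacked-binary analysis the reports describe, not as a verdict on its own.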
Akamai reported the following about the Capoae malware:
How Do You Defend Yourself Against This Malware?
For larger organizations, we recommend protecting your systems and networks with strong, unique passwords.
Don’t use default or weak credentials, and make sure that you always keep your server and WordPress installations up to date with the latest security patches, along with any plugin upgrades and WordPress version upgrades.
Make sure you upgrade your WordPress theme with all applicable updates as well.