Trend Micro: Linux Malware Targets Huawei CloudCode Deployed Prevents Detection and Kills Competition
Researchers at Trend Micro have discovered threat actors deploying malicious code that targets Huawei Cloud and removes defensive applications and services.
See Also: The Power and Scale of XDR
The "Linux threat evolution targets relatively new cloud service providers or CSPs with cryptocurrency-mining malware and cryptojacking attacks," according to the researchers.
The malicious codes, they say, disable the hostguard service - a Huawei Cloud Linux agent process that detects security issues, protects the system and monitors the agent - and cloudResetPwdUpdateAgent - an open-source plug-in agent that allows Huawei Cloud users to reset a password to Elastic Cloud Service instance, which is installed by default on public images.
"As threat actors have these two services present in their shell scripts, we can assume that they are specifically targeting vulnerable ECS instances inside Huawei Cloud," the researchers note.
A spokesperson for Huawei Cloud was not immediately available to offer additional information.
The malicious actors look for public keys that would allow them to "kill off" their competition from the system and update it with their own keys, according to the researchers.
The malicious code removes all traces of previous infection by competitors to avoid sharing computational resources, while also maintaining access in the infected system, the researchers say.
Additionally, it searches the system for security tools that could stop its malicious routines, cleans up after infecting the system, and performs routines - detailed in the report - that deflect detection when malicious URLs are requested, Trend Micro says.
"The campaign creates a greater number of users using more generic, inconspicuous names such as “system” and “logger.” Using usernames such as these can fool an inexperienced Linux analyst into thinking that these are legitimate users," the researchers note. They add that the newly created users are given administrative powers over the infected system.
The threat actors, Trend Micro says, also add their own ssh-rsa key to maintain login access to the infected system, and add permissions to ensure that the files cannot be modified further or removed in the future.
Additionally, the campaign installs The Onion Router, or Tor, proxy service, which is used by the payloads to anonymize malicious connections made by the malware, the researchers add.
The malicious scripts deploy the linux64_shell and xlinux, two executable and linkable format binaries, according to the researchers.
The lunux64_shell binary is packed and obfuscated with the Ultimate Packer for Executables packer, but to make analysis harder, the binary is tampered with, they say. On the other hand, xlinux, is a Go-compiled binary that implements several modules from the kunpeng framework. It acts as a vulnerability scanner, exploits weaknesses and deploys the initial malicious script, Trend Micro says.
The binary linux64_shell is a compiled CrossC2 communication library that is capable of interacting with Cobalt Strike’s module, according to the researchers. The xlinux binary "notifies malicious actors about the infected machine by sending an HTTP POST request and begins with a “security” scan. Once a weakness is found, it exploits it and deploys its payload," the researchers add.
The post-infection scan for security weaknesses includes looking for weak passwords and unauthorized access of the SSH, Redis, PostgreSQL, SQLServer, MongoDB and FTP, as well as vulnerabilities in the Oracle WebLogic Server product, they say.
"Cloud service misconfigurations can allow cryptocurrency mining and cryptojacking attacks to happen. Most of the attacks that we’ve monitored occurred because the services running on the cloud had an API or an SSH with weak credentials or had very permissive configurations, which attackers can abuse to enable them to infiltrate a system without needing to exploit any vulnerabilities," the researchers note.
They believe that misconfigurations, which are a common point of entry for malicious actors, should be given as much attention as vulnerabilities and malware.
Trend Micro adds that companies cannot rely solely on malware scanning and vulnerability checking tools anymore, and must study their CSP responsibility models to determine the best safety policies before publishing cloud services.