This is a new breed of malware! A very new malware has been seen accomplishing a never-before-seen function: uninstalling cloud security products. This new malware is capable of taking admin rights on the targeted system and then uninstalling the cloud security products. Multiple occurrences of the malicious activity are tied to coin-mining malware targeting Linux servers.
One interesting observation made by Palo Alto Networks is that this malware does not attack the cloud security products but simply uninstalls them, leaving the cloud host vulnerable to other attacks. These attacks, carried out by the ‘Rocke group’, did not compromise the security products: rather, the attacks first gained full administrative control over the hosts and then abused that control to uninstall the products in the same way a legitimate administrator would. The malware has evolved to evade detection by cloud security products.
The malware set about uninstalling the security products developed by Tencent and Alibaba Cloud (Aliyun), two major cloud service providers in China that are now expanding globally. This is supposedly the first malware family that has developed the capability to evade detection completely by disabling the cloud security measures!
How do they do it?
A Chinese-language threat actor group called the Rocke group is known to actively use this malware. They use a large number of Git repositories to infect vulnerable systems with Monero-based cryptomining malware.
As reported by Unit 42 analysts, this malware is delivered to the victim machines by exploiting vulnerabilities in Apache Struts 2, Oracle WebLogic and Adobe ColdFusion. Once the malware is downloaded, it establishes a connection to a command and control server and downloads a shell script called “a7” onto the system.
That shell script then executes an array of malicious activities, including killing other cryptomining processes on the system, downloading and running a coin-miner, and hiding its malicious activity from the system using the open source tool “libprocesshider”. At this stage the malware also uninstalls cloud workload protection platforms (CWPPs), the agent-based security protection solutions for public cloud infrastructure.
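Two of the host-level artifacts in that chain can be checked by a defender: libprocesshider registers its library in /etc/ld.so.preload so every new process loads its readdir() hook, and the hook filters the /proc listing but cannot block a direct /proc/<pid> lookup. The script below is an added example by the editor, not code from Unit 42 or from the malware; the preload text and PID sets are constructed sample data, and the /usr/local/lib install path is assumed.

```python
import os
import re

LD_PRELOAD_FILE = "/etc/ld.so.preload"


def preload_entries(preload_text: str) -> list[str]:
    """Parse the body of /etc/ld.so.preload.

    The loader accepts whitespace- or colon-separated library paths and
    ignores '#' comments. On a host where nobody configured a preload
    library, any entry at all deserves review.
    """
    entries: list[str] = []
    for line in preload_text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def listed_pids(proc_dir: str = "/proc") -> set[int]:
    """PIDs as the (possibly hooked) directory listing reports them."""
    return {int(n) for n in os.listdir(proc_dir) if n.isdigit()}


def hidden_pids(visible: set[int], pid_max: int, exists=os.path.exists) -> set[int]:
    """PIDs that answer a direct /proc/<pid> probe but are absent from the
    listing. A process that exits between listing and probing shows up as a
    false positive, so re-check any hit before acting on it."""
    probed = {p for p in range(1, pid_max + 1) if exists(f"/proc/{p}")}
    return probed - visible


def audit(preload_text: str, visible: set[int], pid_max: int, exists=os.path.exists) -> dict:
    """Combine both checks into one report."""
    return {
        "preload_entries": preload_entries(preload_text),
        "hidden_pids": sorted(hidden_pids(visible, pid_max, exists)),
    }


# Constructed sample data (not captured from a real host) so the checks run
# offline: one preload entry and one PID that the hook would drop from readdir().
SAMPLE_PRELOAD = "/usr/local/lib/libprocesshider.so\n"  # assumed install path
SAMPLE_PROC = {f"/proc/{p}" for p in (1, 2, 500, 4242)}
SAMPLE_VISIBLE = {1, 2, 500}

if __name__ == "__main__":
    text = open(LD_PRELOAD_FILE).read() if os.path.exists(LD_PRELOAD_FILE) else ""
    pid_max = int(open("/proc/sys/kernel/pid_max").read())
    print(audit(text, listed_pids(), pid_max))
```

Run as an unprivileged user the probe still works, because /proc/<pid> directories are visible to everyone; the brute-force loop over pid_max takes a few seconds on hosts with a large pid_max.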
This is a clear sign that cloud-based security products might not be enough in the future. It also shows how dangerous the future looks, with highly evolved malware payloads that can take control of systems the way a human operator would. The security infrastructure has to keep up. For now, no definitive defense against this type of malware has emerged, but it appears that security technologies that do payload-based mapping and blocking leveraging AI/ML, rather than purely behavioral detection, will be beneficial in such scenarios.