Huawei Cloud hit with cryptomining malware

Representational image depicting a mine worker toiling to mine cryptocurrency
(Image credit: Yevhen Vitte / Shutterstock)

A modified version of a Linux cryptomining malware that previously attacked containers now targets relatively new cloud service providers, particularly Huawei Cloud, report researchers.

Cybersecurity analysts from TrendMicro have shared insights into the malware, and how it has evolved from last year’s container-attacking variant to go after cloud environments.

In the post, the researchers share how “malicious actors deploy code that removes applications and services present mainly in Huawei Cloud.” 

Analyzing the modus operandi of the attackers leads TrendMicro to believe that the threat actors are going after Amazon Elastic Cloud Service (ECS) instances inside Huawei Cloud.

Weeding out competition

The researchers note that the malware disables the hostguard service, a Huawei Cloud Linux agent process whose purpose is to detect and flag any security issues.

Moreover, the malware contains an open source plugin agent that’s designed to allow Huawei Cloud users to reset a password to their ECS instances.

“As threat actors have these two services present in their shell scripts, we can assume that they are specifically targeting vulnerable ECS instances inside Huawei Cloud,” explain TrendMicro researchers Alfredo Oliveira and David Fiser.

In their analysis of the malware, the researchers note that, interestingly, it puts in the time and effort to search for and terminate any other malware running in the attacked cloud environment.

“More than any other samples and campaigns we’ve seen so far, this campaign performs a comprehensive sanitization of the operating system. It looks for both signs of previous infections and for security tools that could stop its malicious routines,” the researchers comment.

The researchers have shared their analysis with Huawei, but have yet to get a response.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
