New cryptocurrency malware goes to great lengths to target WordPress servers

News
By
published

Malware uses a mining pool hosted on a Russian VPS company, researchers note

Crypto mining
(Image credit: Shutterstock / Yevhen Vitte)

A new strain of cryptomining malware has been spotted in cyberattacks against WordPress installations. 

Cybersecurity researchers at Akamai say the malware, dubbed Capoae, is written in the Go programming language, which has become popular with threat actors due to its ability to write easily reusable cross-platform code that runs across Windows 10, Linux, macOS and Android

Veteran vulnerability researcher Larry Cashdollar has shared details about Capoae, which is particularly interesting since it makes use of multiple vulnerabilities to gain a foothold in WordPress installations, and repurpose them discreetly to mine cryptocurrencies using the popular XMRig mining software.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

“Crypto Mining campaigns are continuing to evolve. The Capoae campaign’s use of multiple vulnerabilities and tactics highlights just how intent these operators are on getting a foothold on as many machines as possible,” notes Cashdollar.

New tactics

Cashdollar caught hold of Capoae using a honeypot to lure the PHP malware. The malware made its way into the server by bruteforcing the weak WordPress admin credentials to install a tainted WordPress plugin named download-monitor, which had a backdoor.

After reviewing the honeypot access logs, and the malware itself, the researcher was able to unravel its mode of attack.

His analysis revealed that Capoae exploited at least four different remote code execution (RCE) vulnerabilities, one on Oracle WebLogic Server, another in ThinkPHP, and a couple in Jenkins.

Following the discovery of the new malware, Cashdollar asks all WordPress admins to look for high system resource use in their servers, unrecognizable system processes, and dubious log entries or artifacts, such as suspicious files and SSH keys, which are some of the common signs of intrusions. 

“The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here. Don’t use weak or default credentials for servers or deployed applications. Ensure you’re keeping those deployed applications up to date with the latest security patches and check in on them from time to time,” concludes Cashdollar.

TOPICS
Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Read more
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Huge cybercrime attack sees 390,000 WordPress websites hit, details stolen
A person at a laptop with a cybersecure lock symbol floating above it.
Cybercrime gang targets victims with "triple threat" attacks
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over 10,000 WordPress sites found showing fake Google browser update pages to spread malware
A person holding a credit card in one hand while typing on a laptop keyboard with the other.
WordPress users targeted by devious new credit card skimmer malware
A white padlock on a dark digital background.
Developers targeted by malicious Microsoft VSCode extensions
Latest in Security
China
Microsoft says Chinese Silk Typhoon hackers are targeting cloud and IT apps to steal business data
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
BadBox malware hit after infecting over 500,000 Android devices
Webex by Cisco banner on a Chromebook
Cisco warns some Webex users of worrying security flaw, so patch now
Red padlock open on electric circuits network dark red background
AI-powered cyber threats are becoming the biggest worry for businesses everywhere
Woman using iMessage on iPhone
Apple to take legal action against British Government over backdoor request
Red padlock open on electric circuits network dark red background
Aviaton firms hit by devious new polyglot malware
Latest in News
Fujfilm GFX 50R
First Fujifilm GFX100RF images leaked in build-up to expected reveal – here’s what they tell us about the unique premium compact camera
Samsung Galaxy Z Flip 6 in blue
The Samsung Galaxy Z Flip 7 could have a Motorola Razr-style full-sized cover screen – and I think it’s about time
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
Last-minute AMD RX 9070 XT stock rumors are making me hopeful for a much better launch than Nvidia’s RTX 5000 GPUs – with just one snag
eSIM
Global eSIM shipment volume surpasses half a billion units as demand keeps on growing
Samsung Galaxy Buds in white
Samsung may be working on new cheap wireless earbuds – will the Galaxy Buds FE 2 beat Sony's next value earbuds to the punch?
PS5 Pro feature
PlayStation Direct now lets you rent, yes rent, a PS5 from £11.99 a month
More about security
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol

BadBox malware hit after infecting over 500,000 Android devices
China

Microsoft says Chinese Silk Typhoon hackers are targeting cloud and IT apps to steal business data
Fujfilm GFX 50R

First Fujifilm GFX100RF images leaked in build-up to expected reveal – here’s what they tell us about the unique premium compact camera
See more latest
Most Popular
Fujfilm GFX 50R
First Fujifilm GFX100RF images leaked in build-up to expected reveal – here’s what they tell us about the unique premium compact camera
A close up of Conquest in Invincible season 3 episode 7
Invincible season 3 episode 7 just made good on a two-year-old Instagram post and a wild rumor about Jeffrey Dean Morgan
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
BadBox malware hit after infecting over 500,000 Android devices
Samsung Galaxy Z Flip 6 in blue
The Samsung Galaxy Z Flip 7 could have a Motorola Razr-style full-sized cover screen – and I think it’s about time
PS5 Pro feature
PlayStation Direct now lets you rent, yes rent, a PS5 from £11.99 a month
Google Pixel 9 Pro
Your older Pixel phone just got a performance and camera boost thanks to Google's new software update
Samsung Galaxy Buds in white
Samsung may be working on new cheap wireless earbuds – will the Galaxy Buds FE 2 beat Sony's next value earbuds to the punch?
China
Microsoft says Chinese Silk Typhoon hackers are targeting cloud and IT apps to steal business data
eSIM
Global eSIM shipment volume surpasses half a billion units as demand keeps on growing
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
Last-minute AMD RX 9070 XT stock rumors are making me hopeful for a much better launch than Nvidia’s RTX 5000 GPUs – with just one snag