Elastic Security Labs uncovered a Linux malware campaign that began in March 2024, targeting vulnerable servers via an Apache2 web server exploit. The attackers gained access and deployed a variety of tools and malware families, including KAIJI, known for its DDoS capabilities, and RUDEDEVIL, a cryptocurrency miner. They also used custom-written malware, creating persistence through cron jobs and leveraging Telegram bots for communication. The campaign’s objective seemed to involve cryptocurrency mining and potential money laundering activities, using compromised hosts to execute these operations. They maintained active development, frequently uploading new malware variants, indicating ongoing adaptation.
The malware used by the attackers showed mature capabilities for persistence, hijacking of system resources, and command and control (C2) communication. Tools like GSOCKET were used to maintain encrypted communication channels while disguised as kernel processes. The attackers masqueraded processes, relied on cron jobs, and modified SELinux policies to evade detection and keep control of the hosts. Their deployment of custom scripts and binaries also pointed to efforts to escalate privileges and take over system resources.
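Kernel-process masquerading of the kind described above leaves a simple inconsistency a defender can check for: a genuine kernel thread is a child of kthreadd (PID 2), has an empty cmdline, and has no readable /proc/&lt;pid&gt;/exe, whereas a user-space binary that merely names itself like one fails at least one of those tests. The following is an added example written for this summary, not code from Elastic Security Labs or from the campaign's tooling; the constructed process records are invented sample data, and `collect_live()` is an assumed helper that reads the same fields from a real Linux /proc.

```python
import os
import re
from dataclasses import dataclass

# ps prints kernel threads as "[kworker/0:1]"; a masquerading binary has to
# put that bracketed string into argv[0] to get the same look.
BRACKETED = re.compile(r"^\[[\w/:\-.+]+\]$")
KTHREAD_PREFIX = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_\w+|kswapd|kcompactd|jbd2|kblockd|cpuhp)\b")

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm (no brackets)
    exe: str       # target of /proc/<pid>/exe, "" if unreadable/absent
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces

def looks_like_kthread(p: Proc) -> bool:
    """Name styled like a kernel thread, either via bracketed argv[0] or comm."""
    return bool(BRACKETED.match(p.cmdline)) or bool(KTHREAD_PREFIX.match(p.comm))

def is_masquerading(p: Proc) -> bool:
    """Kernel-thread appearance combined with any user-space property."""
    if not looks_like_kthread(p):
        return False
    # Real kthreads: parent is kthreadd (2) or pid 0, no exe, empty cmdline.
    return bool(p.exe) or bool(p.cmdline) or p.ppid not in (0, 2)

def scan(procs):
    """Return PIDs that should be investigated."""
    return [p.pid for p in procs if is_masquerading(p)]

def collect_live():
    """Assumed helper: build Proc records from a live Linux /proc tree.
    exe of other users' processes needs root; unreadable means ""."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])  # field after state
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""
        except (OSError, ValueError):
            continue  # process exited mid-read or stat was unparsable
        procs.append(Proc(pid, ppid, comm, exe, cmdline))
    return procs
```

Running `scan(collect_live())` on a host lists PIDs whose kernel-thread appearance does not match their /proc properties; on a clean system the list is expected to be empty.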