Wiz Research has uncovered an ongoing, sophisticated cryptomining campaign dubbed Soco404, which targets both Linux and Windows systems in cloud environments. The campaign exploits exposed PostgreSQL instances and vulnerable Apache Tomcat servers to achieve initial access, then uses a combination of evasive techniques—including in-memory execution, process masquerading, log wiping, and persistence mechanisms—to deploy and run XMRig-based miners. Uniquely, Soco404 embeds its payloads within fake 404 error pages hosted on Google Sites, allowing the attacker to disguise malicious content as innocuous web responses and avoid detection. In addition to cryptojacking, the infrastructure is linked to fraudulent cryptocurrency trading sites, suggesting ties to a broader crypto-scam operation that monetizes both fake exchanges and illicit mining.
The attacker demonstrates strong operational agility by leveraging multiple tools (e.g., curl, wget, certutil, PowerShell) depending on platform, maintaining persistence through cron jobs and shell file injections on Linux and through services on Windows. The malware communicates internally using local sockets and attempts to impersonate legitimate system processes such as sd-pam, cpuhp, or conhost.exe. Wiz observed continued miner activity tied to two Monero wallets and found artifacts across a wide range of compromised infrastructure, including a legitimate Korean transportation website, reinforcing the campaign’s opportunistic and cloud-focused nature.