A recent investigation by VulnCheck has uncovered a cryptomining campaign that has been operating unnoticed for years. The threat actor behind this operation, using the Linuxsys miner, has been targeting vulnerable systems since at least 2021, maintaining a consistent approach that relies heavily on compromised legitimate websites to distribute malware.
What makes this campaign harder to detect is the attacker's use of real websites as malware delivery channels. Instead of hosting payloads on suspicious domains, they compromise third-party sites with valid SSL certificates and plant their download links there. This not only helps them bypass many security filters but also keeps their core infrastructure (such as the downloader site repositorylinux.org) at a distance from the actual malware files.
Between July 1 and July 16 this year, VulnCheck analysts observed repeated exploit attempts from the IP address 103.193.177.152 against a canary Apache 2.4.49 instance. These attempts were tied to the CVE-2021-41773 vulnerability. While this particular vulnerability isn't new and remains a popular target, the entity exploiting it stood out.
The attackers used a simple script called linux.sh, which pulls down both the configuration file and the Linuxsys binary from a list of five compromised websites. These include domains like prepstarcenter.com, wisecode.it, and dodoma.store, all of which are otherwise ordinary-looking sites.
According to VulnCheck's blog post, shared with Hackread.com ahead of publication on Wednesday, the list wasn't random. It gave the attacker backup options if one site was taken down or stopped working, so the malware could still be delivered without interruption.
The miner configuration file retrieved from these sites points to hashvault.pro as the mining pool and identifies the wallet associated with the operation. That wallet has been receiving small payouts since January 2025, averaging around 0.024 XMR per day, about $8.
While $8 sounds insignificant, the operation isn't necessarily about high revenue. The consistency and duration suggest other goals, or possibly more mining activity elsewhere that hasn't been observed yet.
Tracing Linuxsys back in time, it first appeared in 2021 in a blog post by Hal Pomeranz, a highly respected expert in Linux and Unix digital forensics, analysing the exploitation of the same CVE. Since then, it has been tied to several vulnerabilities through reports by multiple cybersecurity firms. These include recent CVEs like CVE-2023-22527, CVE-2023-34960, and CVE-2024-36401.
All of these campaigns followed the same pattern: n-day vulnerability exploitation, content staging on compromised web infrastructure, and persistent mining operations. An n-day vulnerability is a security bug that is already known and usually has a fix available. The name simply means the flaw has been public for a certain number of days, with 'n' being how many days it has been since the issue was first disclosed or patched.
There is also some evidence that the operation isn't limited to Linux. Two Windows executables, nssm.exe and winsys.exe, were found on the same compromised hosts. While VulnCheck didn't observe these in action, their presence suggests a broader scope than just Linux systems.
What has kept this campaign so low-profile is likely a combination of careful targeting and deliberate avoidance of honeypots. VulnCheck notes that the attacker appears to favour high-interaction environments, meaning typical bait servers often miss this activity entirely. This careful approach has likely helped the campaign avoid attracting too much attention despite being active for years.
VulnCheck has released Suricata and Snort rules that detect exploit attempts for all known related CVEs. Meanwhile, the published indicators of compromise include IPs, URLs, and file hashes related to the attack. VulnCheck also provided detection rules that security teams can use to identify DNS queries and HTTP traffic associated with the downloader and the initial payload scripts.
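As an added example (not code from VulnCheck or from this article), a small Python triage script that checks DNS-query and HTTP-proxy log lines against the indicators named in the report above: the downloader host, the mining pool, and fetches of the payload file names from the listed compromised sites. The one-line log format and the sample lines are constructed assumptions, not a real product format.

```python
import re
from urllib.parse import urlparse
# Indicators named in the article (quoted from the VulnCheck report).
DOWNLOADER_HOST = "repositorylinux.org"
COMPROMISED_HOSTS = {"prepstarcenter.com", "wisecode.it", "dodoma.store"}
MINING_POOL = "hashvault.pro"
PAYLOAD_NAMES = {"linux.sh", "nssm.exe", "winsys.exe"}
# Assumed log shape (not a real product format): "<timestamp> <dns|http> <client-ip> <qname-or-url>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|http)\s+(?P<client>\S+)\s+(?P<target>\S+)$")

def host_matches(host, indicator):
    host = host.lower().rstrip(".")  # the indicator itself or any subdomain of it
    return host == indicator or host.endswith("." + indicator)

def classify(line):  # -> (client, reason) for a hit, else None
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, kind, target = m["client"], m["kind"], m["target"]
    # A bare DNS name is wrapped in a dummy scheme so both kinds parse the same way.
    parsed = urlparse(target if kind == "http" else "dns://" + target)
    host, path = parsed.hostname or "", parsed.path
    if host_matches(host, DOWNLOADER_HOST):
        return client, "downloader-host"
    if host_matches(host, MINING_POOL):
        return client, "mining-pool"
    # Compromised sites also serve legitimate traffic: only a fetch of a known payload name is suspicious.
    if any(host_matches(host, c) for c in COMPROMISED_HOSTS) and path.rsplit("/", 1)[-1] in PAYLOAD_NAMES:
        return client, "payload-fetch"
    return None

def scan(lines):
    # Group reasons per client so the whole chain (resolve, fetch, pool) is reported together.
    hits = {}
    for line in lines:
        result = classify(line)
        if result:
            hits.setdefault(result[0], set()).add(result[1])
    return hits
# Constructed sample lines; the 10.0.0.7 entry is ordinary browsing and must not be flagged.
SAMPLE_LOG = """\
2025-07-03T10:12:01Z dns 10.0.0.5 repositorylinux.org
2025-07-03T10:12:02Z http 10.0.0.5 http://prepstarcenter.com/files/linux.sh
2025-07-03T10:12:09Z dns 10.0.0.5 hashvault.pro
2025-07-03T10:13:00Z http 10.0.0.7 https://wisecode.it/index.html
""".splitlines()

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Plain visits to a compromised site are deliberately not flagged, since those domains serve ordinary content; only the downloader host, the pool, or a payload-name fetch produces a hit.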