How Attackers Abused the Download Monitor WordPress Plugin to Deliver the New Capoae Malware

Cyber security researchers discovered a malware campaign that abused a WordPress plugin to deliver a new malware called Capoae. Before looking at what the research has uncovered about Capoae, let's first see what crypto-mining malware is.

What Is Crypto Mining Malware Or Crypto Jacking?

Explaining crypto-jacking or crypto mining is not a simple task. You need to know what cryptocurrencies are and how they are mined before crypto-jacking makes sense.

In simple words, cryptocurrencies are digital currencies that work on blockchain technology. A blockchain is made up of a series of blocks, and a block is constructed by solving complex mathematical puzzles. This process of constructing a block is called mining, and it requires a massive amount of computing resources; thousands and thousands of computers compete to mine a block. The first to mine the block is rewarded with some percentage of the cryptocurrency of the block (transaction).

Crypto miners are always in need of computing resources to win the race. So some bad crypto miners compromise other machines and install mining agents or malware on them in order to use those machines' computing resources to win the race. This process of hijacking other people's computing resources is called crypto-jacking.

What Is The New Capoae Malware?

Capoae is a PHP malware whose name refers to the Russian word “Сканирование”, meaning “Scanning”. The malware primarily targets machines that are exposed to known vulnerabilities and that use weak administrative credentials. Once infected, those machines are used to mine cryptocurrencies.

How Attackers Used The New Capoae Malware To Deliver The Crypto Mining Payload?

  1. The campaign begins with the infection of the PHP malware through a backdoor in a WordPress plugin named download-monitor.
  2. After downloading the Download Monitor plugin, attackers install it on targets by exploiting known vulnerabilities and weak passwords.
  3. Once the plugin is installed, it downloads a 3 MB binary, written in Golang and packed with UPX, to /tmp.
  4. That payload is built to perform port scanning to find open ports and services, to run brute force attacks against target systems running SSH, and it is loaded with exploits for several well-known vulnerabilities: CVE-2020-14882, CVE-2018-20062, CVE-2019-1003029, and CVE-2019-1003030.
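One detection opportunity in the chain above is step 3: a large, UPX-packed ELF binary appearing in /tmp. The following script is an added example written for this post, not code from the original article or from the Capoae researchers. It assumes the UPX packer's "UPX!" marker is still present near the start of the file (a heuristic that unmodified UPX output satisfies; a patched marker will evade it), and the 1 MB minimum size is an assumed threshold chosen to be comfortably below the 3 MB payload the article describes.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"   # first four bytes of every ELF file
UPX_MARKER = b"UPX!"     # string the UPX packer leaves near the start of a packed ELF


def is_upx_packed_elf(data: bytes) -> bool:
    """Heuristic: ELF magic followed by the 'UPX!' marker within the first 4 KiB.
    Only catches unmodified UPX output; a stripped or patched marker is missed."""
    if not data.startswith(ELF_MAGIC):
        return False
    return UPX_MARKER in data[:4096]


def find_packed_binaries(directory: str, min_size: int = 1_000_000):
    """Walk a directory (e.g. /tmp) and return paths of regular files that are
    at least min_size bytes and look like UPX-packed ELF binaries."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks planted in /tmp
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_size < min_size:
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            if is_upx_packed_elf(head):
                hits.append(path)
    return sorted(hits)


def demo():
    """Scan a scratch directory holding two constructed files: one that mimics a
    UPX-packed ELF and one plain ELF. Returns the base names that were flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        packed = ELF_MAGIC + b"\x00" * 60 + UPX_MARKER + b"\x00" * 1000
        plain = ELF_MAGIC + b"\x00" * 1060
        with open(os.path.join(tmp, "dropped.bin"), "wb") as fh:
            fh.write(packed)
        with open(os.path.join(tmp, "helper"), "wb") as fh:
            fh.write(plain)
        return [os.path.basename(p) for p in find_packed_binaries(tmp, min_size=0)]


if __name__ == "__main__":
    # On a real host you would call find_packed_binaries("/tmp") instead.
    print(demo())
```

Run it on a live system as `find_packed_binaries("/tmp")` from a cron job or an EDR script; a hit is a lead to triage (hash the file, check which process wrote it), not a verdict, because legitimate software is occasionally UPX-packed too.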

How To Protect From The New Capoae Malware?

Follow these basic guidelines, which can play a vital role in protecting you from the new Capoae malware:

  1. The best protection against crypto miners is a good anti-malware solution. Most anti-malware solutions are able to detect crypto-jacking malware.
  2. Monitor the health of your devices and system resources such as CPU and GPU performance. Isolate the system from the internet and flash it if required.
  3. Block the IOCs at the network level: block the domains/IP addresses on your firewall or Wi-Fi router.
  4. Disable unwanted ports and services.
  5. Don't download anything from untrusted sources, and don't install unsigned software.

New Capoae Malware IOCs:

SHA256SUM

IPs

  • 198.100.145.141
  • 23.238.128.118
  • 69.12.66.218
  • 207.126.93.190
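To act on the IOC list above and on protection step 3 (block and watch for the listed addresses), here is an added example of hunting for these IPs in logs; it is not code from the original post or from the Capoae research. The IP set is the one listed in this article; the log lines are constructed for the example and imitate sshd authentication messages and netfilter-style outbound connection records. It also counts failed SSH logins per source, since the article notes the payload brute-forces SSH, so a noisy source shows up even when it is not yet on the IOC list.

```python
import re
from collections import Counter

# IoC IP addresses from the article's IOC section.
CAPOAE_IPS = {
    "198.100.145.141",
    "23.238.128.118",
    "69.12.66.218",
    "207.126.93.190",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")

# Constructed sample log lines (not from the page). 10.0.0.x and 203.0.113.7
# are private / documentation addresses used as benign filler.
SAMPLE_LOG = """\
Sep 17 10:01:02 web1 sshd[2011]: Failed password for invalid user admin from 69.12.66.218 port 51234 ssh2
Sep 17 10:01:03 web1 sshd[2011]: Failed password for invalid user admin from 69.12.66.218 port 51235 ssh2
Sep 17 10:01:04 web1 sshd[2011]: Failed password for root from 69.12.66.218 port 51236 ssh2
Sep 17 10:01:05 web1 sshd[2011]: Failed password for root from 69.12.66.218 port 51237 ssh2
Sep 17 10:02:10 web1 sshd[2020]: Accepted publickey for deploy from 10.0.0.5 port 40001 ssh2
Sep 17 10:03:00 web1 kernel: OUT=eth0 SRC=10.0.0.12 DST=198.100.145.141 PROTO=TCP DPT=80
Sep 17 10:03:01 web1 kernel: OUT=eth0 SRC=10.0.0.12 DST=203.0.113.7 PROTO=TCP DPT=443
"""


def ioc_hits(log_text: str):
    """Return (line_number, ip) for every IoC address found on any log line.
    Both inbound (sshd source) and outbound (DST=) mentions are caught because
    every IPv4 literal on the line is checked against the set."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for ip in IPV4_RE.findall(line):
            if ip in CAPOAE_IPS:
                hits.append((n, ip))
    return hits


def ssh_bruteforce_sources(log_text: str, threshold: int = 3):
    """Count sshd 'Failed password' lines per source IP and return the sources
    that reach the threshold, whether or not they appear on the IoC list."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SSH_FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: c for ip, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    for n, ip in ioc_hits(SAMPLE_LOG):
        print(f"line {n}: IoC address {ip}")
    for ip, c in ssh_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {c} failed SSH logins")
```

An outbound hit (a DST= line) is the more urgent signal: it suggests a host is already talking to the campaign's infrastructure rather than merely being scanned, so isolate that host first, then add the addresses to the firewall deny list as step 3 recommends.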


About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
