Malware, Threat Management, Threat Management

Crypto-miner threats detailed by Akamai is ‘what’s going to stab you in the back’

A woman walks past the entrance of a cryptocurrency exchange office on April 16, 2021, in Istanbul. Two new reports detail crypto-mining threats found by Akamai. (Photo by Chris McGrath/Getty Images)

Ransomware may be the most prominent criminal activity over the past year, but crypto-mining attacks have also grown. In separate reports Thursday, Akamai detailed two threats: One new, complex miner targeting WordPress, and a Linux miner that just learned to speak Windows.

"Crypto mining is a lucrative enterprise, and it's lucrative enough where they have actual developers that are invested in making these things more stealth," said Larry Cashdollar, a security researcher with Akamai.

Cashdollar wrote one of the two new reports, a breakdown of a previously undetailed crypto miner he dubbed "Capoae."

Attackers download Capoae to Word Press installations using a backdoored plugin they install by guessing site credentials. It uses multiple known vulnerabilities to further spread, including bugs in Oracle WebLogic Server, ThinkPHP, the XMLRPC API and Jenkins, as well as a brute force attack into SSH.

Cashdollar named the malware Capoae based on the English letters in “Сканирование," which shows up in the system calls after detonation. Сканирование is Russian for "scanning."

The second report out on Thursday came from Evyatar Saias, outlining developments in the Kinsing botnet that is primarily known for its crypto-mining function. Kinsing first uploaded to VirusTotal in 2019 that traditionally targeted Linux. Saias said that for the last six months or so, Akamai has seen it pick up the capability to attack Windows, as well. That has made a once prevalent crypto miner even more contagious.

"We monitor a lot of campaigns and different types of malware, but this one really, really stood out because it just boomed," he said. "I mean, we just see it nonstop. We have a bunch of sensors deployed in many regions, and we just see this thing everywhere."

Kinsing contains backdoor and rootkit functionality, though Saias said he has not seen either function used to install anything beyond the crypto miner.

Both Capoae and Kinsing are written in Golang.

Though ransomware might be the hot topic, the researchers say miners pose a low-profile foothold into networks and their growth should not be lost in the shuffle.

"While everybody's got their attention focused on ransomware, the stuff that Larry and Evyatar found is what's going to stab you in the back. And once it's on your system, unless you're proactively defending against it, that's an active threat actor who has something on your box. You don't know what they're going to do in the future," said Steve Ragan, an Akamai threat intelligence researcher.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.