Hosting control panel solution VestaCP was compromised in a supply chain attack that installed malware used to carry out DDoS attacks.
Earlier this week ESET researchers learned the official VestaCP distribution was compromised to install a malware dubbed Linux/ChachaDDoS onto its systems, according to an Oct. 18 blog post.
It is unclear how the supply chain was compromised but the malware has been on new installations since at least May 2018 and was used to carry out attacks, which were attributed to the compromised servers after customers reported their servers were using an abnormal amount of bandwidth during the time of the attacks.
“The attacker tried launching Linux/ChachaDDoS via SSH,” user “Razza” said on the VestaCP forum. “It is not clear how the payload was dropped in the /var/tmp directory, but assuming the attacker already has the admin password, it would have been a trivial task.”
The malware ChachaDDos shares a persistence mechanism with Xor.DDoS although it's not known if the same author is behind both malware or if the ChachaDDos author simply stole the code.