According to researchers, the new CoinStomp malware is mainly targeting cloud service providers based in Asia.

The IT security researchers at London, United Kingdom-based Cado Security have revealed details of a new malware family mainly targeting Asian cloud service providers to conduct cryptocurrency mining.

According to Matt Muir of Cado Security, the attackers are using CoinStomp malware in a highly sophisticated campaign designed to exploit CPU resources of targeted devices to mine cryptocurrency.

The malware comprises shell scripts that try to control “cloud computing instances hosted by cloud service providers” cryptomining, Cado Security’s blog post read.

Attack Tactics

The attack tactics of this campaign include timestomping, removing system cryptographic policies, and initiating C2 communications with the malicious software using a reverse shell. The script then downloads/executes new payloads as system-wide services with root privileges, including binaries to create backdoors and a custom XMRig version, a Monero mining software.

On the other hand, CoinStomp also issues commands to eliminate cryptographic policy files on a system and may even kill cryptographic processes.

About CoinStomp Capabilities

CoinStamp boasts several unusual capabilities. Such as, it relies on timestomping commands Linux systems to update file modification and access time. The malware also tampers with Linux server cryptographic policies, which can otherwise prevent malicious executables from being installed or executed on the system.

CoinStomp’s developer included this feature to disable system-wide cryptographic policies using a single Kill command, noted Cado Security.

Possible Perpetrators

The researchers further examined clues in code that hinted towards the involvement of a cryptojacking group called Xanthe. This group is connected to the Abcbot Botnet.

CoinStomp cryptomining malware targeting cloud services
One of the URLs analyzed by researchers hints towards the involvement of Xanthe

However, the company claims that the clue, which they discovered in a defunct payload URL, is insufficient to establish the involvement of Xanthe as it could very well be an attempt to “foil attribution.”

“CoinStomp demonstrates the sophistication and knowledge of attackers in the cloud security space. Employing anti-forensics techniques and weakening the target machine by removing cryptographic policies demonstrates not only a knowledge of Linux security measures but also an understanding of the incident response process.”  

Cado Security

More cryptomining malware news:

400% increase in cryptomining malware attacks against iPhones

Malware hits Hive OS cryptomining users; steals funds from wallets

Police seize illegal cryptomining farm using thousands of PS4s, GPUs

Hackers using pirated software to spread new cryptomining Mac malware

DarkGate: New password stealer & cryptomining malware hits Windows devices

Posted by Charlie