New malware attack turns Elasticsearch databases into DDoS botnet

The malware attack involves two stages including one in which existing cryptomining malware is removed.


The IT security researchers at Trend Micro have discovered a new malware campaign targeting Elasticsearch databases in the wild.


The campaign takes advantage of unprotected or publicly reachable Elasticsearch databases, infects them with malware, and then turns them into botnet zombies used to carry out distributed denial-of-service (DDoS) attacks.
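The exposure the campaign relies on is a node whose HTTP API is reachable from outside the host and carries no authentication. The following check, an added example that is not part of the article or of Trend Micro's write-up, reads the flat `key: value` lines of an `elasticsearch.yml` and flags those two conditions. The two sample configurations are constructed for the example; the parser assumes the file uses only flat keys (no nested blocks), which is how `network.host` and `xpack.security.enabled` are normally written.

```python
"""Flag an Elasticsearch node configuration that would leave its HTTP API
reachable beyond loopback and without authentication."""
from typing import Dict, List

# Constructed sample elasticsearch.yml contents (not taken from the article).
EXPOSED_CONFIG = """\
cluster.name: demo-cluster
node.name: node-1
# listen on every interface
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """\
cluster.name: demo-cluster
node.name: node-1
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Values of network.host that keep the API on the local host only.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse flat 'key: value' lines (assumption: no nested YAML blocks).

    Comments after '#' and blank lines are skipped; surrounding quotes
    on values are stripped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def exposure_findings(settings: Dict[str, str]) -> List[str]:
    """Return one finding per risky setting; an empty list means neither
    exposure condition is present in the file."""
    findings: List[str] = []
    # When network.host is absent, Elasticsearch binds to loopback only.
    host = settings.get("network.host", "_local_")
    if host not in LOOPBACK:
        findings.append(
            f"network.host={host}: HTTP API reachable beyond loopback")
    # Only an explicit 'false' is flagged; the default when the key is
    # absent depends on the Elasticsearch version, so confirm it separately.
    if settings.get("xpack.security.enabled", "").lower() == "false":
        findings.append(
            "xpack.security.enabled=false: no authentication on the API")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, exposure_findings(parse_flat_yaml(cfg)) or ["no findings"])
```

Run against a real node's `config/elasticsearch.yml`; a node that reports both findings is the kind of target the article describes, and the fix is to bind to loopback (or front the API with authentication) before the process is reachable from the network.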


According to the researchers, the malware used in the attack is the Setag backdoor, originally discovered in 2017. Setag is equipped with capabilities such as launching DDoS attacks and stealing system information.



Further analysis of the binaries also revealed the presence of the BillGates malware. BillGates surfaced back in 2014 with the same capabilities as Setag, including launching DDoS attacks and compromising the targeted device.



Attack’s workflow (Image: Trend Micro)



The malware attacks in two stages. In the first stage, the malware runs the script s67.sh to shut down the firewall and define which shell should be used. In the second stage, the malware deletes some files, including various configuration files in the /tmp directory, and removes existing cryptominers installed by other threat actors, all so that it can run its own operation.

“The ways that the scripts are retrieved are notable,” researchers said in their blog post.
