Two newly discovered malware campaigns named Soco404 and Koske are now targeting cloud servers to secretly mine cryptocurrency. These attacks are capable of infecting both Linux and Windows systems and are designed to abuse the computing power of cloud services without being noticed. The campaigns were uncovered by security teams from Wiz and Aqua, who have shared detailed insights into how these malware strains operate.
Soco404 mainly goes after servers that are left exposed to the internet. The attackers search for vulnerable services like Apache Tomcat, Apache Struts, Atlassian Confluence, and PostgreSQL databases. Once they find a system that hasn’t been secured properly, they exploit it to gain access and drop their malicious files.
One of the tricks used in the Soco404 campaign involves hosting malware on fake 404 error pages created using Google Sites. These web pages look like ordinary error messages but actually contain the malicious files. Tools like wget, curl, certutil, and PowerShell are used to download the malware, depending on the target’s operating system. Google has since taken down these fake pages.
On Linux systems, the malware uses a shell script that runs directly in memory, meaning it doesn’t leave a file on disk that could be easily detected. It downloads a second-stage binary to install a crypto miner. The script also shuts down any other mining software it finds running and clears out system logs like cron and wtmp to avoid detection.
For Windows systems, the attackers use PowerShell commands to install a binary that brings in three components: a loader, a cryptocurrency miner, and a driver called WinRing0.sys. This driver helps the malware gain high-level system access. It also disables event logging on Windows and removes traces of its own installation to stay hidden.
Koske, the second malware campaign, takes a different and more creative approach. It targets misconfigured JupyterLab servers, which are often used for programming and data analysis. The attackers hide their code inside panda image files that look completely normal on the surface. These aren’t ordinary steganography files but polyglot files that can act as both images and executable scripts.
Inside these panda images are two main scripts. One is a rootkit written in C that uses a technique called LD_PRELOAD to hide the presence of the malware on Linux systems. The other is a shell script that also runs in memory. This script installs a mining program that can use both CPUs and GPUs to mine up to 18 different cryptocurrencies including Monero, Ravencoin, Zano, Nexa, and Tari.
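A defender-side check for the image/script polyglot trick described above, added here as an example (not code from the Wiz or Aqua write-ups): it locates the image's end-of-file marker and inspects whatever bytes follow it for script-like content. The sample byte strings are constructed and the marker list is an assumption.

```python
"""Flag image files that carry data appended after the image terminator,
the layout a picture/script polyglot needs. Added example; sample bytes
below are constructed, not real campaign artefacts."""
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
# Assumed indicators of an appended shell script (tune for your environment).
SCRIPT_MARKERS = (b"#!/", b"/bin/sh", b"/bin/bash", b"eval ", b"base64 -d")


def image_end_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the image terminator, or None if the
    data is not PNG/JPEG or has no terminator."""
    if data.startswith(PNG_MAGIC):
        iend = data.find(b"IEND")
        if iend == -1:
            return None
        return iend + 4 + 4          # 'IEND' type field + 4-byte CRC
    if data.startswith(JPEG_MAGIC):
        # First EOI marker. Files with an embedded EXIF thumbnail end the
        # thumbnail with its own FFD9, so a segment walker is more robust;
        # here the marker scan below keeps such cases from being flagged.
        eoi = data.find(b"\xff\xd9")
        if eoi == -1:
            return None
        return eoi + 2
    return None


def analyze(data: bytes) -> dict:
    """Report whether data is an image, how many bytes trail the image
    terminator, and which script markers occur in that trailer."""
    end = image_end_offset(data)
    if end is None:
        return {"image": False, "trailer_len": 0, "markers": []}
    trailer = data[end:]
    markers = [m.decode() for m in SCRIPT_MARKERS if m in trailer]
    return {"image": True, "trailer_len": len(trailer), "markers": markers}


# Constructed samples: a minimal PNG (signature + IEND chunk only) and the
# same bytes with a shell script appended after the chunk.
CLEAN_PNG = PNG_MAGIC + b"\x00\x00\x00\x00IEND\xaeB`\x82"
POLYGLOT_PNG = CLEAN_PNG + b"\n#!/bin/bash\necho constructed-sample-payload\n"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("polyglot", POLYGLOT_PNG)):
        print(name, analyze(blob))
```

A non-zero trailer with script markers is a strong signal; a trailer without markers (for example an EXIF thumbnail) deserves a second look rather than an automatic alert.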
Security experts believe that the Koske malware is especially advanced and may have been written with help from artificial intelligence tools. The way the image files are constructed and the in-memory execution methods suggest that this campaign was created by skilled attackers, possibly using AI to improve their malware’s design and stealth.
These two campaigns highlight the growing risks faced by cloud environments today. By exploiting exposed services and using fileless, cross-platform techniques, attackers are able to hijack cloud servers for their own gain. This can lead to increased operating costs, slower system performance, and hidden backdoors for even more dangerous attacks.
To defend against these threats, it’s important to secure cloud services properly by restricting public access, enabling multi-factor authentication, and regularly auditing system activity. Unusual CPU usage, unexpected network traffic, or wiped logs can all be signs that something is wrong. Detecting and stopping these attacks early is key to avoiding larger problems.
Stay alert and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news