Elastic Security Labs uncovered a sophisticated Linux malware campaign targeting servers through an Apache2 web server exploit in March 2024. The attackers used a mix of tools, including custom malware, KAIJI (a DDoS botnet), and RUDEDEVIL (a cryptocurrency miner). They used C2 channels disguised as kernel processes, Telegram bots for communication, and cron jobs for persistence. The campaign also involved leveraging gambling APIs, potentially for money laundering.
The attackers exploited an Apache2 server, gaining arbitrary code execution. They deployed KAIJI malware and downloaded a script (00.sh) to erase traces and kill other mining processes.
The attackers used a file server to distribute malware builds for different CPU architectures. RUDEDEVIL and KAIJI variants were identified, each serving a different purpose, such as mining cryptocurrency or conducting DDoS attacks.
The attackers used GSOCKET for encrypted communication, with its processes disguised as kernel threads. They also employed cron jobs, PHP payloads, and Systemd services to establish and maintain persistence on compromised hosts. Telegram bots and gambling APIs were used to relay information back to the C2 server.
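A defender-side check for the "disguised as a kernel process" trick described above, written as an added example (not code from Elastic or from the report). Genuine kernel threads are children of kthreadd (PID 2), have an empty /proc/PID/cmdline and no readable /proc/PID/exe; a user-space agent that renames itself to something like `[kworker/1:2]` fails at least one of those tests. The process snapshot, the regex prefixes and the executable path are constructed sample values, not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import List

# `ps` renders a real kernel thread as "[name]" because its cmdline is empty;
# a user-space process only looks that way if it set its own argv[0] to it.
BRACKETED = re.compile(r"^\[[^\]]+\]$")
# Common kernel-thread name prefixes (assumed list, not exhaustive).
KTHREAD_PREFIX = re.compile(
    r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|kcompactd|kdevtmpfs|watchdog)"
)

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm
    cmdline: str   # /proc/<pid>/cmdline with NUL bytes replaced by spaces
    exe: str       # readlink /proc/<pid>/exe, "" when unreadable

def looks_like_kthread(p: Proc) -> bool:
    """Name alone suggests a kernel thread (bracketed or known prefix)."""
    name = p.comm.strip("[]")
    return bool(BRACKETED.match(p.comm) or BRACKETED.match(p.cmdline.strip())
                or KTHREAD_PREFIX.match(name))

def is_masquerader(p: Proc) -> bool:
    """True when a process claims to be a kernel thread but is not one."""
    if p.pid in (0, 2) or not looks_like_kthread(p):
        return False
    # Real kernel threads: parent is kthreadd (2), no cmdline, no exe link.
    return p.ppid != 2 or p.cmdline.strip() != "" or p.exe != ""

def find_masqueraders(procs: List[Proc]) -> List[int]:
    return [p.pid for p in procs if is_masquerader(p)]

# Constructed sample snapshot (hypothetical PIDs and paths).
SAMPLE = [
    Proc(2, 0, "kthreadd", "", ""),
    Proc(15, 2, "ksoftirqd/0", "", ""),                                 # genuine
    Proc(31, 2, "kswapd0", "", ""),                                     # genuine
    Proc(1203, 1, "[kworker/1:2]", "[kworker/1:2]", "/tmp/.x/agent"),   # fake
    Proc(1350, 1, "bash", "bash", "/usr/bin/bash"),
]

if __name__ == "__main__":
    print(find_masqueraders(SAMPLE))  # [1203]
```

On a live host the same fields come from /proc; a hit is a lead for triage alongside the cron, Systemd and PHP persistence artifacts the report describes.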