Full Report
Wiz Research has uncovered an ongoing, sophisticated cryptomining campaign dubbed Soco404, which targets both Linux and Windows systems in cloud environments. The campaign exploits exposed PostgreSQL instances and vulnerable Apache Tomcat servers to achieve initial access, the...
Analysis Summary
# Tool/Technique: Soco404 Cryptomining Campaign (XMRig-based Miner)
## Overview
Soco404 is a sophisticated, ongoing cryptomining campaign discovered by Wiz Research that targets Linux and Windows systems deployed in cloud environments. The campaign achieves initial access by exploiting exposed PostgreSQL instances and vulnerable Apache Tomcat servers, subsequently deploying XMRig-based miners utilizing various evasive techniques.
## Technical Details
- Type: Campaign / Malware (Cryptominer payload based on XMRig)
- Platform: Linux, Windows (Cloud environments)
- Capabilities: Cryptojacking, persistence establishment, process masquerading, log wiping, initial access via exploitation.
- First Seen: Not stated; the campaign was already ongoing when Wiz Research published (around July 23, 2025).
## MITRE ATT&CK Mapping
Based on observed techniques:
- **Initial Access**
  - T1190 - Exploit Public-Facing Application (exposed PostgreSQL instances, vulnerable Apache Tomcat servers)
- **Execution**
  - T1059.004 - Command and Scripting Interpreter: Unix Shell
  - T1059.001 - Command and Scripting Interpreter: PowerShell
- **Persistence**
  - T1053.003 - Scheduled Task/Job: Cron (Linux)
  - T1543.003 - Create or Modify System Process: Windows Service (Windows; a service is not a Run key, so T1547.001 does not apply)
- **Defense Evasion**
  - T1620 - Reflective Code Loading (in-memory execution of the miner; in-memory execution on its own does not establish T1055 Process Injection, which should only be mapped where injection into another process is actually observed)
  - T1036.005 - Masquerading: Match Legitimate Name or Location (process names `sd-pam`, `cpuhp`, `conhost.exe`)
  - T1070.002 - Indicator Removal: Clear Linux or Mac System Logs / T1070.001 - Clear Windows Event Logs (log wiping; T1070.004 File Deletion applies only where the logs are removed by deleting the files)
- **Command and Control**
  - T1105 - Ingress Tool Transfer (`curl`, `wget`, `certutil`, PowerShell fetching later stages from the fake 404 pages)
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP(S) retrieval of stages; the miner's own pool traffic is not C2 in the ATT&CK sense)
- **Impact**
  - T1496 - Resource Hijacking (CPU consumed by XMRig for Monero mining)
## Functionality
### Core Capabilities
- **Cryptojacking:** Deploys and runs XMRig-based miners to steal victim resources for Monero mining.
- **Initial Access:** Exploits misconfigured PostgreSQL instances and vulnerable Apache Tomcat servers.
- **Delivery Mechanism:** Payloads are uniquely disguised and delivered via links embedded within fake 404 error pages hosted on Google Sites.
- **Staging/Tool Usage:** Uses common system utilities (`curl`, `wget`, `certutil`, PowerShell) to download and run later stages. The report describes this as download and execution on the compromised host, not lateral movement.
### Advanced Features
- **Evasion:** Employs in-memory execution to minimize disk artifacts.
- **Process Masquerading:** Attempts to hide its processes by impersonating legitimate service names such as `sd-pam`, `cpuhp`, or `conhost.exe`.
- **Log Wiping:** Executes procedures to erase evidence of its presence (log wiping).
- **Shared Infrastructure:** Wiz links the campaign's infrastructure to fraudulent cryptocurrency trading sites, suggesting a monetization strategy that extends beyond mining.
## Indicators of Compromise
*Note: As this is a summary of an article, specific, current IoCs (hashes, IPs, URLs) are not reproduced here and must be obtained from the vendor report.*
- File Hashes: [Requires vendor report access]
- File/Process Names: The report names the impersonated process names `sd-pam`, `cpuhp` (Linux) and `conhost.exe` (Windows); loader and downloader file names are not given in this summary.
- Registry Keys: Windows Services created for persistence (service definitions live under `HKLM\SYSTEM\CurrentControlSet\Services`).
- Network Indicators: The summary mentions only internal communication over local sockets. Outbound fetches of the Google Sites-hosted fake 404 pages during staging and outbound connections from the miner to Monero mining pools are implied.
- Behavioral Indicators:
- Execution of XMRig processes configured for Monero wallets.
- Creation of cron jobs (Linux) or Windows Services for persistence.
- Use of `curl`/`wget` to fetch payloads from external sources.
- Modification or deletion of log files.
## Associated Threat Actors
- Unknown (Described as an ongoing, sophisticated campaign). The operation appears tied to a broader crypto-scam ecosystem involving fake exchanges.
## Detection Methods
- Signature-based detection: Signatures for XMRig binaries and for mining-pool (Stratum) traffic; a miner produces little conventional C2 beaconing, so pool connections are the stronger network signal.
- Behavioral detection: Monitor for fileless/in-memory execution, mining software launched from unexpected (writable, temporary) paths, sustained CPU use, and processes named `sd-pam`, `cpuhp`, or `conhost.exe` whose executable path does not match the genuine binary.
- YARA rules: Applicable to the loaders and XMRig binaries once the file markers or obfuscation patterns are taken from the vendor report.
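The behavioral indicators and detection methods above reduce to a few checks over a process snapshot: does a process named like `sd-pam`, `cpuhp` or `conhost.exe` actually run from where the genuine one lives, does its command line look like XMRig, and is it burning CPU from a writable staging directory. The following hunt script is an added example, not code from Wiz Research. The process records are constructed (Linux and Windows entries mixed into one list for illustration), and the "genuine" executable locations are assumptions about typical systemd and Windows layouts, not values from the report.

```python
"""Hunt for Soco404-style miner behaviour in a process snapshot.

Added example, not Wiz Research's code. The process records below are
constructed, and the "genuine" executable locations are assumptions about
typical systemd and Windows layouts rather than values from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    comm: str      # process name as ps / Task Manager shows it
    exe: str       # resolved executable path; "" for kernel threads
    cmdline: str
    cpu: float     # percent CPU over the sampling window


# Names the campaign impersonates, mapped to where the genuine process comes
# from (assumed). None means "kernel thread: there is no backing executable".
MASQUERADED = {
    "sd-pam": "/usr/lib/systemd/systemd",          # (sd-pam) is a forked systemd --user
    "cpuhp": None,                                  # cpuhp/N are kernel threads
    "conhost.exe": "c:\\windows\\system32\\conhost.exe",
}

# Writable staging locations a miner has no business running from (assumed list).
UNEXPECTED_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/",
                   "c:\\users\\public\\", "c:\\windows\\temp\\")

# XMRig command-line fingerprints: pool URL scheme, donation flag, pool/user options.
XMRIG_PATTERNS = [
    re.compile(r"stratum\+(tcp|ssl)://", re.I),
    re.compile(r"--donate-level\b"),
    re.compile(r"(^|\s)(-o|--url)\s+\S+:\d+"),
    re.compile(r"(^|\s)(-u|--user)\s+4[0-9A-Za-z]{20,}"),  # Monero addresses start with 4
]


def base_name(comm: str) -> str:
    """Normalise '(sd-pam)' -> 'sd-pam' and 'cpuhp/3' -> 'cpuhp'."""
    name = re.sub(r"^\((.*)\)$", r"\1", comm.strip())
    return re.sub(r"/\d+$", "", name).lower()


def check(p: Proc) -> List[str]:
    """Return the reasons a single process looks like Soco404 activity (empty if none)."""
    reasons = []
    name = base_name(p.comm)
    exe = p.exe.lower()
    if name in MASQUERADED:
        expected = MASQUERADED[name]
        if expected is None:
            if exe:  # a genuine kernel thread has no executable on disk
                reasons.append(f"masquerade: {p.comm} is backed by {p.exe}")
        elif exe != expected:
            reasons.append(f"masquerade: {p.comm} runs from {p.exe}, not {expected}")
    if any(pat.search(p.cmdline) for pat in XMRIG_PATTERNS):
        reasons.append("xmrig-style command line (pool URL / wallet / donate-level)")
    if p.cpu >= 80.0 and exe.startswith(UNEXPECTED_DIRS):
        reasons.append(f"sustained CPU from writable staging path {p.exe}")
    return reasons


def hunt(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that trips at least one check."""
    return {p.pid: r for p in procs if (r := check(p))}


# Constructed snapshot: four benign look-alikes and three miner instances.
# 203.0.113.10 is a documentation address, the wallet is a placeholder.
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd", "/sbin/init", 0.0),
    Proc(1203, "(sd-pam)", "/usr/lib/systemd/systemd", "(sd-pam)", 0.0),
    Proc(14, "cpuhp/0", "", "", 0.0),
    Proc(5200, "conhost.exe", "C:\\Windows\\System32\\conhost.exe",
         "\\??\\C:\\Windows\\system32\\conhost.exe 0x4", 0.3),
    Proc(4471, "sd-pam", "/tmp/.x/sd-pam", "/tmp/.x/sd-pam", 98.5),
    Proc(4490, "cpuhp", "/dev/shm/cpuhp",
         "/dev/shm/cpuhp -o stratum+tcp://203.0.113.10:3333 "
         "-u 4AconstructedPlaceholderWalletAddressxxxx --donate-level 0 -k", 99.1),
    Proc(5120, "conhost.exe", "C:\\Users\\Public\\conhost.exe",
         "conhost.exe --url stratum+ssl://203.0.113.10:443 --user 4Aconstructed", 97.0),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_PROCS).items():
        print(pid, *reasons, sep="\n    ")
```

On a live Linux host the `exe` field comes from `readlink /proc/<pid>/exe` (which fails for kernel threads, giving the empty string the kernel-thread rule expects) and `comm` from `/proc/<pid>/comm`; on Windows the equivalent is the image path from the process object. Each rule is weak alone, which is why the script reports all reasons per process rather than a single verdict.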
## Mitigation Strategies
- **Prevention:** Patch public-facing applications, particularly Apache Tomcat, and do not expose PostgreSQL to the internet; where remote access is unavoidable, require authentication and restrict source networks.
- **Hardening Recommendations:**
  - Implement strong network segmentation within cloud environments; database ports should not be reachable from the internet.
  - Continuously monitor external-facing services for signs of exploitation: unexpected child processes of the database or Tomcat service, and outbound downloads from those hosts (the fake 404 pages are hosted on attacker-controlled Google Sites, so the signal is an outbound fetch from the victim, not inbound requests to 404 endpoints).
  - Restrict download utilities such as `curl`, `wget` and `certutil` on sensitive hosts via application allowlisting, and block outbound internet access from database hosts that do not need it.
  - Implement least-privilege access controls for database services: no `trust` authentication over the network, non-superuser application roles, and narrow source address ranges.
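The "misconfigured PostgreSQL instances" in the Overview and the least-privilege recommendation above both come down to what `pg_hba.conf` admits. As an added example (not code from Wiz Research), the following audit flags the records that turn an instance into an initial-access target: `trust` authentication over the network, cleartext or legacy password methods, catch-all source addresses, and blanket access to every database for every role. Both configurations are constructed, and the subnet, database and role names are placeholders.

```python
"""Audit pg_hba.conf records for the misconfigurations that leave a
PostgreSQL instance open to the internet.

Added example, not Wiz Research's code. Both configurations below are
constructed; the subnet, database and role names are placeholders.
"""
import ipaddress
from typing import List, Optional, Tuple

Finding = Tuple[int, str, str]  # (line number, severity, message)
NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def _is_open_address(addr: str) -> bool:
    """True when the address field admits every client: all, 0.0.0.0/0, ::/0."""
    if addr == "all":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, samehost, samenet: not a catch-all


def _parse(fields: List[str]) -> Optional[Tuple[str, str, Optional[str], str]]:
    """Return (db, user, address-or-None, method) for one record, None if malformed."""
    kind = fields[0]
    if kind == "local" and len(fields) >= 4:
        return fields[1], fields[2], None, fields[3]
    if kind in NETWORK_TYPES and len(fields) >= 5:
        addr, method = fields[3], fields[4]
        # "IP-address IP-mask" form: fold the separate mask into CIDR notation.
        if len(fields) >= 6 and "/" not in addr:
            try:
                ipaddress.ip_address(fields[4])
                addr, method = f"{addr}/{fields[4]}", fields[5]
            except ValueError:
                pass
        return fields[1], fields[2], addr, method
    return None


def audit(conf: str) -> List[Finding]:
    """Flag records that grant unauthenticated, cleartext, or over-broad access."""
    findings: List[Finding] = []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        parsed = _parse(fields)
        if parsed is None:
            findings.append((n, "medium", f"unparseable record: {line}"))
            continue
        db, user, addr, method = parsed
        if method == "reject":
            continue  # an explicit deny cannot be weakened by the rules below
        if method == "trust":
            # trust on the unix socket still needs local OS access; over the network it needs nothing
            sev = "critical" if addr is not None else "high"
            findings.append((n, sev, "trust: any client connects without credentials"))
        elif method == "password":
            findings.append((n, "high", "password: cleartext password on the wire"))
        elif method == "md5":
            findings.append((n, "medium", "md5: prefer scram-sha-256"))
        if addr is None:
            continue  # remaining checks concern network records only
        if _is_open_address(addr):
            findings.append((n, "high", f"address {addr} admits any source"))
        if db == "all" and user == "all":
            findings.append((n, "medium", "all databases for all roles over the network"))
        if fields[0] in ("host", "hostnossl"):
            findings.append((n, "medium", f"{fields[0]}: non-TLS connections accepted; use hostssl"))
    return findings


WEAK_CONF = """\
# constructed: an internet-exposed instance as this campaign would find it
local   all   all                trust
host    all   all   0.0.0.0/0    trust
host    all   all   ::/0         md5
"""

HARDENED_CONF = """\
# constructed: admin via the unix socket, app role over TLS from one subnet, all else denied
local    all    postgres                  peer
hostssl  appdb  app_rw    10.20.0.0/16    scram-sha-256
hostssl  all    all       0.0.0.0/0       reject
hostssl  all    all       ::/0            reject
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

`pg_hba.conf` is evaluated top-down and the first matching record wins, so a permissive record early in the file defeats stricter ones after it; the audit therefore reports every offending line rather than stopping at the first. The checker does not resolve `@file` includes or quoted names, and it cannot tell whether `app_rw` is a superuser; that part of least privilege has to be checked in the database itself.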
## Related Tools/Techniques
- XMRig (Underlying cryptomining software)
- Standard Linux utilities (`curl`, `wget`) and Windows utilities (`certutil`, PowerShell) used for initial staging and execution.