Full Report
Elastic Security Labs uncovered a Linux malware campaign that began in March 2024, targeting vulnerable servers via an Apache2 web server exploit. The attackers gained access and deployed a variety of tools and malware families, including KAIJI, known for its DDoS capabilities...
Analysis Summary
# Incident Report: REF6138 Linux Malware Campaign
## Executive Summary
Elastic Security Labs uncovered the REF6138 Linux malware campaign, active since March 2024, which leveraged an Apache2 web server exploit for initial access. The attackers deployed sophisticated malware, including KAIJI (for DDoS) and RUDEDEVIL (cryptominer), focusing on resource hijacking for cryptocurrency mining and potential money laundering, with ongoing campaign development observed.
## Incident Details
- **Discovery Date:** September 27, 2024 (Reported by Elastic Security Labs)
- **Incident Date:** Began March 2024
- **Affected Organization:** Unknown (Targeting vulnerable servers)
- **Sector:** Broadly affects organizations running vulnerable Linux/Apache environments
- **Geography:** Unknown
## Timeline of Events
### Initial Access
- **Date/Time:** March 2024 (Start of campaign)
- **Vector:** Vulnerable Apache2 Web Server Exploit
- **Details:** Attackers leveraged known vulnerabilities in the Apache2 infrastructure to gain initial foothold on Linux servers.
### Lateral Movement
- **Details:** Not explicitly detailed, but implied through the deployment of tools for resource control and persistence mechanisms (cron jobs).
### Data Exfiltration/Impact
- **Impact:** Resources hijacked primarily for cryptocurrency mining (using RUDEDEVIL) and preparation for potential DDoS activities (using KAIJI). Potential indication of money laundering activities.
### Detection & Response
- **Discovery:** Identified and analyzed by Elastic Security Labs.
- **Response actions taken:** Incident analysis and public disclosure/reporting (as this report is based on a vendor analysis).
## Attack Methodology
- **Initial Access:** Apache HTTP Server Exploit.
- **Persistence:**
- Creation of **cron jobs** for scheduled execution.
- Modification of **SELinux policies**.
- **Privilege Escalation:** Deployment of custom scripts/binaries suggesting efforts to escalate control over system resources.
- **Defense Evasion:**
- **Masquerading processes**.
- Utilizing **GSOCKET** for encrypted C2 communication disguised as kernel processes.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Not explicitly detailed, but inferred through system takeover activities.
- **Lateral Movement:** Not explicitly detailed.
- **Collection:** Not explicitly detailed, focusing primarily on resource control.
- **Exfiltration:** Not explicitly detailed, but execution of cryptocurrency mining suggests resource exfiltration/theft.
- **Impact:** Resource hijacking (cryptojacking).
## Impact Assessment
- **Financial:** Direct impact likely involves electricity costs, lost compute resources, and potential service degradation due to cryptojacking.
- **Data Breach:** No specific data exfiltration disclosed; impact centers on operational resource theft.
- **Operational:** Compromised servers used for malicious activities (mining, DDoS staging), leading to performance degradation.
- **Reputational:** N/A (Vendor analysis, not organization-specific breach).
## Indicators of Compromise
- **Network indicators (defanged):** Use of **GSOCKET** for encrypted C2 channels.
- **File indicators:** Deployment of malware families **KAIJI** and **RUDEDEVIL**, custom scripts, and binaries.
- **Behavioral indicators:**
- Creation of **cron jobs**.
- Modification of system security features (**SELinux** changes).
- Processes masquerading as legitimate services.
- Active communication via **Telegram bots** for potential C2.
## Response Actions
- **Containment measures:** Not publicly detailed regarding organizational response, as this is a post-mortem analysis of campaign activity.
- **Eradication steps:** Not publicly detailed.
- **Recovery actions:** Not publicly detailed.
## Lessons Learned
- Vulnerabilities in core web components like Apache HTTP Server remain a critical entry vector.
- Attackers are leveraging modular tooling (KAIJI, RUDEDEVIL) integrated with custom persistence mechanisms (cron jobs, SELinux manipulation).
- Adversaries are actively developing and iterating on malware variants, suggesting sustained threat actor engagement.
- The use of encrypted communication disguised as kernel processes (GSOCKET) requires advanced runtime monitoring for detection.
## Recommendations
- Implement rigorous patch management for all web servers, starting with Apache HTTP Server.
- Conduct regular configuration reviews to detect unauthorized modifications to persistence mechanisms (e.g., cron jobs) and security policies (SELinux).
- Employ endpoint detection and response (EDR) solutions capable of monitoring kernel-level process behavior to detect masquerading and unusual outbound C2 traffic.
- Segment critical infrastructure to limit initial access from internet-facing components.