Hackers Leverage Apache HTTP Server Flaw to Deploy Linuxsys Cryptocurrency Miner, Exploiting Path Traversal Vulnerability
Hackers have exploited a high-severity path traversal vulnerability (CVE-2021-41773) in Apache HTTP Server to deliver a cryptocurrency miner called Linuxsys. The attack campaign also targets Microsoft Exchange Server using a now-patched remote code execution bug, deploying a bespoke backdoor dubbed GhostContainer. This exploitation highlights the importance of staying vigilant and up-to-date with the latest security patches for widely used software applications.
Researchers discovered a new campaign exploiting a known security flaw in Apache HTTP Server to deliver a cryptocurrency miner.
The attack campaign leverages a high-severity path traversal vulnerability (CVE-2021-41773) with a CVSS score of 7.5, classified as critical due to its potential for remote code execution.
Hackers compromise legitimate websites to distribute malware and execute the Linuxsys cryptocurrency miner, evading detection by utilizing stealthy delivery methods.
The attack sequence begins with exploiting the Apache HTTP Server vulnerability to drop a payload, which then downloads the Linuxsys miner from multiple legitimate sites.
Another shell script is deployed to launch the miner automatically upon system reboot.
Kaspersky disclosed details of another campaign targeting government entities in Asia using a Microsoft Exchange Server exploit to deploy a bespoke backdoor called GhostContainer.
The GhostContainer malware grants attackers full control over compromised servers, enabling malicious activities like executing shellcode and downloading files.
In a recent development that highlights the ongoing threat of cyber attacks and vulnerabilities in widely used software applications, researchers have discovered a new campaign that exploits a known security flaw impacting Apache HTTP Server to deliver a cryptocurrency miner called Linuxsys. This exploitation leverages a high-severity path traversal vulnerability (CVE-2021-41773) with a CVSS score of 7.5, which is classified as a critical vulnerability due to its potential for remote code execution.
According to VulnCheck, a cybersecurity firm that conducted an in-depth analysis of the attack campaign, the hackers exploit compromised legitimate websites to distribute malware and execute the Linuxsys cryptocurrency miner. This approach allows the attackers to evade detection by using stealthy delivery methods and leveraging legitimate infrastructure to facilitate their malicious activities. Furthermore, the campaign shows careful targeting: it avoids low-interaction honeypots, so high-interaction systems are needed to observe its activity.
The infection sequence begins with the attacker exploiting the Apache HTTP Server path traversal vulnerability (CVE-2021-41773) to drop a next-stage payload from "repositorylinux[.]org" using curl or wget. The payload is then responsible for downloading the Linuxsys cryptocurrency miner from five different legitimate websites, suggesting that the threat actors behind the campaign have successfully compromised third-party infrastructure to facilitate the distribution of malware.
The attacker also deploys another shell script named "cron.sh," which ensures that the miner is launched automatically upon a system reboot. Additionally, cybersecurity firm VulnCheck identified two Windows executables on the hacked sites, raising the possibility that attackers are also targeting Microsoft's desktop operating system.
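As an added defender-side illustration (not code from VulnCheck or from the article), the following Python scanner flags Apache access-log requests whose percent-decoded path contains a `..` segment, which is the shape of the CVE-2021-41773 path traversal described above; it decodes repeatedly because double-encoding is a common evasion. The log lines are constructed samples, not indicators from the campaign.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-format log lines (not real campaign data).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2025:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Jul/2025:10:02:40 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 831 "-" "curl/7.68.0"
203.0.113.9 - - [17/Jul/2025:10:02:41 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/etc/hostname HTTP/1.1" 200 14 "-" "Wget/1.20.3"
198.51.100.2 - - [17/Jul/2025:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def full_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %%32%65 -> %2e -> '.' are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if any decoded path segment is '..', i.e. the request tries to
    climb out of the directory it was addressed to."""
    decoded = full_decode(path.split("?", 1)[0])
    return any(seg == ".." for seg in decoded.split("/"))


def scan(log_text):
    """Return (ip, method, raw_path, status, user_agent) for every log line
    whose request path decodes to a directory-traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["path"]):
            continue
        hits.append((m["ip"], m["method"], m["path"], int(m["status"]), m["ua"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

A 200 status on a flagged line deserves immediate follow-up, since it means the server actually served the traversed path rather than rejecting it.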
This attack campaign highlights the importance of staying vigilant and up-to-date with the latest security patches for widely used software applications like Apache HTTP Server. Regular updates can help prevent exploitation of known vulnerabilities and mitigate the risk of cryptocurrency miners and other malicious payloads being deployed on compromised systems.
In a separate development, Kaspersky has disclosed details of a campaign that is targeting government entities in Asia, likely using a now-patched remote code execution bug in Microsoft Exchange Server (CVE-2020-0688) to deploy a bespoke backdoor dubbed GhostContainer. The attackers appear to be highly skilled due to their in-depth understanding of Microsoft Exchange Server and their ability to transform publicly available code into advanced espionage tools.
The "sophisticated, multi-functional backdoor" can be dynamically extended with arbitrary functionality through the download of additional modules. It grants attackers full control over the compromised server, enabling a range of malicious activities, including executing shellcode, downloading files, reading or deleting files, running arbitrary commands, and loading additional .NET byte code.
The GhostContainer malware incorporates a web proxy and tunneling module, allowing attackers to establish communication with the compromised server without establishing an external connection. This tactic suggests that the attackers are employing a sophisticated strategy to avoid detection while maintaining control over their victims' systems.
In conclusion, this attack campaign highlights the ongoing threat of cyber attacks and vulnerabilities in widely used software applications. Staying vigilant and up-to-date with the latest security patches is crucial for preventing exploitation of known vulnerabilities and mitigating the risk of malicious payloads like Linuxsys cryptocurrency miners being deployed on compromised systems.
Published: Thu Jul 17 13:00:27 2025 by llama3.2 3B Q4_K_M
Just staying up to date is half the battle.