A new cybercriminal campaign from Mirai botnet operators targets Apache Tomcat servers to deliver malware and run cryptocurrency miners. Based on reports, the campaign accounts for a share of more than 800 attacks observed against misconfigured or poorly secured Tomcat server honeypots.
These attacks were recorded over a two-year period, and 96% of the instances came from the Mirai botnet campaign.
The Mirai botnet operators scour for Tomcat servers that they could infect through brute-forcing tactics.
The Mirai botnet operators scan the internet to look for Tomcat servers. Next, they will launch a brute force attack against the misconfigured or poorly secured server.
The attackers try to gain access to the Tomcat web application manager by trying different credential combinations.
Once they establish a foothold, the botnet operators deploy a WAR file containing a malicious web shell class that listens for remote requests and runs arbitrary commands on the Tomcat server.
This operation also includes the download and execution of a shell script, after which the actors delete a specific file with the Linux ‘rm -rf’ command.
The script stores links to download 12 binary archives, each suited to a specific target environment and chosen according to the system the botnet operators have compromised. The final stage of the campaign deploys a variant of the notorious Mirai botnet, which uses the compromised hosts to launch distributed denial-of-service attacks.
The researchers explained that once the attackers gained access to the web application manager with valid credentials, they could abuse the platform to upload a web shell disguised as a WAR file. From there, the operators could execute commands remotely and launch further attacks.
This development follows a recent cybersecurity study of a poorly managed MS-SQL server that attackers breached to deploy a rootkit malware called Purple Fox. That malware acts as a loader for additional strains, such as coin miners.
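As an added example that is not from the article or the researchers it cites, the following script scans Tomcat access log lines for the intrusion pattern described above: repeated 401 responses from one address against the manager application, a later successful request from the same address, and a deploy request. The log lines, IP addresses and the failure threshold are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed Tomcat access log lines in the default "common" pattern
# (%h %l %u %t "%r" %s %b); these are sample values, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2023:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [14/Jul/2023:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [14/Jul/2023:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [14/Jul/2023:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [14/Jul/2023:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [14/Jul/2023:10:00:09 +0000] "GET /manager/html HTTP/1.1" 200 19032
203.0.113.7 - tomcat [14/Jul/2023:10:00:20 +0000] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 65
192.0.2.10 - admin [14/Jul/2023:10:05:00 +0000] "GET /manager/html HTTP/1.1" 200 19032
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def analyze(log_text, threshold=5):
    """Return suspicious client IPs with their failed manager logins,
    whether a success followed those failures, and any deploy requests."""
    findings = defaultdict(
        lambda: {"failed": 0, "success_after_fail": False, "deploys": []}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith("/manager/"):
            continue  # malformed line or unrelated application
        f = findings[m["ip"]]
        if m["status"] == "401":
            f["failed"] += 1  # rejected credentials against the manager app
        elif m["status"].startswith("2") and f["failed"] > 0:
            f["success_after_fail"] = True  # guessing eventually succeeded
        if m["method"] == "PUT" or "/deploy" in m["path"]:
            f["deploys"].append(m["path"])  # WAR upload via the manager
    return {ip: f for ip, f in findings.items()
            if f["failed"] >= threshold or f["success_after_fail"] or f["deploys"]}


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
```

An address that reaches the threshold, or that succeeds after failures and then deploys, is the sequence worth alerting on; legitimate administrators like the second address produce no finding.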
Organisations should adequately configure and secure their infrastructures to prevent or mitigate such cybercriminal activities. Lastly, they should adopt proper credential hygiene management to avoid falling victim to brute-forcing campaigns.