A newly found piece of malware targeting web servers running on Linux is scanning for websites built on popular content management systems (CMS) and exploiting their vulnerabilities to expand a botnet.
Russian security firm Dr. Web says the malware is capable of launching distributed denial of service (DDoS) attacks, sending spam email, and self-propagating across a network.
The malware targets a number of widely used systems, including Drupal, WordPress, Magento, ContactScanner, AirOS, Exagrid, Jetspeed, and others.
One feature of the malware scans for websites that use these systems, attempting to exploit known vulnerabilities to expose user details, private SSH keys, and login credentials stored on remote servers.
The security firm links the malware to recent attacks on Drupal sites that used an SQL injection flaw to compromise web servers; victims of those attacks faced a ransom demand of 1.4 Bitcoin to release the key.
According to Dr. Web, the botnet's spam feature sends DDoS extortion emails purportedly written by the Armada Collective, a name that has been co-opted by online criminal groups hoping to capitalise on high-profile attacks attributed to the gang. Armada Collective was blamed for a series of attacks last year on Swiss ISPs and on the Switzerland-based secure email provider ProtonMail, which, against common advice, paid a ransom and was struck by attackers anyway.
However, content distribution network provider CloudFlare last year called out scammers for using the Armada Collective name to bluff victims into paying up when threatened with a DDoS attack. The firm reported that none of the threats it saw had been followed by an actual attack.
Recipients of email spam from this botnet will see a message claiming to be from either the Armada Collective or Anonymous, both of which contain the same threat.
“If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time. This is not a joke. Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help,” the message reads.
The message is identical to the one that CloudFlare flagged and called out as a non-credible threat. According to CloudFlare, targets were asked for Bitcoin payments valued at between around $5,000 and $20,000.
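Because the extortion text is a fixed template that CloudFlare had already documented as a bluff, the practical defence for a mail or SOC team is to recognise it on arrival rather than to escalate it. The following is an added example, not code from the article or from Dr. Web or CloudFlare: it scores an inbound message against phrases taken from the quoted template and extracts the Bitcoin amount demanded. The indicator weights, the threshold and the two sample messages are this example's own constructions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators taken from the extortion template quoted above. The weights and
# THRESHOLD are an assumption made for this example, not a vendor's rule set.
INDICATORS = {
    "claims_armada_or_anonymous": (re.compile(r"\b(armada collective|anonymous)\b", re.I), 3),
    "publicity_threat": (re.compile(r"free publicity", re.I), 2),
    "permanent_attack": (re.compile(r"attack will start permanently", re.I), 3),
    "tbps_boast": (re.compile(r"\d+\s*tbps", re.I), 2),
    "no_cheap_protection": (re.compile(r"no cheap protection", re.I), 2),
    "bitcoin_demand": (re.compile(r"\b\d+(?:\.\d+)?\s*(?:btc|bitcoins?)\b", re.I), 2),
}
THRESHOLD = 6  # a single generic hit (e.g. the word "anonymous") must not trigger

BTC_AMOUNT = re.compile(r"(\d+(?:\.\d+)?)\s*(?:btc|bitcoins?)\b", re.I)


@dataclass
class Verdict:
    score: int
    matched: List[str] = field(default_factory=list)
    btc_amount: Optional[float] = None

    @property
    def is_template(self) -> bool:
        return self.score >= THRESHOLD


def score_message(body: str) -> Verdict:
    """Score a message body against the known extortion template."""
    text = " ".join(body.split())  # collapse line breaks and runs of whitespace
    verdict = Verdict(score=0)
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(text):
            verdict.score += weight
            verdict.matched.append(name)
    amount = BTC_AMOUNT.search(text)
    if amount:
        verdict.btc_amount = float(amount.group(1))
    return verdict


# Constructed sample: the quoted threat text wrapped in a plausible demand.
SAMPLE_EXTORTION = """We are the Armada Collective.
Pay 20 BTC within 48 hours or your network will go down.
If you report this to media and try to get some free publicity by using our
name, instead of paying, attack will start permanently and will last for a
long time. This is not a joke. Our attacks are extremely powerful - sometimes
over 1 Tbps per second. So, no cheap protection will help."""

# Constructed sample: benign mail that happens to contain one indicator word.
SAMPLE_BENIGN = "Hi team, the anonymous survey results are attached. Thanks."


if __name__ == "__main__":
    for label, body in (("extortion", SAMPLE_EXTORTION), ("benign", SAMPLE_BENIGN)):
        v = score_message(body)
        print(f"{label}: score={v.score} template={v.is_template} "
              f"btc={v.btc_amount} matched={v.matched}")
```

The threshold matters: a benign mail containing the word "anonymous" scores one indicator and is not flagged, while the template trips several of the distinctive phrases at once. A flagged message can be routed to a triage queue with the extracted Bitcoin amount, rather than to whoever would be asked to approve a payment.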