- Hackers seen targeting misconfigured JuypterLab instances
- They host malware in polyglot files on image sharing sites
- The Koske malware mines different crypto tokens
Security researchers recently discovered a new Linux malware hiding in pictures of cute animals.
Cybersecurity experts from AquaSec recently found a piece of malware called Koske circulating around the web. It relies on polyglot files – documents that can be read and processed differently, depending on the type of program running them.
The threat actors were apparently targeting JupyterLab instances exposed to the internet, and misconfigured in a way that allows remote command execution. After finding and accessing such endpoints, the attackers would pull .JPEG files from legitimate image hosting services such as OVH images, freeimage, or postimage. The pictures were of AI-generated panda bears, innocuous at first sight.
Serbian hackers?
Through a script interpreter, the images are turned into a CPU and GPU-optimized cryptocurrency miners, using the server’s resources to generate more than 18 types of crypto tokens.
Cryptocurrency “mining” is essentially a process of supporting a blockchain network. In exchange for lending electricity, internet, and computing power to support the grid, users are given cryptocurrency tokens whose value depends on different things such as the number of users, the number of tokens in circulation, and the cost of mining.
Mining crypto this way generates relatively little profit for the attackers, some researchers said, while raking up huge costs for the victims – cloud compute power and electricity are often quite expensive.
AquaSec could not attribute the malware to a specific group definitively, but it did say that it found Serbia-based IP addresses used in the attacks, Serbian phrases in the scripts, and Slovak language in the GitHub repository hosting the miners.
In that context, the name of the malware would make some sense, since the word “Koske” in colloquial or dialectal form means “bones”.
The researchers believe that besides the image, the malware itself was written with the help of large language models (LLM) or automation frameworks.
Via BleepingComputer
You might also like
- Thousands of PostgreSQL servers are being hijacked to mine crypto
- Take a look at our guide to the best authenticator app
- We’ve rounded up the best password managers
This articles is written by : Fady Askharoun Samy Askharoun
All Rights Reserved to Amznusa www.amznusa.com
Why Amznusa?
AMZNUSA is a dynamic website that focuses on three primary categories: Technology, e-commerce and cryptocurrency news. It provides users with the latest updates and insights into online retail trends and the rapidly evolving world of digital currencies, helping visitors stay informed about both markets.
