WordPress Servers are the latest targets for new Cryptocurrency Ransomware

Researchers from a Russia-based VPS company announced that a new type of crypto-mining virus has been found in cyberattacks on WordPress sites. According to Akamai cybersecurity experts, the malware, nicknamed Capoae, is written in the Go programming language, which has grown in popularity among threat actors due to its ability to produce easily repeatable cross-platform code that operates on Windows 10, Linux, macOS, and Android.

It’s particularly fascinating because Capoae exploits various vulnerabilities to obtain access to WordPress installations and then uses the popular XMRig cryptocurrency mining software to stealthily mine cryptocurrency, according to veteran vulnerability researcher Larry Cashdollar.

The tactics used in crypto mining campaigns are becoming more advanced all the time. The Capoae campaign’s exploitation of different vulnerabilities and strategies shows how determined these hackers are to gain access to as many devices as possible.

According to the researcher Larry Cashdollar, the malware gained access to the server by brute-forcing the WordPress admin credentials and installing a contaminated WordPress plugin called download-monitor that contained a backdoor.

The researcher was able to decipher the malware’s attack strategy after studying the honeypot logs and the virus itself. Capoae used one vulnerability in Oracle WebLogic Server, another in ThinkPHP, and a couple in Jenkins. Following the discovery of the new malware, Cashdollar asks all WordPress administrators to check their servers for high use of system resources, unrecognizable system processes, and dubious log entries or artifacts, such as suspicious files and SSH keys, which are some of the common signs of intrusion.
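The entry pattern described above, a brute-forced admin login followed by a plugin install, is one of the "dubious log entries" an administrator can look for in web server access logs. The script below is an added example, not code from the researcher or the original article: the log lines are constructed, and it assumes combined log format, that a failed WordPress login answers 200 while a successful one answers 302, and that plugin uploads go through `/wp-admin/update.php?action=upload-plugin`.

```python
import re
from collections import defaultdict

# Combined-log-format fields used here: client IP, method, path, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
UPLOAD = "/wp-admin/update.php?action=upload-plugin"  # WordPress plugin upload request

# Constructed sample log (documentation IP ranges); not honeypot data.
_FAIL = '203.0.113.7 - - [01/Oct/2021:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4521'
SAMPLE_LOG = "\n".join([_FAIL % i for i in range(6)] + [
    '203.0.113.7 - - [01/Oct/2021:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Oct/2021:10:01:12 +0000] "POST ' + UPLOAD + ' HTTP/1.1" 200 8120',
    '198.51.100.20 - - [01/Oct/2021:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521',
    '198.51.100.20 - - [01/Oct/2021:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.20 - - [01/Oct/2021:10:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000',
])

def analyze(log_text, threshold=5):
    """Return {ip: state} for clients with at least `threshold` failed logins.

    Assumptions: a failed wp-login.php POST answers 200 (form re-rendered) and a
    successful one answers 302; the threshold of 5 is an arbitrary starting point.
    """
    state = defaultdict(lambda: {"failed": 0, "login_after_failures": False,
                                 "plugin_upload": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        s = state[ip]
        if method == "POST" and path.startswith("/wp-login.php"):
            if status == 200:
                s["failed"] += 1
            elif status == 302 and s["failed"] >= threshold:
                s["login_after_failures"] = True
        elif method == "POST" and path.startswith(UPLOAD) and s["login_after_failures"]:
            s["plugin_upload"] = True  # plugin installed right after a guessed login
    return {ip: s for ip, s in state.items() if s["failed"] >= threshold}

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s)
```

A client flagged with both `login_after_failures` and `plugin_upload` warrants checking the installed plugins against known-good copies and rotating the admin credentials.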
