Security researchers warn that a new form of malware targets Linux servers and disable their security products in order to mine cryptocurrency.

Palo Alto Networks’ Unit 42 reveals that it came across samples of malware used by a group called Rocke to infiltrate into Linux systems and look for five different cloud security products that could block further malicious activities on the compromised hosts.

The analysis reveals that successful attacks launched by Rocke first require them to exploit vulnerabilities found in other software solutions that would allow them to deploy the malware. Flaws in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion are being used.

Once the host has been compromised, the malware downloads a script called a7 on the system and enables persistence using cronjobs.

Furthermore, it can kill all the other mining processes running on the same host, block other malware with iptables rules, hide its malicious process, and uninstall agent-based cloud security products.

Chinese systems targeted

The impacted security solutions are all developed by Chinese companies. The following products have been confirmed to be impacted by the malware:

Alibaba Threat Detection Service agent

Alibaba CloudMonitor agent (Monitor CPU & memory consumption, network connectivity)

Alibaba Cloud Assistant agent (tool for automatically managing instances)

Tencent Host Security agent

Tencent Cloud Monitor agent

Given the malware targets mostly security products developed by Alibaba and Tencent, most attacks are believed to be carried out in China, though it could very well be expanded to other regions as well. Both companies have already been informed of the attacks in order to block potential exploits.