Level 52
Content Creator
Malware Hunter
New samples of cryptomining malware performs a never-before-seen function: uninstalling cloud security products.

Researchers say they have discovered a unique malware family capable of gaining admin rights on targeted systems by uninstalling cloud-security products. Instances of the malicious activity are tied to coin-mining malware targeting Linux servers.

Palo Alto Networks’ Unit 42, which published the report Thursday, said that the malware samples it found do not compromise, end-run or attack the security and monitoring products in question; they rather simply uninstall them from compromised Linux servers.

“In our analysis, these attacks did not compromise these security products: Rather, the attacks first gained full administrative control over the hosts and then abused that full administrative control to uninstall these products in the same way a legitimate administrator would,” Xingyu Jin and Claud Xiao, Unit 42 researchers, said in a technical write-up.

Specifically, the malware samples set about uninstalling products developed by Tencent Cloud and Alibaba Cloud (Aliyun), two leading cloud providers in China that are expanding their business globally, researchers said. These security suites include key features such as trojan detection and removal based on machine learning, logging activity audits and vulnerability management.

“Palo Alto Networks Unit 42 has been cooperated with Tencent Cloud and Alibaba Cloud to address the malware evasion problem and its C2 infrastructure,” Ryan Olson, vice president of threat intelligence for Unit 42, told Threatpost. “To the best of our knowledge, this is the first malware family that developed the unique capability to target and remove cloud security products.”