Researchers find new malware that uninstalls cloud security software

CielView-Server minimizes redundancy in computing resources while allowing users remote desktop access to virtualized user Desktops. CielView-Desktop provides customized solutions to each user in an organization

Researchers discovered a unique malware family that gains admin rights on targeted systems and then uninstalls cloud security products. The malicious activity is tied to coin mining malware targeting Linux servers. Palo Alto Networks' Unit 42 published the report. The malware samples found did not compromise, end-run or attack the security and monitoring products in question; they simply uninstalled them from compromised Linux servers.

The attacks first gain full administrative control over the hosts and then use that control to uninstall security products. The malware samples uninstalled products developed by Tencent Cloud and Alibaba Cloud, two leading cloud providers in China that are expanding their business globally. These security suites include trojan detection and removal based on machine learning, logging activity audits and vulnerability management. Palo Alto Networks Unit 42 has cooperated with Tencent Cloud and Alibaba Cloud to address the malware evasion problem and its C2 infrastructure. This is the first malware family known to have developed the capability to target and remove cloud security products.


To infect victim machines, the attackers exploit vulnerabilities in Apache Struts 2, Oracle WebLogic and Adobe ColdFusion. Once the malware is downloaded, it establishes a connection to a command and control server and downloads a shell script called a7 onto the system. The shell script executes malicious code, including killing other cryptomining processes on the system, downloading and running a coin miner, and hiding its own process from Linux using the open source tool libprocesshider.

At this point, the malware uses a function that can uninstall cloud workload protection platforms, the agent-based security protection solutions for public cloud infrastructure. The Tencent Cloud and Alibaba Cloud official websites provide documents that guide users on how to uninstall their cloud security products. Researchers think the new malware samples follow these official uninstallation procedures.
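The hiding step in the infection chain above and the agent-removal step in this paragraph both leave host-level traces a defender can look for. The script below is an added example written for this page; it is not code from Unit 42, from the article or from either cloud provider. It models three triage checks: whether /etc/ld.so.preload forces a shared object into every process (libprocesshider works by adding itself to that file, so a non-empty file on a server that never used preloading is worth a look), whether the security agent processes that should be running are actually present, and whether a command log contains the kinds of actions the report describes (execution from /tmp, process kills, an uninstall invocation, preload tampering). The agent process names AliYunDun and YDService are assumed names standing in for whatever your provider documents for your tenant; the log lines, paths, timestamps and process list are constructed sample data, not indicators from the report.

```python
"""Host triage checks for the Linux coin-miner behaviour described above.

Added example (not from the Unit 42 report). Every check returns its
findings as a list so the results can be asserted on or forwarded to a SIEM
rather than only printed.
"""
import re

# ---- Check 1: /etc/ld.so.preload -------------------------------------------
# libprocesshider hides a process by listing its .so in /etc/ld.so.preload so
# the dynamic loader injects it into every new process. On a stock server the
# file is absent or empty, so any entry is a finding.
def check_ld_preload(preload_contents: str) -> list[str]:
    findings = []
    for raw in preload_contents.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        findings.append(f"ld.so.preload forces loading of {entry}")
    return findings


# ---- Check 2: expected security agents -------------------------------------
# ASSUMED names: replace with the process names your provider documents.
EXPECTED_AGENT_PROCESSES = frozenset({"AliYunDun", "YDService"})

def check_agents_running(running: set[str],
                         expected=EXPECTED_AGENT_PROCESSES) -> list[str]:
    """Report every expected agent process that is absent from `running`."""
    return [f"expected security agent process not running: {name}"
            for name in sorted(expected - set(running))]


# ---- Check 3: command log --------------------------------------------------
# Each rule tags one behaviour from the infection chain. Administrators do
# these things too, so treat hits as triage leads, not verdicts.
COMMAND_RULES = [
    ("agent-uninstall", re.compile(r"\buninstall", re.I)),
    ("preload-tamper", re.compile(r"ld\.so\.preload")),
    ("exec-from-tmp", re.compile(r"\b(sh|bash)\s+/tmp/")),
    ("process-kill", re.compile(r"\b(pkill|killall|kill)\b")),
]

def check_command_log(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, tag, line) for every rule that matches a line."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for tag, pattern in COMMAND_RULES:
            if pattern.search(line):
                hits.append((number, tag, line))
    return hits


def triage(preload_contents: str, running: set[str], log_text: str) -> dict:
    """Run all three checks and return their findings keyed by check name."""
    return {
        "ld_preload": check_ld_preload(preload_contents),
        "agents_missing": check_agents_running(running),
        "command_hits": check_command_log(log_text),
    }


# ---- Constructed sample data (not real indicators) -------------------------
SAMPLE_LD_PRELOAD = "/usr/local/lib/libprocesshider.so\n"
SAMPLE_RUNNING = {"sshd", "cron", "YDService"}      # AliYunDun is gone
SAMPLE_LOG = """\
2019-01-01T00:00:01Z root /bin/sh /tmp/a7
2019-01-01T00:00:02Z root pkill -9 -f minerd
2019-01-01T00:00:03Z root /opt/cloud-agent/uninstall.sh
2019-01-01T00:00:04Z root echo /usr/local/lib/libprocesshider.so >> /etc/ld.so.preload
2019-01-01T00:00:05Z root systemctl restart sshd
"""

if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LD_PRELOAD, SAMPLE_RUNNING,
                                  SAMPLE_LOG).items():
        print(check)
        for finding in findings:
            print("  ", finding)
```

On a live host the three inputs would come from reading /etc/ld.so.preload, listing /proc (bearing in mind that a preloaded hider can falsify exactly that listing, which is why the preload check comes first), and from auditd or shell-history collection; the regexes are deliberately broad because the point is to surface the sequence of actions, not to match one sample's file names.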

Researchers suspect that the new malware family was developed by the Iron cybercrime group. The payloads of Iron's and Rocke's malware are similar, and the malware reaches out to similar infrastructure. The malware is also associated with the Xbash malware, a sophisticated family in the wild, which turns Windows and Linux systems into crypto mining machines, with ransomware to boot. The version of the malware used by the Rocke group demonstrates that an agent-based cloud security solution may not be enough to prevent evasive malware targeted at public cloud infrastructure.