
Koske Linux malware hides in panda images to evade detection

Summary

– A new Linux malware called Koske uses JPEG images of pandas to deploy malicious payloads into system memory, bypassing traditional detection methods.
– Researchers suspect AI or automation frameworks were used to develop Koske due to its adaptive behavior and sophisticated design.
– The malware deploys cryptocurrency miners optimized for CPU and GPU, targeting over 18 different coins, including Monero and Ravencoin.
– Koske leverages polyglot files, allowing the same file to function as both an image and a script, with hidden malicious code executed separately from the visible image.
– The malware establishes persistence through cron jobs, custom systemd services, and a rootkit that hides processes, while also evading detection via network hardening and proxy manipulation.

A sophisticated Linux malware called Koske has been discovered using deceptive panda images to deliver malicious payloads while evading traditional detection methods. Security experts believe artificial intelligence may have played a role in developing this advanced threat, which targets system vulnerabilities to install cryptocurrency miners.

Researchers at AquaSec uncovered the malware’s unique delivery mechanism, which relies on seemingly harmless JPEG files featuring panda bears. Rather than conventional steganography, the attackers employed polyglot files: a single file that is both a valid image and an executable script, depending on which program parses it. When opened normally, users see an innocent panda photo, but a system that interprets the file as code runs the hidden malicious script.
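The polyglot trick described above works because image decoders stop reading at the JPEG End-Of-Image marker, so anything appended after it is never displayed. The following triage script, an added example that is not AquaSec's or the malware's code, checks whether a JPEG carries data past that marker and whether the tail looks script-like; the JPEG samples and the keyword heuristics are constructed for illustration and would need tuning for a real fleet.

```python
"""Flag JPEG files that carry extra data after the End-Of-Image (EOI) marker."""
import re
from pathlib import Path
from typing import Optional

SOI = b"\xff\xd8"   # Start-Of-Image: every JPEG begins with this
EOI = b"\xff\xd9"   # End-Of-Image: decoders stop here, ignoring what follows

# Heuristic for script-like trailing bytes (assumption: extend for your environment).
SCRIPT_HINTS = re.compile(rb"#!/|\bbash\b|\bcurl\b|\bwget\b|\bcrontab\b|\bsystemctl\b")


def trailing_data(blob: bytes) -> Optional[bytes]:
    """Return the bytes after the last EOI marker, or None if blob is not a JPEG."""
    if not blob.startswith(SOI):
        return None
    # Use the *last* EOI: an EXIF thumbnail embeds a second JPEG (with its own
    # EOI) inside the APP1 segment, and entropy-coded data byte-stuffs 0xFF,
    # so a stray FFD9 cannot appear inside the real image stream.
    end = blob.rfind(EOI)
    if end == -1:
        return None  # truncated or malformed JPEG: no EOI marker at all
    return blob[end + len(EOI):]


def classify(blob: bytes) -> str:
    """Label a file as not-jpeg, clean, trailing-data, or suspicious-script-tail."""
    tail = trailing_data(blob)
    if tail is None:
        return "not-jpeg"
    if not tail.strip(b"\x00\n\r\t "):
        return "clean"  # only padding/whitespace after EOI is harmless
    if SCRIPT_HINTS.search(tail):
        return "suspicious-script-tail"
    return "trailing-data"  # non-empty but not obviously a script; review manually


def scan_paths(paths) -> dict:
    """Classify each file on disk; returns {path: label}."""
    return {str(p): classify(Path(p).read_bytes()) for p in paths}


# Constructed samples (not real artifacts): a stub JPEG, and the same stub with
# a shell snippet appended after EOI, the way a polyglot image would be built.
CLEAN_JPEG = SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + EOI
POLYGLOT = CLEAN_JPEG + b"\n#!/bin/bash\necho hidden\n"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("polyglot", POLYGLOT)):
        print(f"{name}: {classify(blob)}")
```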

The attack begins by exploiting misconfigured JupyterLab instances exposed online. Once access is gained, the malware downloads two panda images from legitimate image hosting services. Each image carries a distinct payload, and the two run in parallel: one is C code that operates as a rootkit, the other a stealthy shell script. Both execute directly in memory without leaving obvious traces on disk.

The shell script demonstrates remarkable sophistication by:

  • Establishing persistence through cron jobs and custom systemd services
  • Modifying network configurations to use Cloudflare and Google DNS
  • Locking system files to prevent changes
  • Flushing firewall rules and resetting proxy settings
  • Testing multiple proxy connections for evasion

Meanwhile, the C-based rootkit manipulates system functions to hide malicious processes and files from monitoring tools. It specifically conceals entries containing keywords like “koske” or “hideproc,” along with any processes listed in a hidden system file.

After securing its foothold, Koske assesses the infected system’s hardware capabilities before deploying optimized cryptocurrency miners. The malware supports mining 18 different cryptocurrencies, including privacy-focused options like Monero, with automatic failover to backup pools if primary targets become unavailable. This level of automation suggests either AI-assisted development or advanced scripting frameworks.

Security analysts express particular concern about the malware’s adaptive behavior and potential for evolution. The current version already demonstrates capabilities that could foreshadow more dangerous variants capable of real-time adjustments to bypass security measures. As Linux systems increasingly become targets, this discovery highlights the growing sophistication of modern cyber threats.

(Source: Bleeping Computer)
