
New Koske Linux malware is hidden in cute panda pictures


A new Linux-based malware named Koske is believed to have been developed with the help of artificial intelligence. It uses JPEG images of pandas to load malware directly into system memory. Researchers from cybersecurity company AquaSec analysed Koske and described it as “a sophisticated Linux threat.” Based on its observed adaptive behaviour, the researchers believe the malware was created using large language models or automation frameworks.

Koske is designed to deploy CPU- and GPU-optimized cryptocurrency miners, which use the host’s computing resources to mine more than 18 different coins. AquaSec could not attribute the attacks to any specific actor, but it identified Serbian IP addresses, Serbian phrases and Slovak-language content in the GitHub repository that hosted the miners.

Pandas Attack

Initial access is achieved by exploiting misconfigurations in JupyterLab instances that are exposed online.

Once the attacker has gained a foothold, they download two JPEG pictures of panda bears hosted on legitimate services such as OVH images and freeimage. The pictures are in fact malicious payloads.

AquaSec emphasizes that the threat actor did not use steganography to hide malware inside the images, but instead relied on polyglot files, which are valid in multiple formats at once.

The same file in the Koske attacks can be interpreted both as an image and as a script, depending on the program that opens or processes it.

The panda pictures carry valid JPEG image headers, but malicious shell scripts and C code are appended at the end of the file. Each format is therefore interpreted separately: an image viewer reads the JPEG data, while a script interpreter reads the appended code.

When a user opens one of the files, they see a cute panda, but a script interpreter executes the shell code at the end.

Seemingly innocuous panda image (top), file contents (bottom)
Source: AquaSec
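On the defender's side, the polyglot layout described above can be checked for by parsing the JPEG marker stream and inspecting whatever follows the end-of-image (EOI) marker. The following Python is an added example, not AquaSec's code or a Koske artifact; the sample bytes are a constructed minimal JPEG with a harmless constructed script appended, and the keyword list used to classify the trailer is an assumption.

```python
import re

# Constructed sample: a minimal JPEG marker stream (SOI, APP0, SOS, a few
# bytes of entropy-coded data with FF 00 stuffing, EOI). Not a real Koske file.
CLEAN_JPEG = (
    b"\xff\xd8"                                                     # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                     # SOS
    b"\x12\x34\xff\x00\x56"                                         # scan data
    b"\xff\xd9"                                                     # EOI
)
# Constructed polyglot: the same image with a harmless script appended.
POLYGLOT_JPEG = CLEAN_JPEG + b"#!/bin/bash\n# constructed trailer\necho hello\n"

# Bytes that may legally follow 0xFF inside entropy-coded data: stuffing and RSTn.
NOT_A_MARKER = {0x00} | set(range(0xD0, 0xD8))


def jpeg_trailer(data: bytes) -> bytes:
    """Return everything after the real EOI marker (empty if nothing follows).

    Segments are skipped by their length fields, so an FF D9 inside an APPn
    segment (e.g. an EXIF thumbnail) is not mistaken for the image's EOI.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                    # EOI
            return data[pos + 2:]
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                    # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in NOT_A_MARKER
            ):
                pos += 1                      # stop at the next real marker
    return b""


# Assumed hints of shell or C source in the trailer; tune to the environment.
SCRIPT_HINTS = re.compile(rb"^#!|#include\b|\b(bash|curl|wget|chattr|crontab|systemctl)\b")


def is_suspicious_polyglot(data: bytes) -> bool:
    """True if meaningful data follows EOI and it looks like shell or C source."""
    trailer = jpeg_trailer(data)
    if len(trailer.strip(b"\x00\r\n\t ")) < 16:  # encoders may pad a few bytes
        return False
    return SCRIPT_HINTS.search(trailer[:4096]) is not None
```

A few bytes of padding after EOI are common and ignored; a trailer of any real size, script-like or not, is worth a closer look on a JupyterLab host.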

The attacks AquaSec discovered hide one payload in each image, and both are launched in parallel.

“One payload is C code written directly to memory, compiled, and executed as a shared object .so file that functions as a rootkit,” explains AquaSec.

“The second is a script that is also executed in memory, but uses standard system utilities for stealth and persistence, leaving few visible traces.”

The shell script is run directly in memory using native Linux utilities. Persistence is established through cron jobs that run every 30 minutes and through custom systemd services.

The malware also performs proxy evasion and network hardening: it overwrites /etc/resolv.conf to use Cloudflare DNS and Google DNS, locks the file with chattr +i, flushes iptables rules, resets proxy environment variables, and uses a custom module to brute-force working proxies with curl, wget and raw TCP checks. This adaptability and behaviour led AquaSec’s researchers to suspect that the threat actor built the malware with the assistance of an LLM or automation platform.

The C-based rootkit, compiled in RAM, uses LD_PRELOAD to override readdir(), hiding malware-related files, directories, and processes from user-space monitoring software.

The rootkit filters out directory entries that contain strings such as koske or hideproc, and it can also read hidden PIDs stored in /dev/shm/.hiddenpid.

After setting up persistence and establishing network connectivity, the shell script downloads the cryptominers from GitHub.

Complete attack chain
Source: AquaSec

The host’s CPU and GPU are evaluated before deployment to determine the most efficient miner.

Koske supports mining 18 different coins, including the hard-to-trace Monero, Ravencoin and Nexa.

When a coin or mining pool becomes unavailable, the malware automatically switches to a backup from its internal list, which shows a high level of automation and adaptability. AquaSec warns that AI-powered malware such as Koske is already concerning for its real-time adaptability and is evolving into a more dangerous class of threats.

www.aiobserver.co