A new malware family targeting cloud services to mine cryptocurrency has been discovered by researchers.
Dubbed CoinStomp, the malware is made up of shell scripts that “attempt to exploit cloud compute instances hosted by cloud service providers for the purpose of mining cryptocurrency,” according to Cado Security.
The firm’s researchers say that the overall purpose of CoinStomp is to quietly compromise instances in order to harness their computing power to illicitly mine cryptocurrency, a form of attack known as cryptojacking.
A number of attack attempts have been focused, so far, on cloud service providers in Asia.
Clues in code also referenced Xanthe, a cryptojacking threat group recently tied to the Abcbot botnet. However, the clue – found in a defunct payload URL – is not enough to firmly establish who is responsible for CoinStomp and may have been included in “an attempt to foil attribution,” according to the team.
CoinStomp has a number of interesting capabilities. One is its reliance on “timestomping” – the manipulation of timestamps by running the touch -t command on Linux systems to update file modification and access times.
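As an added example (not code from the Cado Security report), the following Python script shows the forensic check that catches `touch -t` timestomping on Linux: the call can rewrite a file's mtime and atime, but the kernel updates ctime on that same call, so a file whose ctime is far newer than its mtime stands out. The sample files it creates, and the `backdate`, `find_timestomped` and `demo` names, are constructed for this illustration.

```python
import os
import tempfile
import time
from pathlib import Path

# On Linux, `touch -t` (the utime() call behind it) rewrites a file's
# atime and mtime, but the kernel sets ctime (inode change time) to "now"
# on that same call and gives user space no way to backdate it.
# A file whose ctime is much newer than its mtime is therefore a lead
# worth checking, although package managers, tar and rsync -a also
# restore old mtimes, so treat hits as candidates, not verdicts.

ONE_YEAR = 365 * 24 * 3600


def backdate(path: Path, when: float) -> None:
    """Equivalent of `touch -t <when> path`: set atime and mtime only."""
    os.utime(path, (when, when))


def find_timestomped(root: Path, min_gap: float = 3600.0) -> list[str]:
    """Return relative paths under root whose ctime leads mtime by > min_gap."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        if st.st_ctime - st.st_mtime > min_gap:
            hits.append(str(path.relative_to(root)))
    return sorted(hits)


def demo() -> list[str]:
    """Constructed sample: one untouched file and one backdated script."""
    root = Path(tempfile.mkdtemp(prefix="timestomp-demo-"))
    (root / "notes.txt").write_text("untouched file\n")
    stomped = root / "cron.sh"
    stomped.write_text("#!/bin/sh\n# constructed stand-in for a dropped script\n")
    backdate(stomped, time.time() - ONE_YEAR)  # mtime now looks a year old
    return find_timestomped(root)


if __name__ == "__main__":
    print(demo())  # ['cron.sh']
```

The same comparison can be run across a whole mounted disk image with `find -newerct`-style filters or a `stat`-based loop; the point is that ctime is the field timestomping cannot reach.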
“It seems likely that timestomping was employed to obfuscate usage of the chmod and chattr utilities, as forensic tools would display