A new Linux malware named Koske may have been developed with artificial intelligence and is using seemingly benign JPEG images of panda bears to deploy malware directly into system memory.
Researchers from cybersecurity company AquaSec analyzed Koske and described it as "a sophhisticated Linux threat." Based on the observed adaptive behavior, the researchers believe that the malware was developed using large language models (LLMs) or automation frameworks.
Koske’s purpose is to deploy CPU and GPU-optimized cryptocurrency miners that use the host’s computational resources to mine over 18 distinct coins.
AquaSec identified Serbia-based IP addresses used in the attacks, Serbian phrases in the scripts, and Slovak language in the GitHub repository hosting the miners, but it could make no confident attribution.
Pandas attack
Initial access is achieved by leveraging misconfigurations of JupyterLab instances exposed online to achieve command execution.
After gaining a foothold, the attacker downloads two .JPEG images of panda bears hosted on legitimate services like OVH images, freeimage, and postimage. However, the pictures hide malicious payloads.
AquaSec underlines that the threat actor did not use steganography to hide the malware inside images but relied on polyglot files, which are valid in multiple formats.
In Koske attacks, the same file can be interpreted as both an image and a script, depending on the application that opens or processes it.
While the panda pics feature valid image headers for the JPEG format, they also include malicious shell scripts and C code at the end, allowing both formats to be interepreted separately.
... continue reading