New Apache and Exchange attack hits Linux and Windows

18.07.2025 2 minutes Author: Newsman

Hackers are back in action: exploiting vulnerabilities in Apache HTTP Server and Microsoft Exchange lets attackers launch the Linuxsys cryptominer and a VBS version of the Lcryx ransomware, and take full control of the server via GhostContainer. All of this is done through long-known vulnerabilities, abuse of legitimate websites, and infrastructure based in Indonesia.

The attack is based on CVE-2021-41773 in Apache HTTP Server 2.4.49, a known path traversal vulnerability that can lead to remote code execution. Through it, the hackers deliver a shell script that downloads the Linuxsys miner from the attacker-controlled repositorylinux[.]org domain, using legitimate SSL-secured websites as proxies.

The script also installs a cron.sh script so the miner is started automatically. Analysis points to an Indonesian origin: comments in Sundanese were found in the source code. Previously, the same actors abused vulnerabilities in GeoTools (CVE-2024-36401) and Atlassian Confluence (CVE-2023-22527), as well as in Chamilo LMS, Metabase and Palo Alto firewalls.

In addition to mining, the attack launches other infection chains: shell scripts disable antivirus software, databases and user services, after which the Kinsing RAT and the same XMRig miner enter the system. In parallel, Lcrypt0rx is activated, a pseudo-ransomware that blocks Windows tools, disables protection and tries to erase the MBR. Notably, no keys are stored and the encryption is basic XOR, so this is closer to scareware than to a full-fledged ransomware attack.
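To show why XOR "encryption" with no stored key is scareware rather than ransomware, here is an added example (not Lcrypt0rx code, and not from the article): a hypothetical repeating-key XOR routine modelled only on the description above, and the known-plaintext recovery a responder can run without any key from the attacker, assuming the encrypted files kept their normal file headers.

```python
from itertools import cycle
from typing import Optional, Tuple

# Constructed demo: the XOR routine and key are hypothetical, modelled only on
# the article's description (basic XOR, key not kept by the attacker).

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes, known_prefix: bytes, max_len: int = 64) -> Optional[bytes]:
    """Derive the repeating key from a plaintext prefix we already know (a file
    magic/header). ciphertext XOR plaintext yields the key stream; the shortest
    period consistent with that stream is the key. Returns None when the known
    prefix is not longer than the key (no repetition observed, so the key length
    is ambiguous) or when no period up to max_len fits."""
    stream = xor_bytes(ciphertext[:len(known_prefix)], known_prefix)
    for n in range(1, min(max_len, len(stream) - 1) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None

# File headers a responder can match against encrypted files (constructed list;
# a longer prefix than the key is needed, so PDF needs a short key here).
KNOWN_HEADERS = {
    "pdf": b"%PDF-1.",
    "png": b"\x89PNG\r\n\x1a\n",
}

def recover_file(ciphertext: bytes) -> Optional[Tuple[str, bytes]]:
    """Try each known header; return (file type, plaintext) on the first key found."""
    for kind, header in KNOWN_HEADERS.items():
        key = recover_key(ciphertext, header)
        if key is not None:
            return kind, xor_bytes(ciphertext, key)
    return None
```

Because XOR is its own inverse, any file whose first bytes are predictable gives the key away, which is why the missing key storage is irrelevant to recovery here.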

Similar campaigns using compromised legitimate sites, curl, wget and multi-stage loading have been observed before. This time, the cybercriminals have gone further: they are using fake VBS scripts, CoinMiner, Kinsing, infostealers (Lumma, RustyStealer), and even DCRat, an injector and Cobalt Strike. This points to the scaling of ready-made schemes and the merging of several malicious chains into one multifunctional infrastructure.

In a parallel campaign, attacks on Microsoft Exchange have been recorded via CVE-2020-0688, deploying GhostContainer, a backdoor that needs no C2 server and hides its commands in normal Exchange web requests. With it, the hackers can execute shellcode, upload or delete files, proxy traffic and gain full control over government servers in Asia.

These campaigns are further proof of the commodification of cybercrime. Attackers combine old but still effective vulnerabilities, AI-generated code, legitimate infrastructure and the simultaneous delivery of multiple infection chains. The result is higher cloud resource costs, performance degradation, and data leakage risks. All of this is now accessible even to attackers without deep technical knowledge.
