Many of these files accompany deployed applications and contain sensitive information such as credentials or access tokens, but they should not be readable by external users. Unfortunately, such misconfigurations are common. For example, security researchers recently reported that attackers collected .env files from around 110,000 domains, leading to the exposure of more than 90,000 unique environment variables, 7,000 of which corresponded to cloud services.
Multi-stage malware deployment
Once they gain access to a system, the attackers attempt to execute a shell script called rconf that performs several checks, sets environment variables, and downloads the main payload. For example, it checks whether the /tmp directory exists, is writable, and has execute permissions; if it does not, the script attempts to mount it. It also checks whether the system's architecture is x86_64, because the payload will not run on ARM or other CPU types.
The script then downloads a file called avatar.php, saves it to the /tmp directory under the name httpd, a name normally used by the Apache web server process, and then executes it. Interestingly, the request to download avatar.php from the attackers' servers must carry a specific User-Agent header to receive the malicious payload; otherwise, the server serves a benign PHP file.
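Two of the conditions described above give defenders something concrete to check for: whether /tmp is mounted without noexec (the state the rconf script looks for), and whether a process named httpd is running from /tmp or another world-writable directory rather than from the Apache install path. The following is an added detection example written for this page, not code from the article or from the malware; the /proc/mounts text and the process inventory are constructed samples, and the set of world-writable directories is an assumption.

```python
# Constructed sample in /proc/mounts format: /tmp is a tmpfs mount WITHOUT noexec,
# which is the condition the dropper checks before writing its payload there.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
"""

# Constructed process inventory: (pid, command name, resolved executable path),
# the shape you get from /proc/<pid>/comm and readlink on /proc/<pid>/exe.
SAMPLE_PROCS = [
    (812, "httpd", "/usr/sbin/httpd"),      # legitimate Apache worker
    (4133, "httpd", "/tmp/httpd"),          # payload masquerading as Apache
    (4190, "sh", "/usr/bin/dash"),
    (4201, "httpd", "/dev/shm/httpd"),      # same trick, different scratch dir
]

# Assumed list of world-writable locations a dropper would use instead of /tmp.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def tmp_allows_exec(mounts_text):
    """Return True if /tmp can execute binaries, i.e. it has no noexec option.

    A dedicated /tmp mount is judged by its own options; with no dedicated
    mount, /tmp lives on the root filesystem, which is normally exec.
    """
    for line in mounts_text.splitlines():
        fields = line.split()  # device mountpoint fstype options dump pass
        if len(fields) >= 4 and fields[1] == "/tmp":
            return "noexec" not in fields[3].split(",")
    return True


def masquerading_procs(procs):
    """Return (pid, exe) for processes named httpd but executing from a scratch dir."""
    return [(pid, exe) for pid, comm, exe in procs
            if comm == "httpd" and exe.startswith(WRITABLE_DIRS)]


if __name__ == "__main__":
    print("/tmp allows exec:", tmp_allows_exec(SAMPLE_MOUNTS))
    for pid, exe in masquerading_procs(SAMPLE_PROCS):
        print(f"suspicious httpd pid={pid} exe={exe}")
```

On a live host, feed `open("/proc/mounts").read()` and a walk of `/proc/<pid>/comm` and `/proc/<pid>/exe` into the same two functions.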