Koske Malware Uses Panda Images to Mine Crypto

As technology rapidly advances, so do cyber threats. Recently, researchers discovered a new Linux malware named Koske that takes stealth to a whole new level. Disguised as innocent-looking panda images, this malware secretly hijacks system resources to mine cryptocurrency.

What is Koske?

Koske is a cryptojacking malware discovered by cybersecurity researchers at AquaSec. It hides malicious code inside what appears to be regular panda image files. These files may look harmless to users, but once executed, they allow the attacker to run commands directly from system memory in a highly covert way.

Interestingly, Koske exhibits behaviors that seem intelligent and adaptive, raising suspicions that it may have been developed using AI or automated systems.

The Malware's Objective

Koske has one clear goal: hijack computing power to mine cryptocurrency. Its capabilities include:

  • Supporting up to 18 different cryptocurrencies (e.g., Monero, Ravencoin, Zano, Nexa)
  • Evaluating CPU and GPU capacity to choose the most efficient miner
  • Automatically switching to backup coins or mining pools if issues arise

How Koske Operates

1. Exploiting Misconfigured JupyterLab

Hackers scan for publicly accessible JupyterLab instances with weak or incorrect configurations. Once one is found, they exploit it to run commands on the system.

2. Downloading the "Panda Images"

The malware then downloads two panda images from trusted-looking sites like OVH or postimage. These are polyglot files, meaning they serve as both image and script.

  • If opened with a photo viewer: they appear as normal images.
  • If interpreted by the system: malicious code executes instantly.
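A defender's first question about a file like this is whether it is really just an image. The check below is an added example, not code from the original article or from the researchers who analysed Koske. It assumes the simplest polyglot layout the article describes: a valid JPEG or PNG header so that viewers render the file, with script text appended after the image's end marker. The marker list and the sample files are constructed for illustration.

```python
"""Flag image files that carry script text (a simple polyglot check).

Added example. Assumption: the payload is plain script text appended
after the image's end marker (JPEG EOI or PNG IEND). Markers anywhere in
the buffer are reported too, so a script hidden in a comment segment is
still caught. Sample buffers at the bottom are constructed.
"""
import re

# Magic bytes for the two formats a "panda image" would plausibly use.
IMAGE_MAGICS = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Strings that should never occur inside benign pixel data. Constructed
# list; tune it against your own file corpus before relying on it.
SCRIPT_MARKERS = [re.compile(p) for p in (
    rb"#!\s*/(usr/)?bin/(env\s+)?(ba)?sh",
    rb"\bbash\s+-c\b",
    rb"\b(curl|wget)\s+-",
    rb"\bbase64\s+(-d|--decode)\b",
    rb"\bLD_PRELOAD\b",
    rb"\bchattr\s+\+i\b",
)]


def image_type(data: bytes):
    """Return the format implied by the leading magic bytes, or None."""
    for magic, name in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def image_end(data: bytes, fmt: str) -> int:
    """Offset just past the image's end marker, or 0 if none is found.
    JPEG ends with the EOI marker FF D9 (rfind, because EXIF thumbnails
    carry their own EOI); PNG ends with the IEND chunk plus a 4-byte CRC."""
    if fmt == "jpeg":
        i = data.rfind(b"\xff\xd9")
        return i + 2 if i != -1 else 0
    if fmt == "png":
        i = data.find(b"IEND")
        return i + 8 if i != -1 else 0
    return 0


def scan_polyglot(data: bytes) -> dict:
    """Report image type, bytes trailing the image, and script markers found.
    A large trailer with no marker hits still deserves a manual look, since
    a payload may be obfuscated; 'suspicious' only reflects marker hits."""
    fmt = image_type(data)
    if fmt is None:
        return {"image": None, "trailer_bytes": 0, "hits": [], "suspicious": False}
    trailer = data[image_end(data, fmt):]
    hits = [p.pattern.decode() for p in SCRIPT_MARKERS if p.search(data)]
    return {"image": fmt, "trailer_bytes": len(trailer),
            "hits": hits, "suspicious": bool(hits)}


def scan_file(path: str) -> dict:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as f:
        return scan_polyglot(f.read())


# Constructed samples: a minimal JPEG/PNG skeleton, clean and with text appended.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 40 + b"\xff\xd9"
PAYLOAD = b"\n#!/bin/bash\n# constructed stand-in for an appended script\necho polyglot\n"
POLYGLOT_JPEG = CLEAN_JPEG + PAYLOAD
CLEAN_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
             + b"\x00\x00\x00\x00IEND\xaeB`\x82")
POLYGLOT_PNG = CLEAN_PNG + b"\nbash -c 'echo polyglot'\n"

if __name__ == "__main__":
    for name, buf in (("clean jpeg", CLEAN_JPEG), ("polyglot jpeg", POLYGLOT_JPEG),
                      ("clean png", CLEAN_PNG), ("polyglot png", POLYGLOT_PNG)):
        print(name, scan_polyglot(buf))
```

Run it over a directory of downloaded images (for example everything written under /tmp or /dev/shm by the Jupyter service account) and review any file whose trailer is non-empty or whose hit list is populated; the end-marker logic is deliberately simple and will need refinement for images with unusual trailers.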

What’s Inside the Panda Images?

Payload 1: C-Based Rootkit

  • Embedded C code is compiled and executed in memory as a .so file
  • It uses LD_PRELOAD to override readdir() functions
  • This hides processes, files, and folders related to the malware
  • It filters based on keywords like koske, hideproc, or PIDs from /dev/shm/.hiddenpid

Payload 2: Smart Shell Script

  • Executed directly from memory using Linux tools like cron and systemd
  • Ensures persistence by rerunning every 30 minutes
  • Network configurations are adjusted:
    • Switches DNS to Cloudflare and Google
    • Locks resolv.conf with chattr +i
    • Flushes iptables and proxy settings
    • Uses tools like curl, wget, and raw TCP to brute-force working proxies
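The two payloads leave host-level traces that an incident responder can look for directly. The script below is an added example, not code from the original article or from the researchers, and it covers both payload sections: it checks for LD_PRELOAD-style library loading, for PIDs that a stat() probe can see but a directory listing (readdir) omits, for the immutable bit on /etc/resolv.conf, and for cron jobs that fire every 30 minutes or more often. The parsing functions are pure so they can be tested on the constructed samples at the bottom; only the live collectors touch the host.

```python
"""Linux host triage for the Koske indicators described above.

Added example. Assumptions: the rootkit is loaded via /etc/ld.so.preload
or the LD_PRELOAD variable and hooks only readdir(), so stat() on
/proc/<pid> still succeeds for hidden processes; persistence lives in
/etc/crontab; `lsattr` is available. Sample inputs are constructed.
"""
import os
import re
import subprocess


def preload_entries(text: str) -> list:
    """Non-comment, non-blank lines of an /etc/ld.so.preload-style file.
    A clean host normally has an empty or absent file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def hidden_pids(listed: set, probed: set) -> set:
    """PIDs that answer an individual probe but are missing from the listing.
    A readdir() hook only filters enumeration, so the difference is what the
    hook hides. A rootkit that also hooks stat() defeats this; compare against
    an offline or kernel-side view in that case."""
    return probed - listed


def is_immutable(lsattr_line: str) -> bool:
    """True if an `lsattr` output line carries the 'i' (immutable) flag."""
    fields = lsattr_line.split(None, 1)
    return bool(fields) and "i" in fields[0]


_MINUTE_STEP = re.compile(r"^\*/(\d+)$")


def frequent_cron_jobs(crontab_text: str, max_minutes: int = 30) -> list:
    """Cron lines whose minute field fires every `max_minutes` or less
    ('*' or '*/N' with N <= max_minutes). This is a triage list, not a
    verdict: legitimate jobs run that often too, so review the command."""
    hits = []
    for ln in crontab_text.splitlines():
        s = ln.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue  # blank, comment, or environment assignment
        minute = s.split()[0]
        m = _MINUTE_STEP.match(minute)
        if minute == "*" or (m and int(m.group(1)) <= max_minutes):
            hits.append(s)
    return hits


def live_listed_pids() -> set:
    """PIDs as enumerated through readdir() on /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def live_probed_pids() -> set:
    """PIDs found by stat()-ing /proc/<pid> for every possible PID.
    Takes a few seconds when pid_max is large; that is acceptable for triage."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    return {pid for pid in range(1, pid_max + 1) if os.path.exists(f"/proc/{pid}")}


def triage() -> dict:
    """Run all checks on the local host and return a findings dict."""
    report = {}
    try:
        with open("/etc/ld.so.preload") as f:
            report["preload"] = preload_entries(f.read())
    except FileNotFoundError:
        report["preload"] = []
    report["env_ld_preload"] = os.environ.get("LD_PRELOAD", "")
    report["hidden_pids"] = sorted(hidden_pids(live_listed_pids(), live_probed_pids()))
    try:
        out = subprocess.run(["lsattr", "/etc/resolv.conf"], capture_output=True,
                             text=True, check=False).stdout
        report["resolv_conf_immutable"] = is_immutable(out)
    except FileNotFoundError:
        report["resolv_conf_immutable"] = None  # lsattr not installed
    try:
        with open("/etc/crontab") as f:
            report["frequent_cron"] = frequent_cron_jobs(f.read())
    except FileNotFoundError:
        report["frequent_cron"] = []
    return report


# Constructed samples used to exercise the parsers offline.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/libhideproc.so\n"
SAMPLE_LSATTR = "----i---------e------- /etc/resolv.conf"
SAMPLE_CRONTAB = """# constructed sample
SHELL=/bin/sh
*/30 * * * * root /usr/local/bin/backup.sh
0 3 * * * root /usr/bin/logrotate /etc/logrotate.conf
"""

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run it as root so every /proc entry is visible; a non-empty preload list, any hidden PIDs, an immutable resolv.conf you did not set, or a high-frequency cron job you do not recognise each warrants pulling the referenced files for closer inspection rather than deleting them on the spot.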

Origin and Attribution

  • IP addresses linked to Serbia
  • Scripts contain Serbian language
  • Miner repositories found on GitHub include Slovak text

However, the exact origin of the threat actor remains unconfirmed.

AquaSec’s Warning

Although Koske already poses a serious threat, future AI-driven malware may become even more adaptive and dangerous — capable of real-time evasion and optimization.


Source: https://www.bleepingcomputer.com/news/security/new-koske-linux-malware-hides-in-cute-panda-images/