Malware targeting Linux and Unix web servers carries the functions typical of a botnet client, but with an added twist: it can operate under restricted system privileges rather than requiring root, researchers said.
The malware, called Mayhem, is a multipurpose modular threat discovered by Andrew Kovalev, Konstantin Otrashkevich and Evgeny Sidorov, researchers at the Russian Internet company Yandex, who studied the client side and the command and control (C&C) servers.
The threat is distributed as a PHP script which, in mid-June, was detected by only three of the antivirus engines on VirusTotal, the researchers said. After infecting a system, Mayhem begins communicating with its C&C server via HTTP POST requests and responses.
To date, the researchers have identified seven C&C commands. In the bot-to-server direction, the malware can inform the server that it loaded successfully, request files, send data and report on its state. In the server-to-bot direction, the C&C can instruct the bot to run a new task, load a plugin, send data and stop the current task, the researchers said in a paper on the subject.
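The article only says that an infected server talks to its C&C over HTTP POST from under a restricted account; it does not give URLs, headers or other indicators. One thing a defender can still do with that fact is hunt for regular POST beacons from the web server's unprivileged user. The script below is an added example written for this page, not code from the article or from the Yandex researchers: the log format, the user names, the hosts and the thresholds are all constructed or assumed, so adapt the parser to whatever egress proxy or audit log you actually have.

```python
"""Heuristic beacon hunt for a Linux web server (added example, not from the article).

Mayhem, per the Yandex researchers, talks to its C&C over HTTP POST while running
under restricted privileges, i.e. typically the web server's own account. Periodic
POSTs from that account to a single external host are therefore a useful hunting
signal. Log format, user names, hosts and thresholds below are constructed/assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<iso-timestamp> <local-user> <method> <dest-host> <status>"
# The 203.0.113.10 stream is the one a beaconing bot would produce; the rest is noise.
SAMPLE_LOG = """\
2014-06-12T10:00:00 www-data POST 203.0.113.10 200
2014-06-12T10:00:03 www-data GET cdn.example.net 200
2014-06-12T10:05:01 www-data POST 203.0.113.10 200
2014-06-12T10:10:00 www-data POST 203.0.113.10 200
2014-06-12T10:14:59 www-data POST 203.0.113.10 200
2014-06-12T10:20:01 www-data POST 203.0.113.10 200
2014-06-12T10:07:42 root POST mirrors.example.org 200
2014-06-12T10:11:13 www-data POST api.example.com 200
2014-06-12T10:12:40 www-data POST api.example.com 200
"""


def parse_log(text):
    """Yield (timestamp, user, method, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, method, host, _status = parts
        try:
            yield datetime.fromisoformat(ts), user, method, host
        except ValueError:
            continue


def find_beacons(text, min_posts=4, max_jitter=0.2, users=("www-data",)):
    """Return {(user, host): (post_count, mean_interval_seconds)} for POST streams
    that originate from a restricted web server account (assumed: www-data), repeat
    at least min_posts times, and whose inter-request gaps vary by no more than
    max_jitter (population stdev / mean). Regular spacing is the beacon signal."""
    posts = defaultdict(list)
    for ts, user, method, host in parse_log(text):
        if method == "POST" and user in users:
            posts[(user, host)].append(ts)

    hits = {}
    for key, times in posts.items():
        if len(times) < min_posts:
            continue
        times.sort()  # log lines may be out of order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = (len(times), avg)
    return hits


if __name__ == "__main__":
    for (user, host), (n, avg) in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {user} -> {host}: {n} POSTs every ~{avg:.0f}s")
```

With the sample above, only the www-data stream to 203.0.113.10 (five POSTs about 300 seconds apart) is reported; the root request is ignored because the hunt is scoped to the restricted account, and the two POSTs to api.example.com fall below the minimum count. Tune `min_posts` and `max_jitter` against your own baseline: a real bot may add jitter, so treat this as a triage filter rather than a verdict.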
Mayhem also relies on plugins, which are stored on a hidden file system together with the rest of the malware's files, to perform a range of tasks. The researchers identified eight plugins that can be used to find vulnerable websites, conduct brute-force attacks against various types of sites and accounts, and extract useful information from Web pages. Beyond these eight, there are references to other plugins the researchers have not seen, including one designed to exploit the Heartbleed vulnerability.
By gaining access to two C&C servers, researchers found at least 1,400 servers infected with the malware, most of them in the United States, Russia, Germany and Canada.
Kovalev, Otrashkevich and Sidorov believe that Mayhem is a continuation of Fort Disco, a major brute-force campaign discovered last summer by Arbor Networks.