Security researchers have found that since last year Linux servers in the cloud have become the battleground for a turf war between two rival hacker groups racing to install mining malware. Security firm Intezer found that a group of hackers called the Pacha Group has been targeting Linux servers in the cloud since last September and installing Linux.GreedyAntd, a variant of the mining software. Pacha, first discovered last year by Cisco’s Talos security research group, has also been used to launch mining attacks on Linux and cloud platforms, but GreedyAntd contains several special capabilities that differ from previous generations of mining programs and had not been discovered until now.

The researchers found that the variant is similar in several ways to the malware of the Rocke Group, an early hacker group whose goal was to mine Monero coins. For example, GreedyAntd has a file path blacklist that it uses to find and shut down cloud security products such as Alibaba Server Guard. It recently targeted vulnerabilities in Atlassian Confluence, the knowledge management and collaboration software. It also uses a user-mode rootkit. These are the same features found in Rocke.

Researcher Nacho Sanmillan points out that both Pacha and Rocke have been mass-scanning unpatched Linux servers and cloud services on the network and infecting them with a versatile malware called Boats.