Koske Malware Hides in Panda JPEGs to Deploy Crypto Miners on Linux | Black Hat Ethical Hacking



A new Linux malware named Koske is exploiting misconfigured JupyterLab environments and using innocent-looking panda bear images to deploy stealthy rootkits and crypto miners, researchers from AquaSec revealed.

Malicious Images Conceal Sophisticated Payloads

Koske uses a unique technique built on polyglot files: JPEG images that are also valid shell scripts. Opened in an image viewer, such a file displays a normal picture; fed to a shell interpreter, it executes the malicious code it carries.

“The attacker downloads two .JPEG images of panda bears hosted on trusted platforms like OVH or FreeImage, each containing an embedded payload,” AquaSec stated.

Unlike traditional steganography, the malicious code is not hidden inside the image pixels. Instead, each JPEG file consists of valid image headers followed by appended shell script and C code, so the same file serves both as a picture and as a carrier for the payload.
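Because the payload sits after the image data rather than inside it, a defender can triage suspicious JPEGs by walking the marker structure to the end-of-image marker (FF D9) and inspecting whatever follows. The script below is an added example written for this article, not AquaSec's tooling or anything recovered from the malware; the sample file it scans is constructed in memory (a minimal JFIF header, a tiny scan, EOI, then a harmless shebang script), and the keyword heuristics are assumptions chosen for illustration.

```python
"""Triage helper: detect data appended after a JPEG's end-of-image marker.

Added example, not AquaSec's tooling. It walks the JPEG marker structure to
find the EOI marker (FF D9) and reports anything that follows it, then
applies a few coarse heuristics to say whether the trailer looks like
shell script or C source. The sample file below is constructed in memory.
"""
import sys
from typing import Optional

# Substrings that suggest a shell script or C source in the trailer (assumed list)
SCRIPT_HINTS = (b"#!/", b"#include", b"int main", b"eval ", b"base64 ",
                b"curl ", b"wget ", b"chmod ", b"nohup ")

def jpeg_image_end(data: bytes) -> Optional[int]:
    """Return the offset just past the EOI marker, or None if not a well-formed JPEG."""
    if data[:2] != b"\xff\xd8":          # SOI
        return None
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            return None                  # expected a marker here
        while pos < n and data[pos] == 0xFF:
            pos += 1                     # skip fill bytes
        if pos >= n:
            return None
        marker = data[pos]
        pos += 1
        if marker == 0xD9:               # EOI: image data ends here
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                     # TEM / RSTn carry no length field
        if pos + 2 > n:
            return None
        seglen = int.from_bytes(data[pos:pos + 2], "big")
        if seglen < 2:
            return None
        pos += seglen                    # length field includes its own 2 bytes
        if marker == 0xDA:               # SOS: entropy-coded scan follows
            # Scan forward to the next real marker; FF00 is a stuffed byte
            # and FFD0..FFD7 are restart markers, both part of the scan.
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None

def classify_trailer(trailer: bytes) -> str:
    """Coarse verdict on bytes found after EOI."""
    if not trailer:
        return "clean"
    if trailer.startswith(b"#!"):
        return "shebang-script"
    if any(h in trailer for h in SCRIPT_HINTS):
        return "script-like"
    return "unknown-trailer"

def scan_jpeg(data: bytes) -> dict:
    """Summarise a JPEG's trailer: where the image ends and what follows it."""
    end = jpeg_image_end(data)
    if end is None:
        return {"image_end": None, "trailer_len": 0, "verdict": "not-a-jpeg"}
    trailer = data[end:]
    return {"image_end": end, "trailer_len": len(trailer),
            "verdict": classify_trailer(trailer), "preview": trailer[:40]}

# Constructed sample: minimal JFIF header + tiny scan + EOI, then a harmless
# appended script. The structure (image, then trailer) is what matters.
SAMPLE_POLYGLOT = (
    b"\xff\xd8"                                                        # SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, length 16
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS header, length 8
    + b"\x12\x34\xff\x00\x56"                                          # scan data with a stuffed FF00
    + b"\xff\xd9"                                                      # EOI
    + b"#!/bin/sh\necho constructed-marker\n"                          # appended trailer
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("sample:", scan_jpeg(SAMPLE_POLYGLOT))
    for p in paths:
        with open(p, "rb") as fh:
            print(p, scan_jpeg(fh.read()))
```

Run it with one or more file paths to scan real images; with no arguments it scans the constructed sample. Treat a non-empty trailer as a triage signal rather than a verdict: some writers leave padding or junk after EOI, so the content classification (shebang, C preprocessor lines, downloader commands) is the stronger indicator, and a flagged file should be handed to a sandbox or reverse engineer rather than executed.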

Initial Access: Jupyter Misconfigurations

The attack begins by exploiting misconfigured JupyterLab instances exposed to the internet. Such misconfigurations allow remote command execution, giving the attacker an initial foothold on the host.

Once inside, the attacker downloads the panda JPEGs and triggers the hidden payloads:

  • Payload 1: C code compiled and executed in memory as a .so rootkit, leveraging LD_PRELOAD to override system calls and hide itself.
  • Payload 2: Shell script executed in-memory, responsible for persistence, system manipulation, and cryptominer deployment.
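The rootkit payload relies on LD_PRELOAD, which can be introduced either through /etc/ld.so.preload or through the LD_PRELOAD variable in a process's environment. The audit script below is an added example for defenders, written for this article and not taken from AquaSec or from the malware; it checks both locations and flags preload libraries that live outside the standard library directories. The sample environ block and ld.so.preload text are constructed, and the trusted-prefix list is an assumption to adjust per distribution.

```python
"""Audit helper for LD_PRELOAD-style persistence on Linux.

Added example, not AquaSec's or the malware author's code. It checks the two
places a preload library can be introduced: /etc/ld.so.preload and the
LD_PRELOAD variable in each process's initial environment (/proc/<pid>/environ).
Any preload path outside the standard library directories is reported.
The sample inputs at the bottom are constructed.
"""
import os
from typing import Dict, List

# Libraries legitimately preloaded by distros live under these prefixes (assumption)
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, val = entry.split(b"=", 1)
            env[key.decode(errors="replace")] = val.decode(errors="replace")
    return env

def parse_ld_so_preload(text: str) -> List[str]:
    """Library paths listed in /etc/ld.so.preload (whitespace separated, '#' comments)."""
    libs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs

def preload_from_env(env: Dict[str, str]) -> List[str]:
    """LD_PRELOAD accepts entries separated by colons or spaces."""
    return [e for e in env.get("LD_PRELOAD", "").replace(":", " ").split() if e]

def suspicious_preloads(paths: List[str]) -> List[str]:
    """Keep only preload entries outside the trusted library directories."""
    return [p for p in paths if not p.startswith(TRUSTED_PREFIXES)]

def audit_live_system() -> Dict[str, List[str]]:
    """Walk /etc and /proc on the running host; returns {source: [suspicious paths]}."""
    report: Dict[str, List[str]] = {}
    try:
        with open("/etc/ld.so.preload") as fh:
            hits = suspicious_preloads(parse_ld_so_preload(fh.read()))
            if hits:
                report["/etc/ld.so.preload"] = hits
    except OSError:
        pass                                    # absent on a clean system
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                env = parse_environ(fh.read())
        except OSError:
            continue                            # process exited or not permitted
        hits = suspicious_preloads(preload_from_env(env))
        if hits:
            report[f"/proc/{pid}/environ"] = hits
    return report

# Constructed samples (not real observations from the Koske campaign)
SAMPLE_ENVIRON = b"PATH=/usr/bin:/bin\0LD_PRELOAD=/dev/shm/.x/libhide.so\0HOME=/root\0"
SAMPLE_LD_SO_PRELOAD = "# distro comment\n/usr/lib/libc_malloc_debug.so.0\n/tmp/.cache/libhide.so\n"

if __name__ == "__main__":
    print("sample environ:",
          suspicious_preloads(preload_from_env(parse_environ(SAMPLE_ENVIRON))))
    print("sample ld.so.preload:",
          suspicious_preloads(parse_ld_so_preload(SAMPLE_LD_SO_PRELOAD)))
    if os.path.isdir("/proc"):
        print("live host:", audit_live_system())
```

Two caveats apply when running this on a suspect host. An LD_PRELOAD rootkit hooks libc in every dynamically linked process, and a Python interpreter is one of them, so the rootkit can filter what this script reads; for a trustworthy result run the same checks from a statically linked binary or against a disk image mounted on a clean system. Also, /proc/<pid>/environ reflects a process's initial environment only, so a library injected later, or via /etc/ld.so.preload, shows up only in the first check.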


Seemingly innocuous panda image (top), file contents (bottom)
Source: AquaSec



