Attackers using remote coding execution vulnerabilities to install cryptocurrency miners in vulnerable hosts 5 Jan 2018


Introduction

Kicking off the New year, AusCERT received reports of multiple attacks attempting to run exploits against vulnerable hosts in order to install and operate Cryptocurrency miners in them. Similar attacks have been reported around the globe.

Sighted attacks so far have targeted hosts running Linux operating systems. The miners are dropped as ELF 64-bit files; these are Monero miners to be precise, and are variants of XMRig. [1]

Alienvault released a pulse addressing Monero Miner installation attacks. [2]

In one attack scenario, attackers exploited a Remote Code execution vulnerability in the WLS Security sub-component of the Oracle WebLogic Server (WLS) (CVE-2017-10271), to download and install Monero miner software in the target host.

Weblogic Server versions vulnerable to this attack are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0.

This vulnerability was addressed in Oracle CPU [3]. 

Two articles from nsfocusglobal and morihi-soc (translation required) provide some analyses into these attacks. [4,5].

AusCERT performed its own analysis based on reports from multiple members. Indicators derived from that investigation have also been included in the list of indicators provided at the end of this blog.

A new python-based cryptominer botnet has also been recently exposed. It uses a JBOSS vulnerability (CVE-2017-12149) to run remote code exploits against vulnerable Linux hosts to fetch base64 encoded python scripts and execute them.  These scripts in turn connect to remote Command and Control servers to fetch additional python scripts. Interestingly, this botnet appears to be using pastebin resources as C&C servers. [6]

 

Basic characteristics of an attack

1. Attackers launch a remote code execution exploit targeting one of the following vulnerabilities in the target host:

    a. WebLogic server Remote Code Execution vulnerability. (CVE-2017-10271)
    b. JBoss Remote Code Execution vulnerability (CVE-2017-7504, CVE-2017-12149: used by a new python-based crypto miner)
    c. Apache Struts Jakarta Multipart parser Remote Code Execution vulnerability (CVE-2017-5638)

2. The exploit request includes the payload to fetch the cryptominer from a remote url create a crontab entry to make it run persistently and execute via the local shell depending on the operating system (e.g. cmd.exe for Windows and /bin/bash/ for Linux systems).

3. Additional Shell scripts are fetched from remote servers. These scripts have the function of:

    a. Killing competing processes that consume large CPU loads (>20%)
    b. Kill competing xmrig cryptocurrency mining processes
    c. Create crontab entries and/or rc.local files to ensure the miner is executed at regular intervals or on system reboot
    d. Modify file permissions to allow the miner to be executed by users with any privilege level
    e. Generate log files
     f. Communicate the miner's execution progress to a remote HQ.
    g. Determine the CPU type and number of CPU cores in a host and then branching to fetch an appropriate miner.

4.  The miner regularly communicates execution progress to a remote mining pool (or hq).

Actual miner files carry different names based on the attack. AusCERT has currently sighted miners as 64-bit ELF files with the following names:
    a. fs-manager
    b. sourplum
    c. kworker
    d. kworker_na

Factors differentiating miners

1. Maximum CPU threshold.
2. Dependence on an external config file. Some miner require an external config file (example, kworker.conf or config.json) to execute correctly. The config file typically contains:
    a. The username and password to access the remote mining pool
    b. URL of the remote mining pool
    c. Mining algorithm used (e.g. Cryptonight)
    d. the "nice" level of the mining process
3. Homing to different HQs or mining pools

Mitigation Recommendations

1. Patch systems against commonly targeted vulnerabilities for this type of attack.

2. Set ACLs and Firewalls to block outbound and inbound access to and from known Bitcoin mining pool IPs (unless your organisational policy allows the use of computing resources for bitcoin mining!).

3. Set IDS/IPS to detect requests and responses to and from payload delivery and network activity URLs.

4. Block resolution of domains known to be C&C and mining pools for cryptocurrency miners (e.g. via DNS firewalls).

5. Check Host files systems for dropped files (representing crypto miners) and corresponding hashes (e.g. using a Host-based IDS like OSSEC).

See Indicators section below for a list of indicators of compromise.

References

1. https://github.com/xmrig/xmrig

2. https://otx.alienvault.com/pulse/5a4e1c4993199b299f90a212/?utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed

3. http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html.

4. https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/

5. http://www.morihi-soc.net/?p=910

6. https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar

 

Indicators

Network-based indicators

Payload delivery url http://27.148.157.89:8899/1.exe Monero miner delivery url
Payload delivery url http://221.229.204.177:8888 Monero miner delivery url
Payload delivery url http://27.148.157.89:8899/xmrig Monero miner delivery url
Payload delivery url http://72.11.140.178/?info=l30 Monero miner delivery url
Payload delivery url http://72.11.140.178/files/ Monero miner delivery url
Payload delivery url http://72.11.140.178/?info=l69 Monero miner delivery url
Payload delivery url http://72.11.140.178/files/w/default Monero miner delivery url
Payload delivery url http://27.148.157.89:8899/xmr64.exe Monero miner delivery url
Payload delivery url http://72.11.140.178/?info=w0 Monero miner delivery url
Payload delivery url http://27.148.157.89:8899/1.sh Monero miner delivery url
Payload delivery url http://72.11.140.178/files/w/default/auto-upgrade.exe Monero miner delivery url
Payload delivery url http://72.11.140.178/files/w/default?info=w0 Monero miner delivery url
Payload delivery url http://www.luoxkexp.com:8520/php.exe Monero miner delivery url
Payload delivery url http://72.11.140.178/auto-upgrade Monero miner delivery url
Payload delivery url http://luoxkexp.com:8888/samba.exe Monero miner delivery url
Payload delivery url http://27.148.157.89:8899/xmr86.exe Monero miner delivery url
Payload delivery url http://27.148.157.89:8899/fuckpig.jar Monero miner delivery url
Payload delivery url http://www.luoxkexp.com:8520/ Monero miner delivery url
Payload delivery url http://72.11.140.178/?info=w9 Monero miner delivery url
Payload delivery url http://72.11.140.178/files/w/default?info=w9 Monero miner delivery url
Payload delivery url http://luoxkexp.com:8888/xmr64.exe Monero miner delivery url
Payload delivery url http://luoxkexp.com/xmr64.exe Monero miner delivery url
Payload delivery url http://27.148.157.89:8899/112.exe Monero miner delivery url
Payload delivery url http://72.11.140.178/files Monero miner delivery url
Payload delivery url http://27.148.157.89:8899/jiba Monero miner delivery url
Payload delivery url http://luoxkexp.com Monero miner delivery url
Payload delivery url http://72.11.140.178/files/w/others Monero miner delivery url
Payload delivery url http://72.11.140.178/setup-watch Monero miner delivery url
Payload delivery url http://72.11.140.178/wls-wsat/CoordinatorPortType Monero miner delivery url
Payload delivery url http://72.11.140.178/?info=l60 Monero miner delivery url
Payload delivery url http://72.11.140.178/files/l/default Monero miner delivery url
Payload delivery url http://luoxkexp.com:8888/xmr86.exe Monero miner delivery url
Payload delivery url http://luoxkexp.com:8899/xmr64.exe Monero miner delivery url
Payload delivery url http://72.11.140.178/files/l/others Monero miner delivery url
Payload delivery url http://luoxkexp.com:8899/1.exe Monero miner delivery url
Payload delivery url http://letoscribe.ru/includes/libraries/files.tar.gz Monero miner delivery url
Payload delivery url http://letoscribe.ru/includes/libraries/getsetup.php?p=wl Monero miner setup file delivery url
Payload delivery url http://45.77.106.29/selectv2.sh Sourplum and related scripts delivery url
Payload delivery url http://45.77.106.29/sourplum Sourplum and related scripts delivery url
Payload delivery url http://45.77.106.29/lowerv2.sh Sourplum and related scripts delivery url
Payload delivery url http://45.77.106.29/rootv2.sh Shell script delivery url
Payload delivery url http://181.214.87.240/res/logo.jpg Shell script delivery url
Payload delivery url http://5.188.87.12/langs/kworker_na Monero miner delivery url
Payload delivery url http://181.214.87.240/res/kworker.conf Monero miner config file delivery url
Network activity url http://letoscribe.ru/includes/libraries/notify.php?p=wl Monero Miner reports execution progress to HQ at this URL
Network activity url http://104.223.37.150:8090 Known C&C for python-based crypto miner
Network activity url http://pastebin.com/raw/yDnzKz72 Known C&C for python-based crypto miner
Network activity url http://k.zsw8.cc:8080 Known C&C for python-based crypto miner
Network activity url http://i.zsw8.cc:8080 Known C&C for python-based crypto miner
Network activity url http://pastebin.com/raw/rWjyEGDq Known C&C for python-based crypto miner
Network activity url http://208.92.90.51 Known C&C for python-based crypto miner
Network activity url http://208.92.90.51:443 Known C&C for python-based crypto miner
Network activity domain minergate.com Known C&C address pool and Bitcoin mining pool domain
Network activity domain minexmr.com Known C&C address pool and Bitcoin mining pool domain
Network activity domain letoscribe.ru Known Monero Miner HQ domain
Network activity domain pool-proxy.com Mining pool domain
Network activity domain fee.xmrig.com Domains contacted by fs-manager
Network activity domain nicehash.com Domains contacted by fs-manager
Network activity domain data.rel.ro Domains contacted by fs-manager
Network activity domain dkuug.dk kworker miner attempts to communicate with this domain
Network activity domain i.zsw8.cc C&C Domain for python-based crypto miner
Network activity domain k.zsw8.cc C&C Domain for python-based crypto miner
Network activity hostname pool.supportxmr.com Known mining pool host
Network activity hostname pool.cortins.tk Known mining pool host
Network activity ip-dst 104.25.208.15 C&C address pool and Bitcoin mining pool IP
Network activity ip-dst 94.130.143.162 C&C address pool and Bitcoin mining pool IP
Network activity ip-dst 72.11.140.178 C&C address pool and Bitcoin mining pool IP
Network activity ip-dst 88.99.142.163 C&C address pool and Bitcoin mining pool IP
Network activity ip-dst 78.46.91.134 C&C address pool and Bitcoin mining pool IP
Network activity ip-dst 104.25.209.15 C&C address pool and Bitcoin mining pool IP
Network activity ip-dst 136.243.102.154 C&C address pool and Bitcoin mining pool IP
Network activity ip-dst 136.243.102.167 C&C address pool and Bitcoin mining pool IP
Network activity ip-dst 148.251.133.246 Mining pool (HQ) IP
Network activity ip-dst 104.223.37.150 C&C IP
Network activity ip-dst 208.92.90.51 C&C IP
Payload delivery ip-src 45.77.106.29
Payload delivery ip-src 181.214.87.240

 

Host-based indicators

Artifacts dropped sha256 7153ac617df7aa6f911e361b1f0c8188ca5c142c6aaa8faa2a59b55e0b823c1c Ref: XMRig variant fs-manager
Artifacts dropped sha256 9359f7e7b1dd0f4ce4a2c52fe611c981a3dd7a17f935862e3ce9acb5f2df8ced Ref: kworker
Artifacts dropped sha256 f4864b3793c93de50b953e9751dc22e03fa0333ae6856d8d153be9018da6d911 Ref: kworker_na
Artifacts dropped sha256 d47d2aa3c640e1563ba294a140ab3ccd22f987d5c5794c223ca8557b68c25e0d Python-based crypto miner
Artifacts dropped sha256 bcf306bf3c905567ac1a5012be94fe642cac6116192cea6486730341b32b38a4
Artifacts dropped sha256 0c5e960ca2a37cf383a7457bcc82e66d5b94164b12dfca1f21501211d9aca3c9
Artifacts dropped sha256 b3aba7582de82a0229b4d4caf73bc50cc18eb98109a0e251447dfb47afabc597
Payload delivery md5 0dc34402be603f563bfb25e7c476a0b4
Payload delivery md5 6455ffef458df6d24dd4df37f3d6df73
Payload delivery md5 9eadc40299864089e8a0959d04b02b39
Payload delivery md5 e1df71c38cea61397e713d6e580e9051
Payload delivery sha1 deeb65dbf4ac5d1d0db6ac4467282f62049a3620
Payload delivery sha1 777af085e72a4a19b6971f24c1167989335af508
Payload delivery sha1 4f41da624726daf16e1c0034e8a6a99c790be61e
Payload delivery sha1 9be68990dd7b071b192b89b0e384f290cce2b2db
Payload delivery sha256 0b2bd245ce62787101bc56b1eeda9f74e0f87b72781c8f50a1eff185a2a98391
Payload delivery sha256 182812097daabfc3fe52dd485bb0a0f566ddf47f23b9d9f72c2df01a1a4faf84
Payload delivery sha256 43f78c1c1b078f29fd5eb75759aa7b1459aa3f1679bbaabc1e67c362620650fb
Payload delivery sha256 370109b73fa9dceea9e2b34b466d0d2560025efcc78616387d84732cbe82b6bd
Payload delivery sha256 36524172afa85a131bf0075c7ff20dcbfb8a94c4e981300fb33ef56ed912678c
Payload delivery sha256 348c7dd59ea1b4e88585863dd788621f1101202d32df67eb0015761d25946420
Payload delivery sha256 198e090e86863fb5015e380dc159c5634cc2a598e93b20dd9695e1649bb062ad
Payload delivery sha256 d47d2aa3c640e1563ba294a140ab3ccd22f987d5c5794c223ca8557b68c25e0d

 


« Back to all blog entries