Threat actors have turned to cryptocurrency mining as a reliable way to make a profit in recent months. Cryptocurrency miners use the computing power of end user systems to mine coins of various kinds, most commonly via malware or compromised websites. By compromising servers in order to run cryptocurrency miners, the threat actors would gain access to more computing power and increase their profits from illicit mining.
In recent weeks we have noted a significant increase in the numbers of exploit attempts targeting two specific vulnerabilities: CVE-2017-5638 (a vulnerability in Apache Struts) and CVE-2017-9822 (a vulnerability in DotNetNuke). Patches for these vulnerabilities are already available. These vulnerabilities are in web applications that developers commonly use to build websites, making it likely that they are present on many servers. The Struts vulnerability was implicated in the massive Equifax breach in 2017.
We believe that this is the work of a single threat actor, as the sites all point to a single malicious domain to download Monero miners, which also all point to a single Monero address. It has already received 30 XMR, equating to approximately 12,000 US dollars based on mid-January 2018 exchange rates.
Analysis
Malicious HTTP requests that take advantage of the above vulnerabilities are sent to the target servers. These HTTP requests contain encoded scripting code. The vulnerabilities above are used to run this code on the affected web server. Multiple layers of obfuscated code are used in an attempt to make analysis and detection more difficult. Both Windows and Linux systems are targeted with this attack.
The final layer of obfuscated code, once decoded, reveals the campaign's final goal. The code eventually leads to the download of the malicious payload: a Monero cryptocurrency miner.
Figures 1 and 2. HTTP requests sent to targeted servers, targeting Struts and DotNetNuke vulnerabilities respectively
The URL used to download this Monero miner differs between Windows and Linux versions. However, this URL is shared between both the Struts attacks and the DotNetNuke attacks as follows:
- Windows - hxxp://eeme7j[.]win/scv[.]ps1 leading to the download of a miner from hxxp://eeme7j[.]win/mule[.]exe (detected as TROJ_BITMIN.JU)
- Linux - hxxp://eeme7j[.]win/larva[.]sh leading to the download of a miner from hxxp://eeme7j[.]win/mule (detected as ELF_BITMIN.AK)
Scope
Our data indicates that this campaign has been in progress since the middle of December. The chart below indicates the number of feedback incidents targeting the Struts vulnerability in December:
Figure 3. Number of hits in November - December
The amount of feedback has dropped after it's peak in mid to late-December. However, they are still ongoing – system administrators have to adjust to the reality that Struts attacks are now a regular part of the threat landscape.
How much has this attack netted? The current campaign sends all of the mined Monero to a single address, making a profit of around 12,000 US dollars at current exchange rates. The campaign is still ongoing, and there are no indications that this particular threat actor intends to stop soon.
Solutions and Mitigations
There are several methods available to system administrators to mitigate this threat. The most immediate is to patch the above vulnerabilities. The Struts vulnerability was fixed in March 2017; the DotNetNuke vulnerability was patched in August 2017. Installing these patches would remove the risk from these particular attacks.
Trend Micro™ TippingPoint™ provides virtual patching and extensive zero-day protection against network-exploitable vulnerabilities via filters. Trend Micro™ Deep Security™ also provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications such as Apache Struts.
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats that may exploit Struts vulnerabilities even without an engine or pattern update.
Deep Security™ provides protection from any threats that may target this vulnerability via the following rules:
- 1008207 - Apache Struts2 Remote Code Execution vulnerability (CVE-2017-5638)
Deep Discovery Inspector protects customers via the following rules:
- 2348: CVE-2017-5638 - APACHE STRUTS EXPLOIT - HTTP (Request)
- 2588: CVE-2017-9822 DotNetNuke Remote Code Execution Exploit - HTTP (Request)
Trend Micro™ TippingPoint™ customers are protected from threats that may exploit the vulnerabilities via these MainlineDV filters:
- 27410: HTTP: Apache Struts Content-type Command Injection Vulnerability
TippingPoint has posted a Customer Shield Writer (CSW) file for this vulnerability that are available for customers to download on TMC. The applicable rules is as follows:
- HTTP: Apache Struts Content-type Command Injection Vulnerability (CVE-2017-5638)
Trend Micro Home Network Security™ customers are protected from this threat via these rules:
- 1132543 WEB Apache Struts Dynamic Method Invocation Remote Code Execution -1.h
- 1134304 WEB DotNetNuke Deserialization Vulnerability (CVE-2017-9822)
Indicators of Compromise
The following files are detected as part of this attack:
- 0f80fd6e48121961c8821ad993b3e5959a6646ac0f0ed636560659f55879c551 (detected as TROJ_BITMIN.JU)
- b3377097c8dcabd0d3dd5ee35bcf548f9906a34b9d3c0169b27f17eb015cf0be (detected as ELF_BITMIN.AK)
The following URLs are connected to this attack:
- eeme7j[.]win/larva[.]sh
- eeme7j[.]win/mule
- eeme7j[.]win/mule[.]exe
- eeme7j[.]win/scv[.]ps1