A new variant of the cryptominer malware known as Golang is targeting both Windows and Linux machines. While the volume of attacks is low because the variant is so new, Barracuda researchers have seen seven source IP addresses linked to this malware so far, all based in China. Instead of targeting end users, this new malware attacks servers.
Here’s a closer look at this evolving threat and solutions to help detect, block, and remediate the attacks.
New variant of “Golang” malware — This new malware variant attacks web application frameworks, application servers, and non-HTTP services such as Redis and MSSQL. Its main goal is to mine Monero cryptocurrency using a known miner, XMRig. The malware spreads as a worm, searching and infecting other vulnerable machines.
Earlier variants of this malware targeted only Linux machines, but this new iteration is also attacking Windows machines and uses a new pool of exploits. For example, some of the exploits the malware includes are targeting the ThinkPHP web application framework, which is popular in China. Similar to other families of malware, it is safe to assume this malware will keep evolving, employing more and more exploits.Instead of targeting end users, this #malware focuses on attacking servers instead. Here’s what you can do to protect your business #cryptominingClick To Tweet
Once the malware infects a machine, it downloads the following files, which are customized based upon the platform being attacked. The attacks follow the same playbook, though, including an initial payload, an update script, a miner, a watchdog, a scanner, and a config file for the cryptominer. For Windows machines, the malware also adds a backdoor user.
|The init script runs as part of the initial payload.|
|Identical to the init script, the update script runs as a scheduled task.|
|The cryptominer is based on the known XMRig miner, an open source tool.|
|The watchdog makes sure the scanner and miner are up and running and all components are up to date.|
|The scanner searches the internet for vulnerable machines and infects them with the malware.|
|Used only on Windows machines, this script adds a backdoor user to the system.|
|This is the cryptominer’s configuration file.|
The init and update scripts share the same content on each platform. They are used for both installing the malware and updating its components. The init script will run as part of the initial payload, and he update script will run as scheduled task (cron in Linux).
The init script for Linux is aggressive, removing competing miners and malwares, blocking ports, adding backdoor keys, and disabling SELINUX. The Windows init script runs a few basic steps, not as sophisticated as the init script for Linux. As this script was not found in earlier variants, researchers assume targeting Windows is a new addition to this malware.
Miner – sysupdate/sysupadte.exe
The cryptominer is based on the known XMRig miner, which is an open source tool. The configuration file is config.json.
Watchdog – sysguard/sysgurad.exe
The watchdog makes sure that the scanner and miner are up and running and that all components are up to date. If it fails to connect to the command-and-control server, it will try to fetch the address of a new server by parsing transactions on a specific Ethereum account.
The watchdog is written in Go (stripped and compressed using UPX).
Backdoor user – Clean.bat
Used only on Windows machines, this script will simply add another user to the system. The init/update scripts for Linux systems perform a similar step by adding authorized SSH key to the system.
Scanner – networkservice/networkservice.exe
Written in Go (stripped and compressed using UPX), the scanner component will spread the malware by scanning the internet for vulnerable machines and infecting them with the malware. The scanner will simply generate a random IP (avoiding 127.x.x.x, 10.x.x.x and 172.x.x.x) and will try to attack the machine behind it.
Following a successful takeover, it will report back to the command-and-control server, hxxp://126.96.36.199/E5DB0E07C3D7BE80V520/ReportSuccess/<IP>/<Exploit type>.
The scanner will also report its progress back to the command-and-control server,
hxxp://188.8.131.52/E5DB0E07C3D7BE80V520/Iamscan/<scan count>Protect your #Windows and #Linux machines from these targeted attacks. The #malware spreads as a worm, searching and infecting other vulnerable machinesClick To Tweet
Exploits of the new cryptominer malware variant
|Orcale WebLogic||7001/7002||CVE-2017-10271||The malware will try to exploit CVE-2017-10271 and drop payloads for both Windows and Linux.
|ElasticSearch||9200||CVE-2015-1427 CVE-2014-3120||The malware will try to exploit both CVE-2015-1427 and CVE-2014-3120 and drop a payload for Linux.
|Drupal||N/A||CVE-2018-7600||This exploit seems to be disabled, yet it is still present in the code. The exploit uses CVE-2018-7600 and drops a payload for Linux.
|ThinkPHP||80/8080||CVE-2018-20062, N/A||The malware will try to exploit two vulnerabilities in the ThinkPHP framework and drop payloads for both Windows and Linux.|
|Hadoop||8088||N/A||The malware will drop payload for Linux using this exploit.|
|Redis||6379/6380||N/A||First, it will try to find credentials if required (dictionary attack). If successful, it will use a known method for achieving RCE by dumping the db file into cron path.|
|MSSQL||1433||N/A||The malware will first try to find the credentials (dictionary attack) for the mssql server. If successful, it will drop a payload for Windows.|
|IoT devices||N/A||N/A||This exploit seems to be disabled, yet it is still present in the code. The exploit targets IoT devices (CCTV).|
How to protect against these attacks
There are a few important steps you can take to protect against this malware variant.
Web application firewall — Make sure you have a properly-configured web application firewall in place. This malware variant spreads by scanning the internet for vulnerable machines. Many organizations overlook application security, but it’s still a top threat vector that cybercriminals look to exploit.
Stay up to date on patches — As this malware shows, cybercriminals are always scanning for vulnerabilities to exploit. Staying current on security patches and updates will help your business stay ahead of these threats.
Monitor systems for suspicious activity — Knowing how this malware variant works will help you monitor your organization’s Windows and Linux servers for this type of activity, so you can remediate any attacks as soon as possible. Make sure you have a solution in place to help monitor for this type of activity and educate your security team on the warning signs.