
Threat Spotlight: New cryptominer malware variant


A new variant of the cryptominer malware known as Golang is targeting both Windows and Linux machines. While the volume of attacks is low because the variant is so new, Barracuda researchers have seen seven source IP addresses linked to this malware so far, all based in China. Instead of targeting end users, this new malware attacks servers.

Here’s a closer look at this evolving threat and solutions to help detect, block, and remediate the attacks.

Highlighted Threat

New variant of “Golang” malware

This new malware variant attacks web application frameworks, application servers, and non-HTTP services such as Redis and MSSQL. Its main goal is to mine Monero cryptocurrency using a known miner, XMRig. The malware spreads as a worm, searching for and infecting other vulnerable machines.

Earlier variants of this malware targeted only Linux machines, but this new iteration also attacks Windows machines and uses a new pool of exploits. For example, some of the exploits the malware includes target the ThinkPHP web application framework, which is popular in China. As with other malware families, it is safe to assume this malware will keep evolving and employing more and more exploits.


The Details

Once the malware infects a machine, it downloads the following files, which are customized based upon the platform being attacked. The attacks follow the same playbook, though, including an initial payload, an update script, a miner, a watchdog, a scanner, and a config file for the cryptominer. For Windows machines, the malware also adds a backdoor user.

| Linux file | Linux MD5 | Windows file | Windows MD5 | Description |
|---|---|---|---|---|
| init.sh | 4cc8f97c2bf9cbabb2c2be292886212a | init.ps1 | ebd05594214f16529badf5e7033054aa | The init script runs as part of the initial payload. |
| update.sh | 4cc8f97c2bf9cbabb2c2be292886212a | update.ps1 | ebd05594214f16529badf5e7033054aa | Identical to the init script, the update script runs as a scheduled task. |
| sysupdate | 149c79bf71a54ec41f6793819682f790 | sysupdate.exe | 97f3dab8aa665aac5200485fc23b9248 | The cryptominer is based on the known XMRig miner, an open source tool. |
| sysguard | c31038f977f766eeba8415f3ba2c242c | sysgurard.exe | ba7fe28ec83a784b1a5437094c63182e | The watchdog makes sure the scanner and miner are up and running and all components are up to date. |
| networkservice | 8e9957b496a745f5db09b0f963eba74e | networkservice.exe | a37759e4dd1be906b1d9c75da95d31a2 | The scanner searches the internet for vulnerable machines and infects them with the malware. |
| N/A | N/A | clean.bat | bfd3b369e0b6853ae6d229b1aed410a8 | Used only on Windows machines, this script adds a backdoor user to the system. |
| config.json | c8325863c6ba60d62729decdde95c6fb | config.json | c8325863c6ba60d62729decdde95c6fb | This is the cryptominer’s configuration file. |

Init/update scripts

The init and update scripts share the same content on each platform. They are used both for installing the malware and for updating its components. The init script runs as part of the initial payload, and the update script runs as a scheduled task (cron on Linux).

The init script for Linux is aggressive: it removes competing miners and other malware, blocks ports, adds backdoor keys, and disables SELinux. The Windows init script runs a few basic steps and is not as sophisticated as the Linux one. As this script was not found in earlier variants, researchers assume that targeting Windows is a new addition to this malware.

Miner – sysupdate/sysupdate.exe

The cryptominer is based on the known XMRig miner, which is an open source tool. The configuration file is config.json.

Watchdog – sysguard/sysgurad.exe

The watchdog makes sure that the scanner and miner are up and running and that all components are up to date. If it fails to connect to the command-and-control server, it will try to fetch the address of a new server by parsing transactions on a specific Ethereum account.

The watchdog is written in Go (stripped and compressed using UPX).

Backdoor user – Clean.bat

Used only on Windows machines, this script simply adds another user to the system. The init/update scripts for Linux systems perform a similar step by adding an authorized SSH key to the system.

Scanner – networkservice/networkservice.exe

Written in Go (stripped and compressed using UPX), the scanner component spreads the malware by scanning the internet for vulnerable machines and infecting them. The scanner simply generates a random IP (avoiding 127.x.x.x, 10.x.x.x and 172.x.x.x) and tries to attack the machine behind it.

Following a successful takeover, it reports back to the command-and-control server at hxxp://185.181.10.234/E5DB0E07C3D7BE80V520/ReportSuccess/<IP>/<Exploit type>.

The scanner also reports its progress back to the command-and-control server at hxxp://185.181.10.234/E5DB0E07C3D7BE80V520/Iamscan/<scan count>.


Exploits of the new cryptominer malware variant

| Vendor | Ports | CVE | Description |
|---|---|---|---|
| Oracle WebLogic | 7001/7002 | CVE-2017-10271 | The malware will try to exploit CVE-2017-10271 and drop payloads for both Windows and Linux. |
| ElasticSearch | 9200 | CVE-2015-1427, CVE-2014-3120 | The malware will try to exploit both CVE-2015-1427 and CVE-2014-3120 and drop a payload for Linux. |
| Drupal | N/A | CVE-2018-7600 | This exploit seems to be disabled, yet it is still present in the code. The exploit uses CVE-2018-7600 and drops a payload for Linux. |
| ThinkPHP | 80/8080 | CVE-2018-20062, N/A | The malware will try to exploit two vulnerabilities in the ThinkPHP framework and drop payloads for both Windows and Linux. |
| Hadoop | 8088 | N/A | The malware will drop a payload for Linux using this exploit. |
| Redis | 6379/6380 | N/A | First, it will try to find credentials if required (dictionary attack). If successful, it will use a known method for achieving RCE by dumping the db file into the cron path. |
| MSSQL | 1433 | N/A | The malware will first try to find the credentials (dictionary attack) for the MSSQL server. If successful, it will drop a payload for Windows. |
| IoT devices | N/A | N/A | This exploit seems to be disabled, yet it is still present in the code. The exploit targets IoT devices (CCTV). |

How to protect against these attacks

There are a few important steps you can take to protect against this malware variant.

Web application firewall: Make sure you have a properly configured web application firewall in place. This malware variant spreads by scanning the internet for vulnerable machines. Many organizations overlook application security, but it’s still a top threat vector that cybercriminals look to exploit.

Stay up to date on patches: As this malware shows, cybercriminals are always scanning for vulnerabilities to exploit. Staying current on security patches and updates will help your business stay ahead of these threats.

Monitor systems for suspicious activity: Knowing how this malware variant works will help you monitor your organization’s Windows and Linux servers for this type of activity, so you can remediate any attacks as soon as possible. Make sure you have a solution in place to help monitor for this type of activity and educate your security team on the warning signs.
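As an added example (not Barracuda's tooling), the triage helpers below turn the indicators in this post into concrete checks: the file table's MD5s, the scanner's two command-and-control report paths, and the Redis "dump the db into the cron path" technique from the exploits table. The directory walk, the cron-header check and any sample inputs are constructed for the example.

```python
"""Added triage helpers for the Golang cryptominer variant described above: the
MD5s, file names and C2 paths come from the post; everything else is constructed."""
import hashlib, os, re

# MD5 -> component, from the post's file table (Linux and Windows builds).
KNOWN_MD5 = {
    "4cc8f97c2bf9cbabb2c2be292886212a": "init.sh / update.sh",
    "ebd05594214f16529badf5e7033054aa": "init.ps1 / update.ps1",
    "149c79bf71a54ec41f6793819682f790": "sysupdate (miner)",
    "97f3dab8aa665aac5200485fc23b9248": "sysupdate.exe (miner)",
    "c31038f977f766eeba8415f3ba2c242c": "sysguard (watchdog)",
    "ba7fe28ec83a784b1a5437094c63182e": "sysgurard.exe (watchdog)",
    "8e9957b496a745f5db09b0f963eba74e": "networkservice (scanner)",
    "a37759e4dd1be906b1d9c75da95d31a2": "networkservice.exe (scanner)",
    "bfd3b369e0b6853ae6d229b1aed410a8": "clean.bat (backdoor user)",
    "c8325863c6ba60d62729decdde95c6fb": "config.json (miner config)",
}
# C2 report paths quoted in the post (.../ReportSuccess/<IP>/<Exploit type>
# and .../Iamscan/<scan count>); real logs carry "http", not the "hxxp" defang.
C2_RE = re.compile(
    r"185\.181\.10\.234/E5DB0E07C3D7BE80V520/(ReportSuccess|Iamscan)/([^\s\"]+)")
RDB_MAGIC = b"REDIS"  # every Redis RDB dump file starts with this header

def hash_hits(root, known=KNOWN_MD5):
    """Walk `root`, MD5 every regular file, return [(path, component)] matches."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            if digest in known:
                hits.append((path, known[digest]))
    return hits

def c2_beacons(log_lines):
    """Return (kind, argument) for each proxy/firewall line hitting a C2 path."""
    return [m.group(1, 2) for m in map(C2_RE.search, log_lines) if m]

def rdb_in_cron(cron_dir):
    """Flag cron files starting with the RDB header: the Redis 'dump the db into
    the cron path' RCE the post mentions leaves exactly this artifact behind."""
    bad = []
    for name in os.listdir(cron_dir):
        path = os.path.join(cron_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                if fh.read(len(RDB_MAGIC)) == RDB_MAGIC:
                    bad.append(path)
    return bad
```

Run `hash_hits` over the paths where the components are dropped, `c2_beacons` over outbound proxy or firewall logs, and `rdb_in_cron` over `/etc/cron.d` and the per-user spool on Redis hosts; a hit from any of the three is worth a full host triage.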
