16 March 2018 | Vulnerability, Windows, Cryptominer
A new cryptojacking campaign is attempting to install cryptominers on both database and application servers by targeting misconfigured Redis servers and Windows servers that are vulnerable to the EternalBlue NSA exploit.
Redis servers

The first attack dubbed ‘RedisWannaMine’ has been found to be using remote code execution vulnerabilities such as CVE-2017-9805 (REST plugin vulnerability in Apache Struts) to download a cryptominer and execute an external resource.

‘RedisWannaMine’, unlike most cryptojacking threats, is more sophisticated in its evasion techniques and capabilities. It demonstrates worm-like behaviour combined with advanced exploits to increase the attackers’ infection rate.

The external resource was located on a remote host that held several suspicious files, one of which was a shell script that downloads a cryptominer called ‘transfer.sh’. Upon successful infection, this file installs ‘masscan’, a publicly available Internet port scanner obtained from GitHub that can sweep the entire internet. A process called ‘redisscan.sh’ can then be launched, which uses ‘masscan’ to discover and infect public Redis servers with cryptomining malware.

Screenshot of exploit process
Windows servers

The campaign has also been observed using the EternalBlue Server Message Block (SMB) exploit. This attack vector involves a script that runs another scanning process called ‘ebscan.sh’, which uses the masscan tool to discover publicly available Windows servers with the SMB vulnerability CVE-2017-0144.

‘ebrun.sh’ then runs a Python implementation of the EternalBlue exploit – the exploit that was used to spread WannaCry ransomware, one of the biggest cyberattacks in the world. This process then drops the file ‘x64.bin’ on the vulnerable machine, which contains code to create a malicious VBScript file. That file then downloads an executable from an external location, saves it on the vulnerable server as ‘admissioninit.exe’ and runs it.
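As an added defender-side example (not part of the original write-up), the following Python flags process-execution events that match the artefact names and behaviour described above: the campaign's script and payload names, an internet-wide masscan sweep, and a service account spawning a shell or scanner. The key=value log format, host names and the service-account list are constructed assumptions.

```python
"""Flag process-execution events matching the RedisWannaMine tradecraft described above."""
import re
from typing import Dict, List

# Artefact names taken from the write-up: dropper, scanner and exploit scripts,
# the dropped shellcode file and the final Windows payload.
CAMPAIGN_FILES = {"transfer.sh", "redisscan.sh", "ebscan.sh",
                  "ebrun.sh", "x64.bin", "admissioninit.exe"}

# Assumption: accounts that should never launch shells or port scanners.
SERVICE_ACCOUNTS = {"redis", "tomcat", "www-data"}

# Constructed sample log lines in a simple key=value exec-audit format (not real telemetry).
SAMPLE_LOG = """\
ts=2018-03-16T10:00:01Z host=db01 user=redis exe=/usr/bin/redis-server cmd="redis-server /etc/redis.conf"
ts=2018-03-16T10:02:14Z host=db01 user=redis exe=/bin/sh cmd="sh /tmp/redisscan.sh"
ts=2018-03-16T10:02:15Z host=db01 user=redis exe=/usr/bin/masscan cmd="masscan 0.0.0.0/0 -p6379 --rate 10000"
ts=2018-03-16T10:05:00Z host=web02 user=tomcat exe=/usr/bin/masscan cmd="masscan 0.0.0.0/0 -p445"
ts=2018-03-16T10:05:30Z host=web02 user=tomcat exe=/bin/sh cmd="sh /tmp/ebrun.sh"
ts=2018-03-16T11:00:00Z host=ops01 user=ops exe=/usr/bin/masscan cmd="masscan 10.0.0.0/24 -p22"
"""

LINE_RE = re.compile(r'ts=(\S+) host=(\S+) user=(\S+) exe=(\S+) cmd="([^"]*)"')


def analyse(log: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious event, with the reasons it was flagged."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected format
        ts, host, user, exe, cmd = m.groups()
        binary = exe.rsplit("/", 1)[-1]
        tokens = set(re.split(r"[\s/]+", cmd))  # split on whitespace and path separators
        reasons = []
        hit = CAMPAIGN_FILES & tokens
        if hit:
            reasons.append("campaign artefact " + ",".join(sorted(hit)))
        if binary == "masscan" and "0.0.0.0/0" in cmd:
            reasons.append("internet-wide masscan sweep")
        if user in SERVICE_ACCOUNTS and binary in ("masscan", "sh"):
            reasons.append(f"service account {user} launched {binary}")
        if reasons:
            findings.append({"ts": ts, "host": host, "user": user, "why": "; ".join(reasons)})
    return findings
```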

Recommendations

Users should:

  • Patch their web applications and databases.
  • Properly configure their Redis servers so they are not exposed to the internet, which can be achieved with a simple firewall rule.
  • Ensure that machines aren’t running the vulnerable SMB protocol.
