Trend Micro Incorporated : Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify

Earlier this year, a security flaw identified asCVE-2021-41773wasdisclosedto Apache HTTP Server Project, a path traversal and remote code execution (RCE) flaw in Apache HTTP Server 2.4.49. If this vulnerability is exploited, it allows attackers to map URLs to files outside the directories configured by Alias-like directives. Under certain configurations where Common Gateway Interface (CGI) scripts are enabled for aliased paths, attackers can also use it for RCE. As the initial fix was deemed insufficient, a bypass was laterreportedfor the fix and tracked asCVE-2021-42013.

Official fixes have beenrolled outby Apache HTTP Server Project. However, when we looked at the malicious samples abusing this vulnerability, we found more of these exploits being abused to target different gaps in products and packages for malicious mining of Monero. In this blog, we look into the abuse of GitHub and Netlify repositories and platforms for hosting cryptocurrency-mining tools and scripts. We have already informed GitHub and Netlify of the malicious activities and they have taken down the accounts.

Technical details

We observed attackers targeting the following package and products via security vulnerabilities disclosed in 2020 and 2021 for malicious cryptocurrency-mining activities through samples caught in our honeypots:

1. Atlassian Confluence (CVE-2021-26084andCVE-2021-26085)

2. F5 BIG-IP (CVE-2020-5902)

3. VMware vCenter (CVE-2021-22005,CVE-2021-21985,CVE-2021-21972, andCVE-2021-21973)

4. Oracle WebLogic Server (CVE-2020-14882,CVE-2020-14750, andCVE-2020-14883)

5. Apache HTTP Server (CVE-2021-40438,CVE-2021-41773, andCVE-2021-42013)

Figure 1. Exploits attempting to abuse servers for malicious cryptocurrency mining from October 19 to November 19, 2021. Data taken from Trend Micro Cloud One™ – Workload Security.

We found it interesting that all the products and the particular package have had widely distributedpublicproofs of conceptforpre-authRCE. Looking at the Monero wallet from one such mining pool, we saw that the operation is still ongoing and actively accumulating Monero as of this writing.

Figure 2. Cryptocurrency-mining pool

Services abused: Targeting Windows hosts

Figure 3. Infection chain

The miner samples we found work on and abuse both Windows and Linux platforms. While the exploits used differ according to the infrastructure targeted, the batch scripts we identified works on both. We saw the usage of Netlify and GitHub as the malware file servers for downloading batch scripts from an attacker-controlled account. The batch script is renamed as a temporary file and deleted after it starts running in the background.

The scripts (c3.bat) are a modified version of Monero-mining helper scripts abridged fromGitHub, and these begin checking if the current session has administrative privileges. If the privilege is of the Administrator, then the ADMIN flags are set. Afterward, the length of the Monero wallet address is calculated. If the length is not 106 or 95 characters, the script exits. If it is 106 or 95, it jumps to “WALLET_LEN_OK” statement.

Figure 4. The batch scripts observed are modified versions of helper scripts abridged from GitHub.

Figure 5. Checks for administrative privileges and “XMR WALLET” flag to calculate address length

The script further conducts a series of checks in the system, such as if the USERPROFILE environment variable is defined, and whether utilities like wmic, powershell, find, findstr, and tasklist are available or not.

Figure 6. Checking the system for availability of environment variable and utilities

Figure 7. Getting the results for utilities’ availability in the system

The wmic utility is used to further enumerate specific parameters in the system, such as the number of processors, maximum clock speed, L2 and L3 cache sizes, and CPU sockets. These values are later used to calculate the Monero mining rate of the Windows host. For different mining rates, different ports are used on the mining pool.

Figure 8. Enumerating the system’s parameters to determine cryptocurrency mining rate

After identifying the CPU’s computing power, the running c3pool_miner is removed from the host. The zipped miner (c3.zip) is then downloaded from the attacker-controlled GitHub repository and PowerShell is used to unzip the downloaded file. If the unzip attempt fails, 7z is downloaded to extract the zipped file, and both the downloaded files (7za.exe and c3.zip) are deleted after.

Figure 9. Removing traces of the downloaded files after extraction

The script also goes on to install the latest version of XMRig for Windows from the official repository. After unzipping the downloaded file, the 7z binary and XMRig ZIP files are removed. Once the miner is successfully installed, the config files are modified using PowerShell.

Figure 10. Installing the latest XMR version in the system

Figure 11. Configuring and modifying the installed miner

If the miner is already running (c3.exe), the execution jumps to an ALREADY_RUNNING label. If not, the miner is executed using the “start” command in the IDLE priority class. If the current user has administrative privileges, then execution jumps to the label ADMIN_MINER_SETUP. If not, persistence is added by modifying the Startup directory with the batch scripts to execute c3pool XMR miner with the configuration file.

Figure 12. Configuring the miner’s admin privileges and persistence

A service is created from the c3cache_worker using the Non-Sucking Service Manager (NSSM). NSSM is a service helper program that helps install applications as services, and with it a user can specify logging to user-defined files.

Figure 13. Using NSSM to constantly run the miner as a background application in the infected system

Targeting Linux hosts
The shell script starts with an infinite loop to remove all competing cryptominers found in the infected system, such as kinsing, kdevtmpfsi, pty86, and .javae.

Figure 14. Removing all the cryptocurrency-mining competitors and their components found in the infected system in a loop

After all the competing miners are wiped out, the attribute of /var/spool/cron/root is made immutable and crontab is reloaded. Then, if there are any processes except java, redis, weblogic, mongod, mysql, oracle, tomcat, grep, postgres, confluence, awk, and aux that are raking up more than 60% of CPU usage, they are terminated.

Figure 15. Stopping all other processes except those necessary for running a miner in the system

A function “func1” (redacted) is called and the loop is reiterated after every 30 seconds.

We observed two content delivery networks (CDNs) being used as the FILE_CC_SERVER in GitHub and Netlify. Infunc1, a process “java.xnk” is checked for and if the CPU usage is above or equal to 60%, the process ID is fetched into a variable “p”. If the variable is empty, then the process is killed and three directories are created, namely:

  • a. /var/tmp/java.xnk

  • b. /var/lock/java.xnk

  • c. /tmp/java.xnk

Figure 16. The variable DIR contains the value of the valid TMP directory that was created.

Different paths for “wget” and “curl” binaries are checked for and assigned to variable Wget. A file “java.xnk.bionic” is checked in the path “$DIR”. If the file doesn’t exist, the valid Wget command is used to download and copy the file named “bionic” (a Monero miner) and “config.json,” which contains the Monero wallet address. Executable permissions are assigned for the downloaded binary and the binary is executed via nohup.

Similarly, the following binaries are downloaded and executed in place of the file “bionic” and repeat the process:

  1. focal as java.xnk.focal

  2. freebsd as java.xnk.freebsd

  3. linuxstatic as java.xnk.linux

  4. xenial as java.xnk.xenial

  5. xmr-stak as java.xnk.stak

Figure 17. Assigning binaries to Wget and executable permissions

Conclusion

Based on the frequency of attempts on the targeted products and the particular package in the past month, we believe there are more servers that remain unpatched and exposed to these exploits. More importantly, malicious actors will continue targeting these products and package for intrusion based on the availability of the proofs of concept, as well as the higher likelihood that these servers have yet to be patched. Moreover, due to the wide usage of Linux and Windows platforms and the fact that all the miners identified here work on both, illicit cryptocurrency mining makes for a lucrative business with regard to the high volume of systems that can be targeted.

The abuse of legitimate platforms such as GitHub and Netlify will continue due to the traffic being encrypted over HTTPS. If the machines targeted have intrusion detection and prevention solutions (IDS/IPS) in place, network artifacts will not contribute for detection. Moreover, IP reputation services will not flag these platforms as malicious because they are legitimate sources of programs and organizations. The CDNs of both platforms also offer ease and convenience in setting up an operation, as well as provide availability and speed – thus also aiding malicious actors with a wide and fast malware infection capability regardless of a victim’s location. These two factors in CDNs will likely prompt a development in the behavior of malicious actors who abusethese platformsfor infection, even for routines and attacks unrelated to cryptocurrency mining.

From another perspective, the malicious actors targeting these devices can appear almost unsophisticated considering the use of public proofs for attacks. The actors also operate on a regular basis and target as many machines as they can, given that they continue operating and getting cryptocurrency in their respective wallets despite the suspension of their GitHub and Netlify accounts.

Trend Micro solutions

Enterprises should consider using security solutions such as theTrend Micro Cloud One™platform, which protects cloud-native systems by securing continuous integration and continuous delivery (CI/CD) pipelines and applications. The platform includes:

Intrusion Prevention Rules

  1. 1011171 – Apache HTTP Server Directory Traversal Vulnerability (CVE-2021-41773 and CVE-2021-42013)

  2. 1011183 – Apache HTTP Server Server-Side Request Forgery Vulnerability (CVE-2021-40438)

  3. 1011117 – Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2021-26084)

  4. 1011177 – Atlassian Confluence Server Arbitrary File Read Vulnerability (CVE-2021-26085)

  5. 1010850 – VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21972 and CVE-2021-21973)

  6. 1010983 – VMware vCenter Server Remote Code Execution Vulnerability (CVE-2021-21985)

  7. 1011167 – VMware vCenter Server File Upload Vulnerability (CVE-2021-22005)

  8. 1005934 – Identified Suspicious Command Injection Attack

  9. 1005933 – Identified Directory Traversal Sequence In Uri Query Parameter

  10. 1010388 – F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)

  11. 1010590 – Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883)

Log Inspection Rules

  1. 1003447 – Web Server – Apache

Integrity Monitoring Rules

  1. 1002851 – Application – Apache HTTP Server

  1. 1125: HTTP: ../.. Directory Traversal

  2. 40260: HTTP: Atlassian Confluence Server and Data Center OGNL Injection Vulnerability

  3. 40417: HTTP: Atlassian Confluence Server S Endpoint Information Disclosure Vulnerability

  4. 39077: TCP: VMware vSphere Client vropspluginui Code Execution Vulnerability

  5. 39923: HTTP: VMware vCenter Server Remote Code Execution Vulnerability

  6. 40382: HTTP: VMware vCenter AsyncTelemetryController Arbitrary File Write Vulnerability

  7. 40361: HTTP: VMware vCenter Analytics service File Upload

  8. 39352: HTTP: F5 BIG-IP iControl REST Interface Login Request

  9. 39364: HTTP: F5 BIG-IP bash Suspicious Command Execution Request

  10. 39313: HTTP: F5 BIG-IP TMM Buffer Overflow Vulnerability

  11. 22087: HTTPS: F5 iControl iCall Script Privilege Escalation Vulnerability

  12. 37841: HTTP: F5 BIG-IP TMUI Code Execution Vulnerability

  13. 39360: HTTP: F5 BIG-IP iControl REST filePath Command Injection Vulnerability

  14. 38380: HTTP: Oracle WebLogic Server Remote Code Execution Vulnerability

Indicators of Compromise (IOCs)

View the full list of IOCshere.