Recently, cryptojacking attacks have been spreading like wildfire. At Imperva we have witnessed it firsthand and even concluded that these attacks account for roughly 90% of all remote code execution attacks in web applications.

Having said that, all of the attacks we have seen so far were somewhat limited in their complexity and capability. The attacks contained malicious code that downloaded a cryptominer executable file and ran it, with a basic evasion technique or none at all.

This week we saw a new generation of cryptojacking attacks aimed at both database servers and application servers. We dubbed one of these attacks RedisWannaMine.

RedisWannaMine is more complex in terms of evasion techniques and capabilities. It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers’ infection rate and fatten their wallets.



In a nutshell, cryptojacking attackers have upped their game and they are getting crazier by the minute!

Cryptojacking 2.0 / RedisWannaMine

Imperva deploys a network of sensors to gather security intelligence. These sensors are deployed in publicly accessible databases and web servers. This week we recorded an interesting remote code execution (RCE) attack through our web application sensors. When we record an RCE attack that tries to download an external resource, we try to probe the remote host to gain further security information. This was the case this week when our sensors recorded the following attack vector that tried to exploit CVE-2017-9805:



When we probed the remote server we found a list of suspicious files:



The list includes known malicious files, like minerd, but also some unknown suspicious files like transfer.sh.

When we submitted the transfer.sh hash to VirusTotal, we found it is fairly new: the first submission was on 2018-03-05, and it was detected by only 10 engines:



This shell script file is a downloader that is similar in some ways to older cryptojacking downloaders we know:

It downloads a crypto miner malware from an external location

It gains persistence on the machine through new entries in crontab

It gains remote access to the machine through a new ssh key entry in /root/.ssh/authorized_keys and new entries in the system’s iptables

However, this downloader is unlike any downloader we’ve seen before. In the following sections, we will list the new capabilities it offers.

Self-sufficient

The script installs a lot of packages using standard Linux package managers like apt and yum. This is probably to make sure it is self-sufficient and does not depend on the libraries present on the victim’s machine. As a hint of things to follow, we saw it install packages like git, python, redis-tools, wget, gcc and make.

GitHub integration

The script downloads a publicly available tool named masscan from a GitHub repository, then compiles and installs it.



The project page https://github.com/robertdavidgraham/masscan describes it as “TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.”

Also, it offers simple usage examples:

Redis scan and infection

The script then launches another process named “redisscan.sh”. The new process uses the masscan tool mentioned above to discover and infect publicly available Redis servers. It does so by creating a large list of IPs, internal and external, and scanning port 6379, which is the default listening port of Redis.



If one of the IPs in the list is publicly available, the script launches the “redisrun.sh” process to infect it with the same crypto miner malware (“transfer.sh”). The infection is done using the redis-cli command line tool, which the downloader previously installed, to run the “runcmd” payload.



“runcmd” is a 10-line Redis command script that creates new entries in the Redis server’s crontab directory and thus infects the server and gains persistence in case someone notices the malware and deletes it.



Notice that the attacker uses line feeds, “\n”, at the beginning and at the end of each key value. If you run these commands in a Redis server, a file with the following content will be created:
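The post shows the resulting file as a screenshot. As an added example (not code from the post), the check below shows how a defender can recognise such a file: a cron file that begins with the Redis RDB magic is a dump, and the line feeds around the value are exactly what leave the payload on a line of its own. The sample dump, the key name “job” and the command path are constructed for the example.

```python
import re
from pathlib import Path

# Every Redis RDB dump starts with "REDIS" followed by a 4-digit version number.
RDB_MAGIC = b"REDIS"

# A cron entry: five schedule fields (or an @reboot-style shortcut) then a command.
CRON_LINE = re.compile(rb"^\s*(?:@[a-z]+|(?:[\d*/,\-]+\s+){5})\s*\S.*$")

# Constructed sample (not a real capture): an RDB-shaped blob holding one key
# whose value is a cron line wrapped in line feeds, as the post describes.
SAMPLE_DUMP = (
    b"REDIS0008\xfa\tredis-ver\x054.0.8"            # magic + aux field
    b"\xfe\x00\xfb\x01\x00\x00\x03job"              # db 0, one key named "job"
    b"\x23\n\n*/1 * * * * /tmp/placeholder.sh\n\n"  # value: LF + cron line + LF
    b"\xff\x00\x00\x00\x00\x00\x00\x00\x00"         # EOF marker + checksum
)


def is_rdb_dump(data: bytes) -> bool:
    """A legitimate cron file never starts with the RDB magic."""
    return data.startswith(RDB_MAGIC)


def cron_lines_in_dump(data: bytes) -> list:
    """Return the cron-style lines that survive inside an RDB blob.

    The surrounding line feeds are what make the trick work: the binary
    bytes land on lines cron cannot parse, while the wrapped payload sits
    on a clean line of its own and is scheduled normally.
    """
    if not is_rdb_dump(data):
        return []
    return [raw.decode("ascii", "replace").strip()
            for raw in data.split(b"\n") if CRON_LINE.match(raw)]


def scan_cron_dirs(dirs=("/var/spool/cron", "/var/spool/cron/crontabs",
                         "/etc/cron.d")) -> dict:
    """Map each cron file that is really an RDB dump to its payload lines."""
    findings = {}
    for d in dirs:
        for path in Path(d).glob("*"):
            if path.is_file():
                lines = cron_lines_in_dump(path.read_bytes())
                if lines:
                    findings[str(path)] = lines
    return findings


if __name__ == "__main__":
    print(cron_lines_in_dump(SAMPLE_DUMP))  # the constructed payload line
    print(scan_cron_dirs())                 # needs read access to the cron dirs
```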

SMB scan and infection

After the script completes the Redis scan, it launches another scan process named “ebscan.sh”. This time the new process uses the masscan tool to discover and infect publicly available Windows servers running the vulnerable SMB version. It does so by creating a large list of IPs, internal and external, and scanning port 445, which is the default listening port of SMB.





In case you’ve been living under a rock, the SMB vulnerability this script is scanning for was used by the NSA to create the infamous “Eternal Blue” exploit. This exploit was later adapted to carry out “WannaCry”, one of the biggest cyberattacks in the world.

When the script finds a vulnerable server, it launches the “ebrun.sh” process to infect it.

“ebrun.sh” runs a Python implementation of the aforementioned “Eternal Blue” exploit and drops the file “x64.bin” in the vulnerable machine.



We used the strings command to print all the strings of printable characters in the file and found code that creates a malicious VBScript file named “poc.vbs” and runs it.

“poc.vbs” downloads an executable from an external location, saves it in the vulnerable server as “admissioninit.exe” and runs it. Needless to say, “admissioninit.exe” is a well-known crypto miner malware.



What should I do?

Protect your web applications and databases. The initial attack vector was introduced through a web application vulnerability. A properly patched application or an application protected by a WAF should be safe.

Make sure you don’t expose your Redis servers to the world. This can be achieved with a simple firewall rule.
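A firewall rule keeps the 6379 scan from reaching Redis at all; the server’s own configuration is the second layer. The audit below is an added example (not from the post) that flags the redis.conf settings this attack depends on and shows the weak configuration beside a hardened one. Both config samples and the password value are constructed for the example.

```python
# Audit a redis.conf for the settings that let an exposed Redis be abused
# as a file writer: all-interface bind, protected-mode off, no password,
# and a CONFIG command that can still repoint "dir" at a cron directory.

WEAK_CONF = """\
# constructed sample: what the 6379 scan is hoping to find
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
# constructed sample: loopback only, authenticated, CONFIG disabled
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
"""


def parse_conf(text: str) -> dict:
    """Return {directive: [values, ...]} for the non-comment lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        conf.setdefault(key.lower(), []).append(rest.strip())
    return conf


def audit(text: str) -> list:
    """List the weaknesses that make the RedisWannaMine cron trick possible."""
    conf = parse_conf(text)
    findings = []
    bind_tokens = " ".join(conf.get("bind", [])).split()
    if not bind_tokens or any(t in ("0.0.0.0", "::", "*") for t in bind_tokens):
        findings.append("bind: listens on all interfaces, so a port-6379 scan reaches it")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode no: unauthenticated remote clients are accepted")
    if not any(conf.get("requirepass", [])):
        findings.append("requirepass unset: anyone who connects can issue commands")
    if not any(v.upper().startswith("CONFIG ") for v in conf.get("rename-command", [])):
        findings.append("CONFIG not renamed: 'CONFIG SET dir' can target a cron directory")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```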

Make sure you don’t run machines with the vulnerable SMB version in your organization. You can use this awesome tool to check it.

IOC

Hosts:

http://ipfs.io/

http://admission.fri3nds.in/

IPs:

147.135.130.181

217.182.195.23

Files:
