Recently, cryptojacking attacks have been spreading like wildfire. At Imperva we have witnessed it firsthand and even concluded that these attacks account for roughly 90% of all remote code execution attacks in web applications.
Having said that, all of the attacks we have seen so far were somewhat limited in their complexity and capability. The attacks contained malicious code that downloaded a cryptominer executable file and ran it with a basic evasion technique or none at all.
This week we saw a new generation of cryptojacking attacks aimed at both database servers and application servers. We dubbed one of these attacks RedisWannaMine.
RedisWannaMine is more complex in terms of evasion techniques and capabilities. It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers’ infection rate and fatten their wallets.
In a nutshell, cryptojacking attackers have upped their game and they are getting crazier by the minute!
Cryptojacking 2.0 / RedisWannaMine
Imperva deploys a network of sensors to gather security intelligence. These sensors are deployed in publicly accessible databases and web servers. This week we recorded an interesting remote code execution (RCE) attack through our web application sensors. When we record an RCE attack that tries to download an external resource, we try to probe the remote host to gain further security information. This was the case this week when our sensors recorded the following attack vector that tried to exploit CVE-2017-9805:
When we probed the remote server we found a list of suspicious files:
The list includes known malicious files, like minerd, but also some unknown suspicious files like transfer.sh.
When we submitted the transfer.sh hash to VirusTotal, we found it was fairly new: the first submission was on 2018-03-05 and it was detected by only 10 engines:
This shell script file is a downloader that is similar in some ways to older cryptojacking downloaders we know:
- It downloads a crypto miner malware from an external location
- It gains persistence on the machine through new entries in crontab
- It gains remote access to the machine through a new ssh key entry in /root/.ssh/authorized_keys and new entries in the system’s iptables
However, this downloader is unlike any downloader we’ve seen before. In the following sections, we will list the new capabilities it offers.
The script installs a lot of packages using standard Linux package managers like apt and yum. This is probably to make sure it is self-sufficient and does not depend on local libraries on the victim's machine. As a hint of things to come, we saw that it installs packages like git, python, redis-tools, wget, gcc and make.
The script downloads a publicly available tool, named masscan, from a GitHub repository, then compiles and installs it.
The project page https://github.com/robertdavidgraham/masscan describes it as “TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.”
Also, it offers simple usage examples:
Redis scan and infection
The script then launches another process named “redisscan.sh”. The new process uses the masscan tool mentioned above to discover and infect publicly available Redis servers. It does so by creating a large list of IPs, internal and external, and scanning port 6379, which is the default listening port of Redis.
If one of the IPs in the list is publicly available, the script launches the “redisrun.sh” process to infect it with the same crypto miner malware (“transfer.sh”). The infection is done using the redis-cli command line tool, which the downloader previously installed, to run the “runcmd” payload.
“runcmd” is a 10-line Redis command script that creates new entries in the Redis server's crontab directory and thus infects the server and gains persistence in case someone notices the malware and deletes it.
Notice that the attacker uses line feeds, “\n”, at the beginning and at the end of each key value. If you run these commands in a Redis server, a file with the following content will be created:
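The same sequence (CONFIG SET dir to a cron directory, keys whose values are wrapped in line feeds, CONFIG SET dbfilename, then SAVE) is visible in Redis MONITOR output, which makes it a usable detection signal. The detector below is an added example, not part of the original post or of the malware; the sensitive-directory list and the sample MONITOR lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Directories that turn an RDB dump into a crontab or SSH key (assumed list).
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron.d", "/root/.ssh")
# One MONITOR line: <unix_ts> [<db> <ip:port>] "CMD" "arg" ...
LINE_RE = re.compile(r'^[\d.]+ \[\d+ (?P<client>[^\]]+)\] (?P<args>.+)$')
# Quoted arguments as MONITOR prints them; escapes such as \n stay literal.
ARG_RE = re.compile(r'"((?:\\.|[^"\\])*)"')

# Constructed sample: one attacker session and one client doing a normal SAVE.
SAMPLE_MONITOR = """\
1520000001.100000 [0 203.0.113.5:41234] "CONFIG" "SET" "dir" "/var/spool/cron/"
1520000001.200000 [0 203.0.113.5:41234] "SET" "backup1" "\\n*/1 * * * * sh /tmp/transfer.sh\\n"
1520000001.300000 [0 203.0.113.5:41234] "CONFIG" "SET" "dbfilename" "root"
1520000001.400000 [0 203.0.113.5:41234] "SAVE"
1520000002.000000 [0 10.0.0.7:55100] "CONFIG" "SET" "dir" "/var/lib/redis"
1520000002.500000 [0 10.0.0.7:55100] "SAVE"
"""

def parse_line(line):
    """Return (client, [args]) for one MONITOR line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return (m.group("client"), ARG_RE.findall(m.group("args"))) if m else None

def detect(lines):
    """Track CONFIG SET dir/dbfilename and LF-wrapped values per client and
    alert when that client then SAVEs into a sensitive directory."""
    state = defaultdict(lambda: {"dir": "", "dbfilename": "dump.rdb", "lf_keys": []})
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        st, cmd = state[client], args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            if args[2].lower() in ("dir", "dbfilename"):
                st[args[2].lower()] = args[3]
        elif cmd in ("SET", "SETNX", "SETEX") and len(args) >= 3:
            # The downloader wraps each cron line in "\n" so it survives the
            # binary RDB framing around it; MONITOR shows that as a literal \n.
            val = args[3] if cmd == "SETEX" and len(args) >= 4 else args[2]
            if val.startswith("\\n") and val.endswith("\\n"):
                st["lf_keys"].append(args[1])
        elif cmd in ("SAVE", "BGSAVE") and st["dir"].startswith(SENSITIVE_DIRS):
            path = st["dir"].rstrip("/") + "/" + st["dbfilename"]
            alerts.append(f"{client}: RDB dump written to {path} after "
                          f"{len(st['lf_keys'])} LF-wrapped key(s): {st['lf_keys']}")
    return alerts
```

Feeding the output of `redis-cli MONITOR` into `detect()` flags the attacker session and stays silent for the client that saves into the normal data directory.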
SMB scan and infection
After the script completes the Redis scan, it launches another scan process named “ebscan.sh”. This time the new process uses the masscan tool to discover and infect publicly available Windows servers running the vulnerable SMB version. It does so by creating a large list of IPs, internal and external, and scanning port 445, which is the default listening port of SMB.
In case you’ve been living under a rock, the SMB vulnerability this script is scanning for was used by the NSA to create the infamous “EternalBlue” exploit. This exploit was later adapted to carry out “WannaCry”, one of the biggest cyberattacks in the world.
When the script finds a vulnerable server, it launches the “ebrun.sh” process to infect it.
“ebrun.sh” runs a Python implementation of the aforementioned “EternalBlue” exploit and drops the file “x64.bin” on the vulnerable machine.
We used the strings command to print all the strings of printable characters in the file and found code that creates a malicious VBScript file named “poc.vbs” and runs it.
“poc.vbs” downloads an executable from an external location, saves it on the vulnerable server as “admissioninit.exe” and runs it. Needless to say, “admissioninit.exe” is a well-known crypto miner malware.
What should I do?
- Protect your web applications and databases. The initial attack vector was introduced through a web application vulnerability. A properly patched application or an application protected by a WAF should be safe.
- Make sure you don’t expose your Redis servers to the world. This can be achieved with a simple firewall rule.
- Make sure you don’t run machines with the vulnerable SMB version in your organization. You can use this awesome tool to check it.