This article is the complete analysis of a new campaign that F5 threat researchers discovered and tweeted about on June 14.
On June 10, F5 threat researchers discovered a new campaign targeting Apache Struts 2 servers that use the Jakarta Multipart Parser (CVE-2017-5638). This campaign has some unique capabilities that have not been combined before. This campaign compiles its own C# dropper that downloads a .NET packed malware, uses a C# developer’s forum as its command and control (C&C) server, and decode the C&C command using its own decoder. These are just a few of this operation’s capabilities.
Killing Monitoring Apps
This operation employs multiple stages, where all command injections are delivered using an Apache Struts 2 Jakarta Multipart Parser exploit.
The first stage involves terminating tools on the exploited machine that are used for malware detection and general monitoring.
The attacker uses the taskkill command to force (/f flag is used) termination of multiple applications.
Figure 1: Using Apache Struts 2 exploit to deliver command to forcefully terminating QQProtect.exe process
Among these applications we can see Qihoo 360’s 360 Total Security, AhnLab antivirus, and KingSoft PC Doctor executables, as well as Windows Task Manager. Following is the full list of applications this campaign tries to terminate:
C# Downloader Compiles at Runtime
Malicious Java payload creates a C# source code file in C:\ProgramData\update.cs on the exploited system.
Figure 2: Apache Struts 2 request payload part that injects a command to create the C# downloader
The next two requests inject commands to compile the C# code on two common .NET frameworks, v2.0.50727 and v4.0.30319, The generated binary executable is saved in C:\ProgramData\update.exe.
Figures 3: Apache Struts 2 requests payload parts that inject commands to compile the C# downloader
The next command injection runs the generated downloader executable to download the malware from hxxp://188.8.131.52:8080/netxmr4.exe and save the downloaded file to C:\ProgramData\usb.exe on the exploited system.
Figure 4: Apache Struts 2 request payload part that injects a command to download the campaign malware
Running the Malware and Deleting Traces
Once the malware is downloaded to the exploited system, the attacker injects a command to run the malicious file.
Figure 5: Attacker injects command to run the malicious file
After running the malware, the attacker tries to delete the operation traces, including the C# downloader source code and executable and the malware file. We couldn’t locate or recreate another file which the attacker tried to delete, C:\ProgramData\d.txt, but we assume it’s some kind of a log file.
Figure 6: Injected command to delete malicious traces
Windows Server Compatibility?
After sending all the requests as described above, the attacker sends each of them again, this time using C:\wmpub\ path instead of C:\ProgramData\, probably to target machines running Microsoft Windows Server OS.
Figure 7: One of the many Injected commands to target servers running Microsoft Windows Server OS
User Profile Page as the C&C
Once the malware starts, it downloads hxxp://www.sufeinet.com/space-uid-97643.html.
This URL links to a user profile page with text that seems to be base64-encoded.
Figure 8: Malware request sent to fetch the user profile page
Figure 9: The user profile page, holding text that seems to be base64-encoded.
Trying to decode the text in the page using base64 didn’t work, so we concluded this must be a private encryption or encoding method. To decode this text, we needed to dig deeper and analyze the malware.
Trying to disassemble the downloaded malware provided very little information, mostly irrelevant. After some additional analysis, we found the malware to be packed (obfuscated) using ConfuserEx v1.0.0, which is a free, open-source packer for .NET applications, v1.0.0 being its latest release.
ConfuserEx v1.0.01 has an open source unpacker, ConfuserEx-Unpacker,2 which we didn’t use. Instead, we dumped the malware process memory and extracted the relevant malicious file memory to a separate file that was unpacked and easy to analyze.
Using a .NET decompiler, we were able to easily browse the unpacked malware code, which revealed some interesting findings.
Figure 10: Browsing the classes in the unpacked malware using a .NET decompiler
Decoding the C&C Command
Under a class named GetXmrCommand, a function named GetExeCmd holds an interesting string that seems like a base64-encoded string but isn’t. This is similar to the text seen in the C&C user profile page. A function named “Base64” in the same class uses this string as a parameter, and the result is then passed to .Net function WebRequest.Create, which should receive a URL as parameter. This means that the “Base64” function turns the encoded string into a readable URL.
Figure 11: GetExeCmd, an encoded string, is decoded using a function named “Base64” to produce a URL
Looking into the function named “Base64” revealed the decoding code, which unscrambles the string, then uses the real base64 decoder to get the plaintext.
Figure 12: “Base64” function, which decodes the URL encoded string
After implementing a small decoder, we were able to receive the decoded string, which was hxxp://www.sufeinet.com/space-uid-97643.html. The same one the malware accessed when it started: the user profile page. With that said, building that small decoder wasn’t in vain as a couple of lines later, the profile page is being parsed to extract the encoded command, which we can now decode.
After downloading the profile html file, the code searches for the first appearance of the string “xMF0R”, then skips these characters in the encoded string and decode the rest of the string.
Figure 13: GetExeCmd code section which decodes the string in the user profile page
When decoding the string using the same mechanism we got the following text:
“-a cryptonight -o stratum+tcp://pool.supportxmr.com:3333 -u 44873Xameckc4wR21AdrM5fnoFHKZJSVj6cBADTgFTrEEN94jP2XfQZ74PMRiqoYHnBu2cCe32wLx7gKHnQpfFqCLb6Ryn2 -px --donate-level=1”
The C&C string on the user profile page turned out to be command line parameters to a Monero miner. We’ll review the mining operation in the next section.
As part of the malware operation, several files were downloaded, one of which is the XMRig Monero crypto-currency miner.3 Reviewing the XMrig parameters we discovered above revealed the following:
- “-o stratum+tcp://pool.supportxmr.com:3333” is the URL of the mining server
- “-u 44873Xameckc4wR21AdrM5fnoFHKZJSVj6cBADTgFTrEEN94jP2XfQZ74PMRiqoYHnBu2cCe32wLx7gKHnQpfFqCLb6Ryn2” is the payment address
- “-p x” is the password for the mining server
- “--donate-level=1” sets the percentage of time dedicated to mine for XMRig creators as a donation; the attacker sets this to the minimal possible of 1%
Reviewing the payment address on the mining server revealed more details about this operation.
Figure 14: Statistics of the Monero mining payment address belonging to the attacker
According to the information provided on the mining server website, this operation began around June 1.
For reference, a slow mining device with 2 GB DDR3 memory, and an NVIDIA GEFORCE GT 710 graphic card can reach to about 50H/s whereas a top-of-the-line custom rig costing around $12,000 USD can reach rates of 24,000H/s or 24KH/s.6 With the average hash rate of around 60KH/s for this mining operation, we can conclude that there are multiple devices participating in the mining action.
Kill Opponents and Avoid Monitoring
In addition to the functionality already listed, this malware has some more tricks up its sleeve.
The “CheckProcess” function kills fake “taskmgr” processes that don’t have “Microsoft Corporation” in the version information. This is probably done to remove the competition and, in general, any process taking valuable mining resources. The “CheckProcess” function also validates “svchost” and “csrss”.
If any of these processes are found illegitimate they will be forcefully terminated, denied from all permissions and their relevant files will be changed to super hidden.
Figure 15: CheckProcess function deals with processes that may interfere with the mining action
Indications of Compromise
The following files are created by the malware on the exploited system. These files are not deleted by the malware as the ones in the initial infection stage.
These files will be super hidden on the system, so system admins can use the following command to view the files. ioc_file_path should be replaced with one of the files names above:
dir /aHS ioc_file_path
Malicious Mining is Getting Creative
Since the crypto currency market peak in December 2017, the crypto-mining malware trend is at the core of most campaigns using remote-command-execution exploits, with XMRig being the miner most frequently used. Off-the-shelf working exploits and open-source mining projects have made the malicious crypto-mining business too tempting to refuse for threat actors. With popularity, came the competition for resources, and that led to innovation and creativity as within any market.
C# on its own is scarcely used in malicious operations. Add runtime compiling, packing (obfuscating) C#, private string decoder and a user profile page serving as C&C and you get a very creative operation—one that may indicate a shift toward creativity in the crypto-mining malware scene. Following the findings in our latest article about another campaign targeting Struts 2 and WebLogic and using VBScript, we expect the malicious mining operations to continue and evolve with multi-exploit campaigns, obfuscated malware, and private decoders and encryptors to be more common in the near future.