This article is the complete analysis of a new campaign that F5 threat researchers discovered and tweeted about on June 14.
On June 10, F5 threat researchers discovered a new campaign targeting Apache Struts 2 servers vulnerable to the Jakarta Multipart Parser remote code execution flaw (CVE-2017-5638). This campaign combines capabilities that have not been seen together before: it compiles its own C# dropper on the exploited host, which then downloads a packed .NET malware; it uses a user profile page on a C# developers' forum as its command and control (C&C) server; and it decodes the C&C command with a private decoder. These are just a few of this operation's capabilities.
This operation employs multiple stages, where all command injections are delivered using an Apache Struts 2 Jakarta Multipart Parser exploit.
The first stage involves terminating tools on the exploited machine that are used for malware detection and general monitoring.
The attacker uses the taskkill command with the /f flag to forcibly terminate multiple applications.
Among them are Qihoo 360's 360 Total Security, AhnLab antivirus and KingSoft PC Doctor executables, as well as Windows Task Manager. Following is the full list of applications this campaign tries to terminate:
The malicious Java payload (the expression the Struts exploit executes inside the server's JVM) writes a C# source file to C:\ProgramData\update.cs on the exploited system.
The next two requests inject commands that compile that source with the compilers of two common .NET Framework versions, v2.0.50727 and v4.0.30319, presumably so that at least one build succeeds whichever runtime is installed. The resulting executable is saved as C:\ProgramData\update.exe.
The next command injection runs the generated downloader, which fetches the malware from hxxp://126.96.36.199:8080/netxmr4.exe and saves it as C:\ProgramData\usb.exe on the exploited system.
Once the malware is on the exploited system, the attacker injects a command to run it.
After running the malware, the attacker tries to delete the traces of the operation, including the C# downloader's source and executable and the malware file itself. We couldn't locate or recreate another file the attacker tries to delete, C:\ProgramData\d.txt, but we assume it is some kind of log file.
After sending all the requests described above, the attacker sends each of them again, this time using C:\wmpub\ in place of C:\ProgramData\, probably to target machines running Microsoft Windows Server.
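The whole chain above (forced taskkill, csc.exe compiling update.cs, update.exe and usb.exe launched from the staging directory, then a del of the traces) leaves a distinctive sequence of process-creation events. The following detection sketch is an added example written for this article, not code from the campaign or from F5; it runs a few rules over constructed Sysmon-style records. The Java parent process name, the record format and the exact csc.exe command line are assumptions, since the article gives the file paths but not the compiler invocation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Staging directories and file names taken from the article (lower-cased for matching).
STAGING_DIRS = (r"c:\programdata", r"c:\wmpub")
STAGED_FILES = ("update.cs", "update.exe", "usb.exe", "d.txt")


@dataclass
class Finding:
    stage: str
    line_no: int
    detail: str


def _in_staging(path_or_cmd: str) -> bool:
    text = path_or_cmd.lower()
    return any(d in text for d in STAGING_DIRS)


def classify(image: str, cmdline: str) -> Optional[str]:
    """Map one process-creation event to a stage of the chain, or None."""
    img = image.lower().rsplit("\\", 1)[-1]
    cmd = cmdline.lower()
    if img == "taskkill.exe" and "/f" in cmd.split():
        return "stage1-kill-monitoring"
    if img == "csc.exe" and "update.cs" in cmd and _in_staging(cmd):
        return "stage2-compile-dropper"
    if img == "update.exe" and _in_staging(image):
        return "stage3-run-dropper"
    if img == "usb.exe" and _in_staging(image):
        return "stage4-run-malware"
    if img == "cmd.exe" and re.search(r"\bdel\b", cmd) and any(f in cmd for f in STAGED_FILES):
        return "stage5-cleanup"
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run classify() over 'time|ParentImage|Image|CommandLine' records."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed records
        _ts, parent, image, cmdline = parts
        stage = classify(image, cmdline)
        if stage:
            findings.append(Finding(stage, n, f"{parent} -> {image}: {cmdline}"))
    return findings


def stages_seen(findings: List[Finding]) -> List[str]:
    return sorted({f.stage for f in findings})


# Constructed process-creation records (not real telemetry). The Java parent
# and the csc.exe command line are assumptions; the paths come from the article.
SAMPLE_LOG = [
    r"2018-06-10T10:00:01|C:\tomcat\bin\java.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"2018-06-10T10:00:02|C:\Windows\System32\cmd.exe|C:\Windows\System32\taskkill.exe|taskkill /f /im taskmgr.exe",
    r"2018-06-10T10:00:03|C:\Windows\System32\cmd.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe|csc.exe /out:C:\ProgramData\update.exe C:\ProgramData\update.cs",
    r"2018-06-10T10:00:04|C:\Windows\System32\cmd.exe|C:\ProgramData\update.exe|C:\ProgramData\update.exe",
    r"2018-06-10T10:00:05|C:\Windows\System32\cmd.exe|C:\ProgramData\usb.exe|C:\ProgramData\usb.exe",
    r"2018-06-10T10:00:06|C:\tomcat\bin\java.exe|C:\Windows\System32\cmd.exe|cmd.exe /c del C:\ProgramData\update.cs C:\ProgramData\update.exe C:\ProgramData\usb.exe C:\ProgramData\d.txt",
    # Benign look-alikes that must not fire: no /f, and a compile outside the staging dirs.
    r"2018-06-10T11:00:00|C:\Windows\explorer.exe|C:\Windows\System32\taskkill.exe|taskkill /im notepad.exe",
    r"2018-06-10T11:00:01|C:\VS\devenv.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe|csc.exe /out:C:\Users\dev\app.exe C:\Users\dev\Program.cs",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.stage}: {f.detail}")
```

Any single rule can fire on legitimate activity (build servers run csc.exe all day), which is why the rules are keyed to the staging directories and file names from the article, and why several stages appearing under the same parent within a short window is the stronger signal. The same rules cover the second pass because C:\wmpub is in the staging list.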
Once the malware starts, it downloads hxxp://www.sufeinet.com/space-uid-97643.html.
This URL links to a user profile page with text that seems to be base64-encoded.
Trying to decode the text on the page as base64 didn't work, so we concluded it must be a private encryption or encoding scheme. To decode it, we needed to dig deeper and analyze the malware.
Disassembling the downloaded malware directly yielded very little, mostly irrelevant information. Further analysis showed the malware to be packed (obfuscated) with ConfuserEx v1.0.0, a free, open-source packer for .NET applications; v1.0.0 is its latest release.
ConfuserEx v1.0.0 has an open-source unpacker, ConfuserEx-Unpacker, which we didn't use. Instead, we dumped the malware's process memory and carved the relevant in-memory module out to a separate file, which was unpacked and easy to analyze.
Using a .NET decompiler, we were able to easily browse the unpacked malware code, which revealed some interesting findings.
Under a class named GetXmrCommand, a function named GetExeCmd holds a string that looks like base64 but isn't, much like the text on the C&C user profile page. A function named "Base64" in the same class takes this string as a parameter, and its result is passed to the .NET method WebRequest.Create, which expects a URL. So the "Base64" function turns the encoded string into a readable URL.
Looking into the "Base64" function revealed the decoding routine: it first unscrambles the string and then feeds the result to the real base64 decoder to obtain the plaintext.
After implementing a small decoder, we obtained the decoded string: hxxp://www.sufeinet.com/space-uid-97643.html, the same user profile page the malware accessed when it started. Building the decoder still paid off, because a couple of lines later the profile page is parsed to extract the encoded command, which we can now decode.
After downloading the profile HTML, the code searches for the first occurrence of the string "xMF0R", skips those characters and decodes the rest of the encoded string.
Decoding that string with the same mechanism gives the following text:
“-a cryptonight -o stratum+tcp://pool.supportxmr.com:3333 -u 44873Xameckc4wR21AdrM5fnoFHKZJSVj6cBADTgFTrEEN94jP2XfQZ74PMRiqoYHnBu2cCe32wLx7gKHnQpfFqCLb6Ryn2 -p x --donate-level=1”
The C&C string on the user profile page turned out to be command line parameters for a Monero miner. We'll review the mining operation in the next section.
As part of the malware operation, several files were downloaded, one of which is the XMRig Monero cryptocurrency miner. Reviewing the XMRig parameters we decoded above revealed the following:
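The two steps described above, locating the "xMF0R" marker in the profile page and feeding what follows it through the private "Base64" routine, and then reading the decoded output as an XMRig command line, can be reproduced end to end. The block below is an added example for this article, not the malware's code or F5's decoder. The article does not reproduce the unscrambling step itself, so the unscramble() function is a hypothetical stand-in (a plain string reversal) used only to make the pipeline runnable on a constructed profile page; the argument parser then turns the decoded command into IOC fields (pool host and port, wallet, algorithm). The assumption that the encoded blob ends at the first non-base64 character is also mine.

```python
import base64
import re
from urllib.parse import urlparse

# Marker the malware looks for in the profile page before the encoded command
# (from the write-up). The transform in unscramble() is NOT the real one: the
# article says the "Base64" routine unscrambles the text before standard base64
# decoding but does not reproduce that step, so a reversal stands in for it.
MARKER = "xMF0R"


def unscramble(blob: str) -> str:
    """Hypothetical stand-in for the malware's pre-base64 transform."""
    return blob[::-1]


def scramble(text: str) -> str:
    """Inverse of the stand-in transform; only used to build the constructed sample."""
    return text[::-1]


def custom_decode(blob: str) -> str:
    """Unscramble, then apply real base64 decoding, as the article describes."""
    return base64.b64decode(unscramble(blob)).decode("utf-8")


def custom_encode(text: str) -> str:
    return scramble(base64.b64encode(text.encode("utf-8")).decode("ascii"))


def extract_command(page_html: str) -> str:
    """Find the first MARKER, skip it, and decode the blob that follows.

    Assumption: the blob ends at the first character outside the base64 alphabet.
    """
    idx = page_html.find(MARKER)
    if idx == -1:
        raise ValueError("marker not found in page")
    rest = page_html[idx + len(MARKER):]
    m = re.match(r"[A-Za-z0-9+/=]+", rest)
    if m is None:
        raise ValueError("no encoded blob after marker")
    return custom_decode(m.group(0))


# XMRig short options seen in the decoded command and their meaning.
_SHORT_OPTS = {"-a": "algo", "-o": "pool", "-u": "wallet", "-p": "password"}


def parse_miner_args(cmdline: str) -> dict:
    """Turn an XMRig command line into IOC fields (pool host/port, wallet, ...)."""
    tokens = cmdline.split()
    fields: dict = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and "=" in tok:
            key, val = tok[2:].split("=", 1)
            fields[key] = val
            i += 1
        elif tok in _SHORT_OPTS and i + 1 < len(tokens):
            fields[_SHORT_OPTS[tok]] = tokens[i + 1]
            i += 2
        else:
            fields.setdefault("unparsed", []).append(tok)
            i += 1
    pool = urlparse(fields.get("pool", ""))
    fields["pool_host"] = pool.hostname
    fields["pool_port"] = pool.port
    # Standard Monero addresses are 95 base58 characters starting with '4'.
    fields["wallet_looks_monero"] = bool(
        re.fullmatch(r"4[1-9A-HJ-NP-Za-km-z]{94}", fields.get("wallet", ""))
    )
    return fields


# Decoded command from the article, used here only to build a constructed page.
MINER_CMD = (
    "-a cryptonight -o stratum+tcp://pool.supportxmr.com:3333 "
    "-u 44873Xameckc4wR21AdrM5fnoFHKZJSVj6cBADTgFTrEEN94jP2XfQZ74PMRiqoYHnBu2cCe32wLx7gKHnQpfFqCLb6Ryn2 "
    "-p x --donate-level=1"
)

# Constructed stand-in for the forum profile page (not the real HTML).
SAMPLE_PAGE = (
    '<html><body><div class="profile">Signature: '
    + MARKER + custom_encode(MINER_CMD)
    + "</div></body></html>"
)

if __name__ == "__main__":
    cmd = extract_command(SAMPLE_PAGE)
    print(cmd)
    print(parse_miner_args(cmd))
```

When analyzing a live sample, replace unscramble() with the transform lifted from the decompiled "Base64" function; everything downstream (marker search, base64, argument parsing) stays the same, and the parsed pool host, port and wallet are the values to block and to search for in proxy logs and on the pool's stats page.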
Reviewing the payment address on the mining server revealed more details about this operation.
According to the information provided on the mining server website, this operation began around June 1.
For reference, a slow mining device with 2 GB of DDR3 memory and an NVIDIA GeForce GT 710 graphics card reaches about 50 H/s, whereas a top-of-the-line custom rig costing around $12,000 USD can reach about 24,000 H/s (24 KH/s). With this operation averaging around 60 KH/s, we can conclude that many devices are participating in the mining.
In addition to the functionality already listed, this malware has some more tricks up its sleeve.
The "CheckProcess" function kills fake "taskmgr" processes whose version information doesn't list "Microsoft Corporation" as the company. This is probably done to remove competitors and, in general, any process consuming valuable mining resources. "CheckProcess" applies the same validation to "svchost" and "csrss".
Any of these processes found to be illegitimate is forcibly terminated, denied all permissions, and its files are set to super hidden (the hidden and system attributes together).
The malware creates the following files on the exploited system. Unlike the files from the initial infection stage, these are not deleted by the malware.
These files are super hidden (hidden plus system attribute), so a plain dir listing and Explorer with default settings do not show them. System admins can use the following command to list them, which filters on exactly those two attributes; replace ioc_file_path with one of the file names above:
dir /aHS ioc_file_path
Since the cryptocurrency market peak in December 2017, crypto-mining malware has been at the core of most campaigns that use remote code execution exploits, with XMRig the miner used most often. Off-the-shelf working exploits and open-source mining projects have made malicious crypto-mining too tempting for threat actors to refuse. With popularity came competition for resources, and that competition drives innovation and creativity, as in any market.
C# on its own is rarely used in malicious operations. Add runtime compilation, a packed (obfuscated) C# payload, a private string decoder and a user profile page serving as C&C, and you get a very creative operation, one that may signal a shift toward creativity in the crypto-mining malware scene. Following the findings in our latest article about another campaign targeting Struts 2 and WebLogic using VBScript, we expect malicious mining operations to keep evolving: multi-exploit campaigns, obfuscated malware, and private decoders and encryptors will become more common in the near future.